ragrep (1) - Linux Man Pages
NAME
ragrep - grep argus(8) user captured data.
SYNOPSIS
ragrep [options] -e pattern [raoptions] [-- filter-expression]
ragrep [options] -f file [raoptions] [-- filter-expression]
Ragrep reads argus data from an argus-data source, greps the records based on the regexp specified on the command line, and outputs a valid argus-stream.
Ragrep works only on the fields for user captured data. Argus must be started with the configuration option ARGUS_CAPTURE_DATA_LEN set to a value greater than 0 for this data to be captured. See argus.conf(5) for details.
OPTIONS
Ragrep, like all ra-based clients, supports a number of ra options, including filtering of input argus records through a terminating filter expression. See ra(1) for a complete description of ra options. ragrep(1) specific options are:
Suppress normal output; instead print a count of matching lines for each input file. With the reverse-matching option (see below), count non-matching lines.
- -e <regex>
  Match regular expression in flow user data fields. Prepend the regex with either "s:" or "d:" to limit the match to either the source or destination user data fields. Examples include:
  "^SSH-" - Look for SSH connections on any port.
  "s:^GET" - Look for HTTP GET requests in the source buffer.
  "d:^HTTP.*Unauth" - Find unauthorized HTTP responses.
- -f FILE
  Obtain patterns from FILE, one per line. An empty file contains zero patterns and therefore matches nothing.
Ignore case distinctions in both the pattern and the input files.
Suppress normal output; instead print the name of each input file from which no output would normally have been printed. The scanning will stop on the first match.
Suppress normal output; instead print the name of each input file from which output would normally have been printed. The scanning will stop on the first match.
- -q
  Quiet; do not write anything to standard output. Exit immediately with zero status if any match is found, even if an error was detected.
Read all files under each directory, recursively; this is equivalent to the
Reverse the expression matching logic.
Normally, the exit status is 0 if selected records are found and 1 otherwise. The exit status is 2 if an error occurred, unless the -q option is used and a selected record is found.
INVOCATION
A sample invocation of ragrep(1). This call reads argus(8) data from inputfile and greps all HTTP transactions that generated a "404 Not Found" error.
- ragrep -r inputfile -e "HTTP.*404"
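The "s:"/"d:" scoping of -e, reverse matching and the 0/1 exit status described above, as an added Python illustration (not argus or ragrep code): it emulates the documented matching semantics over constructed user-data captures, so that the effect of limiting a pattern to the source or destination buffer is visible. The FlowRecord type and the sample records are assumptions made for this example.

```python
import re
from dataclasses import dataclass

@dataclass
class FlowRecord:
    """Constructed stand-in for an argus flow record with user-data captures."""
    saddr: str
    daddr: str
    suser: bytes  # source user-data buffer (needs ARGUS_CAPTURE_DATA_LEN > 0)
    duser: bytes  # destination user-data buffer

def compile_pattern(pattern, ignore_case=False):
    """Honour the optional 's:'/'d:' prefix documented for -e and compile the rest."""
    scope = "both"
    if pattern[:2] in ("s:", "d:"):
        scope = "src" if pattern.startswith("s:") else "dst"
        pattern = pattern[2:]
    return scope, re.compile(pattern.encode(), re.IGNORECASE if ignore_case else 0)

def record_matches(rec, scope, regex):
    """Apply the regex only to the user-data field(s) the prefix selected."""
    fields = []
    if scope in ("both", "src"):
        fields.append(rec.suser)
    if scope in ("both", "dst"):
        fields.append(rec.duser)
    return any(regex.search(f) for f in fields)

def ragrep(records, pattern, ignore_case=False, invert=False):
    """Return (selected records, exit status): 0 when something was selected, else 1."""
    scope, regex = compile_pattern(pattern, ignore_case)
    selected = [r for r in records if record_matches(r, scope, regex) != invert]
    return selected, (0 if selected else 1)

# Constructed sample captures; real data would come from the argus input stream.
SAMPLE = [
    FlowRecord("10.0.0.5", "203.0.113.10", b"GET /index.html HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n"),
    FlowRecord("10.0.0.6", "203.0.113.10", b"GET /admin HTTP/1.1\r\n", b"HTTP/1.1 401 Unauthorized\r\n"),
    FlowRecord("10.0.0.7", "203.0.113.22", b"SSH-2.0-OpenSSH_8.9\r\n", b"SSH-2.0-OpenSSH_9.2\r\n"),
    FlowRecord("10.0.0.8", "203.0.113.10", b"GET /missing HTTP/1.1\r\n", b"HTTP/1.1 404 Not Found\r\n"),
]

if __name__ == "__main__":
    for pat in ("^SSH-", "s:^GET", "d:^HTTP.*Unauth", "HTTP.*404", "s:^HTTP"):
        hits, status = ragrep(SAMPLE, pat)
        print(f"{pat!r}: {len(hits)} record(s), exit status {status}")
```

Note that "s:^HTTP" selects nothing (status 1) because HTTP status lines only occur in the destination buffer of these captures.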
COPYRIGHT
Copyright (c) 2000-2016 QoSient. All rights reserved.
Carter Bullard (carter [at] qosient.com).