RAGREP(1)                    General Commands Manual                    RAGREP(1)

NAME
       ragrep - grep argus(8) user captured data.

SYNOPSIS
       ragrep [options] -e pattern [raoptions] [-- filter-expression]
       ragrep [options] -f file [raoptions] [-- filter-expression]
DESCRIPTION
       Ragrep reads argus data from an argus-data source, greps the records based on the regexp specified on the command line, and outputs a valid argus-stream.

       Ragrep works only on the fields for user captured data. Argus must be started with the configuration option ARGUS_CAPTURE_DATA_LEN set to a value greater than 0 to have these data captured. See argus.conf(5) for details.

       Ragrep is based on GNU grep(1), so the regexp syntax is the same as for grep(1).

       Ragrep, like all ra based clients, supports a number of ra options including filtering of input argus records through a terminating filter expression. See ra(1) for a complete description of ra options. ragrep(1) specific options are:

       Example patterns:
              "^SSH-"              Look for ssh connections on any port.
              "s:^GET"             Look for HTTP GET requests in the source buffer.
              "d:^HTTP.*Unauth"    Find unauthorized http responses.
EXIT STATUS
       Normally, exit status is 0 if selected records are found and 1 otherwise. But the exit status is 2 if an error occurred, unless the -q option is used and a selected record is found.
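The pattern prefixes ("s:" for the source buffer, "d:" for the destination buffer, none for both) and the exit status rules above, emulated in Python as an added example. This is not ragrep's own code: the record layout, the field names suser/duser and the treatment of a missing capture buffer as an error are assumptions for illustration.

```python
import re

# Constructed sample records standing in for the user-data capture fields of
# argus records (assumed names "suser"/"duser"); not argus's real record format.
SAMPLE_RECORDS = [
    {"flow": "10.0.0.5:51000 -> 10.0.0.9:22",
     "suser": b"SSH-2.0-OpenSSH_8.9\r\n", "duser": b"SSH-2.0-OpenSSH_9.2\r\n"},
    {"flow": "10.0.0.5:51001 -> 10.0.0.7:80",
     "suser": b"GET /admin HTTP/1.1\r\nHost: example.test\r\n",
     "duser": b"HTTP/1.1 401 Unauthorized\r\n"},
    {"flow": "10.0.0.5:51002 -> 10.0.0.7:80",
     "suser": b"GET /index.html HTTP/1.1\r\n",
     "duser": b"HTTP/1.1 200 OK\r\n"},
]


def parse_pattern(pattern):
    """Split an optional 's:' or 'd:' buffer prefix off a ragrep-style pattern.

    Returns (buffer_selector or None, compiled regexp). Raises re.error on a
    malformed regexp, exactly as grep would reject it.
    """
    if len(pattern) >= 2 and pattern[0] in "sd" and pattern[1] == ":":
        return pattern[0], re.compile(pattern[2:])
    return None, re.compile(pattern)


def ragrep(records, pattern, quiet=False):
    """Return (exit_status, matching_records) following the EXIT STATUS rules."""
    try:
        which, rx = parse_pattern(pattern)
    except re.error:
        return 2, []  # bad regexp: an error, nothing selected
    fields = {"s": ["suser"], "d": ["duser"]}.get(which, ["suser", "duser"])
    hits, saw_error = [], False
    for rec in records:
        bufs = [rec.get(f) for f in fields]
        if any(b is None for b in bufs):
            saw_error = True  # assumed: record without capture data is an error
            continue
        # Captured bytes are matched as text; latin-1 never fails to decode.
        if any(rx.search(b.decode("latin-1")) for b in bufs):
            hits.append(rec)
            if quiet:
                break  # -q: the first selected record is enough
    if saw_error and not (quiet and hits):
        return 2, hits
    return (0 if hits else 1), hits
```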
EXAMPLES
       A sample invocation of ragrep(1). This call reads argus(8) data from inputfile and greps all http transactions that generated a "404 Not Found" error.
COPYRIGHT
       Copyright (c) 2000-2016 QoSient. All rights reserved.

AUTHORS
       Carter Bullard (carter@qosient.com).

                                  15 March 2010                     ragrep 3.0.8