NAME

rwipaexport - Export IPA datasets to SiLK binary data files

SYNOPSIS

  rwipaexport --catalog=CATALOG [--time=TIME] [--prefix-map-name=NAME]
        [--note-add=TEXT] [--note-file-add=FILE]
        [--compression-method=COMP_METHOD] OUTPUT_FILE

  rwipaexport --help

  rwipaexport --version

DESCRIPTION

rwipaexport exports data from an IPA (IP Association, http://tools.netsa.cert.org/ipa/) data store to a SiLK IPset, Bag, or prefix map file, depending on the type of the stored IPA catalog. For catalogs with time information (e.g., the time period during which the stored data is considered valid), data can be selected for a specific time of interest.

OPTIONS

Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.

--catalog=CATALOG_NAME

Specifies the name of the IPA catalog to export from.

--time=TIME

This argument allows you to export a dataset that was active at TIME. The expected format of this option is YYYY/MM/DD[:HH[:MM[:SS]]]. A dataset will only be returned if TIME falls between the start and end time for the dataset. If this option is not specified, the current time will be used. See the TIME RANGES section of ipaimport(1) for more information about how time ranges are used in IPA.

--prefix-map-name=NAME

When creating a prefix map file, add NAME to the header of the file as the map-name. When this switch is not specified, no map-name is written to the file. If the output is not a prefix map file, the --prefix-map-name switch is ignored.

--note-add=TEXT

Add the specified TEXT to the header of the output file as an annotation. This switch may be repeated to add multiple annotations to a file. To view the annotations, use the rwfileinfo(1) tool.

--note-file-add=FILENAME

Open FILENAME and add the contents of that file to the header of the output file as an annotation. This switch may be repeated to add multiple annotations. Currently the application makes no effort to ensure that FILENAME contains text; be careful that you do not attempt to add a SiLK data file as an annotation.

--compression-method=COMP_METHOD

Specify the compression library to use when writing output files. If this switch is not given, the value in the SILK_COMPRESSION_METHOD environment variable is used if the value names an available compression method. When no compression method is specified, output to the standard output or to named pipes is not compressed, and output to files is compressed using the default chosen when SiLK was compiled. The valid values for COMP_METHOD are determined by which external libraries were found when SiLK was compiled. To see the available compression methods and the default method, use the --help or --version switch. SiLK can support the following COMP_METHOD values when the required libraries are available.

none

Do not compress the output using an external library.

zlib

Use the zlib(3) library for compressing the output, and always compress the output regardless of the destination. Using zlib produces the smallest output files at the cost of speed.

lzo1x

Use the lzo1x algorithm from the LZO real time compression library for compression, and always compress the output regardless of the destination. This compression provides good compression with less memory and CPU overhead.

snappy

Use the snappy library for compression, and always compress the output regardless of the destination. This compression provides good compression with less memory and CPU overhead. Since SiLK 3.13.0.

best

Use lzo1x if available, otherwise use snappy if available, otherwise use zlib if available. Only compress the output when writing to a file.

--help

Print the available options and exit.

--version

Print the version number and information about how SiLK was configured, then exit the application.

EXAMPLES

In the following examples, the dollar sign ($) represents the shell prompt. The text after the dollar sign represents the command line. Lines have been wrapped for improved readability, and the backslash (\) is used to indicate a wrapped line.

To export the badhosts IPset from an IPA set catalog into the file badhosts.set where there is no time information:

 $ rwipaexport --catalog=badhosts badhosts.set

To export the flowcount Bag from an IPA bag catalog into the file flowcount-20070415.bag where there is time information:

 $ rwipaexport --catalog=flowcount --time=2007/04/15  \
        flowcount-20070415.bag

ENVIRONMENT

SILK_CLOBBER

The SiLK tools normally refuse to overwrite existing files. Setting SILK_CLOBBER to a non-empty value removes this restriction.

SILK_COMPRESSION_METHOD

This environment variable is used as the value for --compression-method when that switch is not provided. Since SiLK 3.13.0.

SILK_PATH

This environment variable gives the root of the directory tree where the tools are installed. When searching for the silk-ipa.conf configuration file, rwipaexport may use this environment variable. See the "FILES" section for details.

FILES

$SILK_PATH/share/silk/silk-ipa.conf
$SILK_PATH/share/silk-ipa.conf
/usr/share/silk/silk-ipa.conf
/usr/share/silk-ipa.conf

Possible locations for the IPA configuration file. This file contains the URI for connecting to the IPA database. If the configuration file does not exist, rwipaexport will exit with an error. The format of this URI is driver://user:password@hostname/database. For example:

 postgresql://ipauser:secret@database-server.domain.com/ipa
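
Because the URI carries the database password as plain text, the permissions on silk-ipa.conf matter. The shell functions below are an added example, not part of the SiLK distribution: they check each location listed above and report any file that holds a password and is world-readable. The function names, the ROOT argument, and the assumption that the URI appears as plain text on a line of the file are introduced here for illustration.

```shell
#!/bin/sh
# Added example: flag silk-ipa.conf candidates that expose the database
# password embedded in the URI (driver://user:password@hostname/database).

# Print the candidate paths from the FILES section, one per line.
# $1 (ROOT) is a hypothetical prefix so the audit can run on a scratch tree.
ipa_conf_candidates() {
    if [ -n "${SILK_PATH:-}" ]; then
        printf '%s\n' "$SILK_PATH/share/silk/silk-ipa.conf" \
                      "$SILK_PATH/share/silk-ipa.conf"
    fi
    printf '%s\n' "${1:-}/usr/share/silk/silk-ipa.conf" \
                  "${1:-}/usr/share/silk-ipa.conf"
}

# True when the file (symlinks followed) is readable by "other".
conf_is_world_readable() {
    [ -n "$(find -L "$1" -prune -perm -004 -print 2>/dev/null)" ]
}

# True when a line carries a URI with a non-empty password component.
# Assumption: the URI is stored as plain text on one line of the file.
conf_has_password() {
    grep -Eq '[A-Za-z][A-Za-z0-9+.-]*://[^:/@[:space:]]+:[^@[:space:]]+@' "$1"
}

# Print "EXPOSED <path>" or "OK <path>" for each candidate that exists;
# return 1 if any file is exposed, 0 otherwise.
audit_ipa_conf() {
    findings=0
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        if conf_has_password "$f" && conf_is_world_readable "$f"; then
            echo "EXPOSED $f"
            findings=1
        else
            echo "OK $f"
        fi
    done <<EOF
$(ipa_conf_candidates "${1:-}")
EOF
    return "$findings"
}
```

Source the file and run audit_ipa_conf with no argument to check the real locations; a finding is cleared by removing read access for "other" from the file (for example, mode 0640 with a group that contains only the accounts that run the IPA tools).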

SEE ALSO

rwipaimport(1), rwfileinfo(1), ipafilter(3), silk(7), ipaimport(1), ipaexport(1), ipaquery(1), zlib(3)