Nfdump suite » History » Version 1
Charles Atkinson, 02/06/2022 12:23
h1. nfdump suite

{{toc}}

h1. Introduction

This page has information about the nfdump suite. It is intended to be publicly useful.

The name "nfdump suite" is potentially misleading because nfdump is only one of six Netflow utilities in the suite: nfcapd, nfdump, nfexpire, nfprofile, nfreplay and nftrack. nfdump translates the binary Netflow record files created by nfcapd (the Netflow capture daemon) into human-readable form.

The nfdump suite was closely related to the now defunct nfsen. Nfsen was a web GUI which used nfdump to generate data for interactive display.

h2. Related documentation

* https://github.com/phaag/nfdump
* man pages

h1. nfdump setup

This is actually about setting up an nfcapd service, but the default names include nfdump.

h2. "semop() error in bookkeeper.c line ...: Invalid argument"

These error messages were fixed by adding ...
<pre>
RemoveIPC=no
</pre>... to /etc/systemd/logind.conf and applying it with
<pre>
systemctl daemon-reload
systemctl restart systemd-logind.service
</pre>

h2. Setup itself

Example for "edge1" using directory sub-hierarchy scheme number 1. Directory sub-hierarchy schemes are listed in the nfcapd man page.

The network device had been set up to send Netflow packets to the nfdump suite server. That was specific to the type of device so is not shown here.

Setup took a long time because no complete guide was found. Hence this page.

The following procedure was assembled from notes so may not be exactly right, but it should be a good starting point.
* Created user nfcapd
* Created directory /var/cache/nfdump/edge1, owned by nfcapd:nfcapd with mode rwxr-xr-x
* Set up Netflow record expiry (three years). As user nfcapd:
<pre>
nfexpire -t $((365*3))d -u /var/cache/nfdump/edge1
</pre>
* Created /etc/nfdump/edge1.conf by copying /etc/nfdump/default.conf and editing it:
<pre>
root@storage3.iciti.av:~# diff /etc/nfdump/default.conf /etc/nfdump/edge1.conf
...
< #cache_directory=/var/cache/nfdump
< #user=root
< #group=root
---
> cache_directory=/var/cache/nfdump/edge1
> user=nfcapd
> group=nfcapd
28c56
< options='-l /var/cache/nfdump -p 2055'
---
> options='-e -g nfcapd -l /var/cache/nfdump/edge1 -p 2055 -S1 -u nfcapd'
</pre>
* Fixed a /run permissions difficulty (the PID file is now written under /tmp) by creating /etc/systemd/system/nfdump@.service, which overrides the packaged unit:
<pre>
diff /lib/systemd/system/nfdump@.service /etc/systemd/system/nfdump@.service
10,11c10,11
< ExecStart=/usr/bin/nfcapd -D -P /run/nfcapd.%I.pid $options
< PIDFile=/run/nfcapd.%I.pid
---
> ExecStart=/usr/bin/nfcapd -D -P /tmp/nfcapd.%I.pid $options
> PIDFile=/tmp/nfcapd.%I.pid
</pre>
* Created a templated service instance and started it:
<pre>
ln -s /etc/systemd/system/nfdump@.service /etc/systemd/system/nfdump@edge1.service
systemctl daemon-reload
systemctl start nfdump@edge1.service
systemctl enable nfdump@edge1.service
</pre>

h2. Logcheck

Logcheck ignore rules for routine nfcapd messages. The Ident and "Total ignored packets" rules only match when the error counts are zero, so non-zero sequence errors, bad packets or ignored packets are still reported.
<pre>
cat /etc/logcheck/ignore.d.server/local-nfdump
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nfcapd\[[[:digit:]]+\]: Add extension:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nfcapd\[[[:digit:]]+\]: Bound to IPv
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nfcapd\[[[:digit:]]+\]: Current size: .*, Current lifetime: .*, Number of files: [[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nfcapd\[[[:digit:]]+\]: Ident: .* Flows: [[:digit:]]+, Packets: [[:digit:]]+, Bytes: [[:digit:]]+, Sequence Errors: 0, Bad Packets: 0$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nfcapd\[[[:digit:]]+\]: Init IPFIX: Max number of IPFIX tags: [[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nfcapd\[[[:digit:]]+\]: Limits: Filesize .*, Lifetime .*, Watermark: [[:digit:]]+%$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nfcapd\[[[:digit:]]+\]: Process_v9: New exporter: SysID: [[:digit:]]+, Domain: [[:digit:]]+, IP:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nfcapd\[[[:digit:]]+\]: Process_v9: \[[[:digit:]]+\] Add template [[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nfcapd\[[[:digit:]]+\]: Run expire on
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nfcapd\[[[:digit:]]+\]: Signal launcher$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nfcapd\[[[:digit:]]+\]: Startup\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nfcapd\[[[:digit:]]+\]: Terminating nfcapd\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nfcapd\[[[:digit:]]+\]: Total ignored packets: 0$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nfcapd\[[[:digit:]]+\]: expire completed - nothing to expire\.$
</pre>
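The setup steps above, and the RemoveIPC check from the semop() section, as one parameterised shell script; this is an added example, not the page's or the nfdump project's own code. It assumes a Debian-style /etc/nfdump/default.conf laid out as in the diff, GNU sed and stat, and that the nfdump@.service override from the page is already in place; the run mode needs root.

```shell
#!/bin/sh
# Added example (not from the page): render a per-collector nfdump config the
# way the edge1 diff above does, plus preflight checks for the pieces the
# procedure depends on. Assumptions: Debian-style /etc/nfdump/default.conf with
# commented cache_directory/user/group keys and an options= line; GNU sed/stat;
# the page's nfdump@.service override is already in place.
set -u

# Print an edge1-style config for collector $2 on UDP port $3, derived from
# default.conf $1: the four lines that change in the page's diff.
render_conf() {
    sed -e "s|^#\{0,1\}cache_directory=.*|cache_directory=/var/cache/nfdump/$2|" \
        -e "s|^#\{0,1\}user=.*|user=nfcapd|" \
        -e "s|^#\{0,1\}group=.*|group=nfcapd|" \
        -e "s|^options=.*|options='-e -g nfcapd -l /var/cache/nfdump/$2 -p $3 -S1 -u nfcapd'|" \
        "$1"
}

# 0 if logind.conf $1 has an active RemoveIPC=no line (the semop() fix above).
removeipc_disabled() {
    grep -Eq '^[[:space:]]*RemoveIPC[[:space:]]*=[[:space:]]*no[[:space:]]*$' "$1"
}

# 0 if directory $1 exists, is owned by $2 (owner:group) and has mode 0755.
cache_dir_ok() {
    [ -d "$1" ] || return 1
    [ "$(stat -c '%U:%G %a' "$1")" = "$2 755" ]
}

# Apply the whole procedure for one collector, e.g.: ./nfcapd-setup.sh run edge1 2055
if [ "${1:-}" = run ]; then
    name=$2; port=$3
    removeipc_disabled /etc/systemd/logind.conf || echo "warning: RemoveIPC=no is not set in logind.conf" >&2
    id nfcapd >/dev/null 2>&1 || useradd -r -s /usr/sbin/nologin nfcapd
    install -d -o nfcapd -g nfcapd -m 0755 "/var/cache/nfdump/$name"
    cache_dir_ok "/var/cache/nfdump/$name" nfcapd:nfcapd || exit 1
    # three-year expiry, run as the collector user as on the page
    su -s /bin/sh nfcapd -c "nfexpire -t $((365*3))d -u /var/cache/nfdump/$name"
    render_conf /etc/nfdump/default.conf "$name" "$port" > "/etc/nfdump/$name.conf"
    systemctl daemon-reload
    systemctl enable --now "nfdump@$name.service"
fi
```

The page's override keeps the PID file in /tmp, which every local user can write to; a directory under /run owned by the nfcapd user is the safer home for it if the packaging allows.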
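To see what the ignore rules above actually suppress, the following added example (not from the page or from logcheck) runs a three-rule subset against constructed syslog lines the way logcheck does, with grep -E -f. It assumes GNU grep, since \w in the rules is a GNU extension; the hostname, PID and counters in the sample lines are made up.

```shell
#!/bin/sh
# Added example (not from the page): run ignore rules against constructed
# syslog lines the way logcheck does (grep -E -f), to confirm that routine
# nfcapd messages are suppressed while lines reporting sequence errors or
# ignored packets are still surfaced. Assumes GNU grep (\w is a GNU extension).
set -u

# Write a three-rule subset of the ignore file above to $1.
write_rules() {
    cat > "$1" <<'EOF'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nfcapd\[[[:digit:]]+\]: Ident: .* Flows: [[:digit:]]+, Packets: [[:digit:]]+, Bytes: [[:digit:]]+, Sequence Errors: 0, Bad Packets: 0$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nfcapd\[[[:digit:]]+\]: Total ignored packets: 0$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nfcapd\[[[:digit:]]+\]: expire completed - nothing to expire\.$
EOF
}

# Write constructed sample syslog lines to $1: three routine, two that should alert.
write_sample_log() {
    cat > "$1" <<'EOF'
Feb  6 12:23:01 storage3 nfcapd[1234]: Ident: 'edge1' Flows: 100, Packets: 2000, Bytes: 300000, Sequence Errors: 0, Bad Packets: 0
Feb  6 12:23:01 storage3 nfcapd[1234]: Total ignored packets: 0
Feb  6 12:23:01 storage3 nfcapd[1234]: expire completed - nothing to expire.
Feb  6 12:28:01 storage3 nfcapd[1234]: Ident: 'edge1' Flows: 90, Packets: 1800, Bytes: 250000, Sequence Errors: 3, Bad Packets: 0
Feb  6 12:28:01 storage3 nfcapd[1234]: Total ignored packets: 7
EOF
}

# Print the lines of log $2 that no rule in $1 matches: what logcheck would report.
reported_lines() {
    grep -Ev -f "$1" "$2" || true
}

# Number of reported lines, for scripting.
reported_count() {
    reported_lines "$1" "$2" | wc -l | tr -d ' '
}

# Demo on the constructed sample: ./check-rules.sh demo
# Against the real files: ./check-rules.sh /etc/logcheck/ignore.d.server/local-nfdump /var/log/syslog
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d); write_rules "$tmp/rules"; write_sample_log "$tmp/log"
    reported_lines "$tmp/rules" "$tmp/log"; rm -r "$tmp"
elif [ $# -eq 2 ]; then
    reported_lines "$1" "$2"
fi
```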