Cisco Netflow with Nagios XI
Netflow on Cisco routers can be set up and integrated with Nagios to give detailed information about the traffic passing through your routers and switches. Using nfdump and nfsen this data can be collected and charted and then linked into the Nagios interface. This is an example of integrating netflow into Nagios XI so that you have access to graphs built from the netflow data exported by Cisco routers.
Configure the Router
Many Cisco routers can export netflow. However, older IOS versions are often only able to export netflow version 5, while newer ones can also export netflow version 9. This example shows how to set up an older router using version 5.
config t
interface FastEthernet 0/1
ip route-cache flow
exit
ip flow-export destination 192.168.5.150 9995
ip flow-export source FastEthernet 0/1
ip flow-export version 5
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
snmp-server ifindex persist
^Z (Ctrl-Z leaves configuration mode)
write
show ip flow export
show ip cache flow
nfdump
This example installation is on a CentOS box, so some of the paths will differ on Ubuntu or Debian, for example.
Install prerequisites.
yum install -y rrdtool rrdtool-devel rrdtool-doc perl-rrdtool flex byacc tree
cd /tmp
wget http://sourceforge.net/projects/nfdump/files/latest/download
tar zxvf nfdump-1.6.6.tar.gz
cd nfdump-1.6.6
./configure --prefix=/usr --sysconfdir=/etc --mandir=/usr/share/man --enable-nfprofile --enable-nftrack
make
su root
make install
useradd -r -s /sbin/nologin -d /var/cache/nfdump netflow
mkdir -p /var/cache/nfdump
chown netflow:netflow /var/cache/nfdump
vi /etc/sysconfig/nfcapd
DAEMON_OPTIONS="-l /var/cache/nfdump -w -S 2 -z -u netflow -g netflow -j your_router_ip -p 9995"
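The most common reason for an empty collector is that the router's "ip flow-export destination" port and the collector's "-p" port do not agree. The script below is an added example, not part of the original page: it cross-checks the two against each other using constructed stand-ins for the router's running-config and for /etc/sysconfig/nfcapd (the addresses, port and paths are the ones used in the steps above; the "-j your_router_ip" placeholder is copied from the page as-is).

```shell
#!/bin/sh
# Added example (not from the original page): check that the exporter and
# the collector agree on the NetFlow UDP port before looking for data.
# Both inputs are constructed here so the script runs without a router.

ROUTER_CONFIG='interface FastEthernet 0/1
 ip route-cache flow
ip flow-export destination 192.168.5.150 9995
ip flow-export source FastEthernet 0/1
ip flow-export version 5'

NFCAPD_SYSCONFIG='DAEMON_OPTIONS="-l /var/cache/nfdump -w -S 2 -z -u netflow -g netflow -j your_router_ip -p 9995"'

# Print "<ip> <port>" taken from the router's flow-export destination line.
router_export_target() {
    printf '%s\n' "$1" |
        awk '$1 == "ip" && $2 == "flow-export" && $3 == "destination" { print $4, $5; exit }'
}

# Print the value that follows a short option (e.g. -p, -l) in DAEMON_OPTIONS.
nfcapd_option() {
    opt=$1
    printf '%s\n' "$2" | sed -n 's/^DAEMON_OPTIONS="\(.*\)"$/\1/p' |
        awk -v opt="$opt" '{ for (i = 1; i < NF; i++) if ($i == opt) { print $(i + 1); exit } }'
}

# Compare the exporter port with the collector port.
# Returns 0 on match, 1 on mismatch, 2 when either side could not be parsed.
check_ports() {
    target=$(router_export_target "$1")
    rip=${target%% *}
    rport=${target##* }
    cport=$(nfcapd_option -p "$2")
    if [ -z "$target" ] || [ -z "$cport" ]; then
        echo "incomplete: router target='$target' collector port='$cport'"
        return 2
    fi
    if [ "$rport" = "$cport" ]; then
        echo "ok: router exports to $rip:$rport and nfcapd listens on $cport"
        return 0
    fi
    echo "mismatch: router exports to port $rport but nfcapd listens on $cport"
    return 1
}

check_ports "$ROUTER_CONFIG" "$NFCAPD_SYSCONFIG"
```

On a live box, replace the two constructed strings with `show running-config | include flow-export` output and the contents of /etc/sysconfig/nfcapd; a port mismatch, or a firewall that drops UDP 9995 on the Nagios server, both produce the same symptom of empty capture files.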
Now use nfdump to see the actual flow data that is being received. Note that the command is run against a specific capture file, stored under a year/month/day/hour directory and named by year, month, day, hour and minute.
nfdump -R nfcapd.201206030910
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2002-03-01 04:07:44.287     0.000 UDP         192.168.5.99:68    ->  255.255.255.255:67         1      576     1
2002-03-01 04:07:44.435     0.000 UDP        192.168.5.222:67    ->  255.255.255.255:68         1      328     1
2002-03-01 04:08:14.395     0.000 UDP      192.168.5.99:34160    ->    192.168.5.228:161        1      103     1
2002-03-01 04:08:31.027     0.160 UDP     192.168.5.163:40678    ->    192.168.5.228:161       18     1361     1
2002-03-01 04:08:34.227     0.000 UDP         192.168.5.99:68    ->  255.255.255.255:67         1      576     1
---cut---
2002-03-01 04:36:57.403     0.020 UDP      192.168.5.99:34007    ->    192.168.5.228:161        4      356     1
2002-03-01 04:37:17.803     0.000 UDP      192.168.5.99:48525    ->    192.168.5.228:161        1      103     1
2002-03-01 04:37:27.895     0.000 UDP      192.168.5.99:43593    ->    192.168.5.228:161        1      103     1
Summary: total flows: 146, total bytes: 97624, total packets: 1375, avg bps: 0, avg pps: 0, avg bpp: 70
Time window: 2002-01-10 11:26:22 - 2012-06-03 09:30:00
Total flows processed: 146, Blocks skipped: 0, Bytes read: 7732
Sys: 0.003s flows/second: 36518.3 Wall: 0.003s flows/second: 44950.7
At this point you should have a router sending data to the Nagios server IP Address on the port you chose.
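As an added example (not code from the original page), the script below turns the two points just made into something reusable: it builds the path of the capture file for a given minute under the "-S 2" layout configured above (year/month/day/hour directories, files named nfcapd.YYYYMMDDhhmm) and sums bytes per destination address:port from nfdump's line output. The sample listing is constructed from the rows shown above so the aggregation runs without a collector; with nfdump installed, nfdump_bytes_by_dst runs it on a real file. The spool directory and the use of nfdump's -q and -r options are assumptions matching the DAEMON_OPTIONS above.

```shell
#!/bin/sh
# Added example, not from the original page: locate an nfcapd capture file
# and summarise nfdump's output per destination.

SPOOL=/var/cache/nfdump   # assumed: the -l directory from DAEMON_OPTIONS

# Constructed sample, copied from the rows in the listing above.
SAMPLE='2002-03-01 04:07:44.287     0.000 UDP      192.168.5.99:68    ->  255.255.255.255:67        1      576     1
2002-03-01 04:07:44.435     0.000 UDP     192.168.5.222:67    ->  255.255.255.255:68        1      328     1
2002-03-01 04:08:14.395     0.000 UDP   192.168.5.99:34160    ->    192.168.5.228:161        1      103     1
2002-03-01 04:08:31.027     0.160 UDP  192.168.5.163:40678    ->    192.168.5.228:161       18     1361     1
2002-03-01 04:08:34.227     0.000 UDP      192.168.5.99:68    ->  255.255.255.255:67        1      576     1'

# Path of the capture file for "YYYY-MM-DD HH:MM" under the -S 2 layout
# (%Y/%m/%d/%H sub-directories, file nfcapd.YYYYMMDDhhmm).
capture_path() {
    ts=$(printf '%s' "$1" | tr -d ' :-')      # 2012-06-03 09:10 -> 201206030910
    y=$(printf '%s' "$ts" | cut -c1-4)
    m=$(printf '%s' "$ts" | cut -c5-6)
    d=$(printf '%s' "$ts" | cut -c7-8)
    h=$(printf '%s' "$ts" | cut -c9-10)
    printf '%s/%s/%s/%s/%s/nfcapd.%s\n' "$SPOOL" "$y" "$m" "$d" "$h" "$ts"
}

# Sum bytes per destination from nfdump's default line output, whose fields
# are: date time duration proto src -> dst packets bytes flows.
# nfdump scales large counts (e.g. "1.2 M"), which adds a suffix field; such
# rows are reported on stderr and skipped rather than silently mis-summed.
bytes_by_dst() {
    awk '$6 == "->" {
            if (NF != 10) { print "skipping scaled row: " $0 | "cat 1>&2"; next }
            sum[$7] += $9
        }
        END { for (d in sum) printf "%d %s\n", sum[d], d }' | sort -rn
}

# Run nfdump on the capture file for one minute and aggregate its output.
# -q suppresses the header and summary lines, -r reads a single file.
nfdump_bytes_by_dst() {
    nfdump -q -r "$(capture_path "$1")" | bytes_by_dst
}

printf '%s\n' "$SAMPLE" | bytes_by_dst
```

Run on the sample this prints 1464 bytes to 192.168.5.228:161 (the SNMP poller), then the DHCP broadcasts. One thing worth noticing in the page's own listing: the flows carry 2002 timestamps although the file is from 2012, because flow times come from the exporting router's clock; a router without NTP lands its flows in the wrong time window, which matters as soon as you filter by time.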
nfsen
This application integrates with nfdump and builds charts from the data you are collecting.
cd /tmp
wget http://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.6/nfsen-1.3.6.tar.gz/download
tar zxvf nfsen-1.3.6.tar.gz
cd nfsen-1.3.6
cp etc/nfsen-dist.conf /etc/nfsen.conf
Now edit the /etc/nfsen.conf file to represent the paths and users for the distribution you are using.
$WWWUSER = "apache";
$WWWGROUP = "apache";
$PREFIX = '/usr/bin';
$HTMLDIR = "/var/www/html/nfsen/";
Add netflow to the apache group by editing /etc/group.
apache:x:48:netflow
You will need to install a Perl module from the CPAN shell.
perl -MCPAN -e shell
install Mail::Header
cd /tmp/nfsen-1.3.6
mkdir -p /data/nfsen
./install.pl /etc/nfsen.conf
When this installs correctly you will have a lot of files created in the /data/nfsen directory.
cd /data/nfsen/bin
./nfsen start
Watch /var/log/messages for errors so you can correct any problems.
Point your browser to http://ip_address/nfsen/nfsen.php
Configuring nfsen
In its default setup nfsen starts and controls nfdump and then presents the collected data in a web interface, with tabs across the top for more detailed views and additional options. The default profile is "live", so that is what the “Overview” on the “Home” tab reflects.
The “Home” tab shows several rows of graphs of flows, packets and bits, each row covering a different time period. Clicking any graph opens a detailed view of it. In this example the flows chart was clicked. This is the same information you see in the “Details” tab. Notice that the flows chart breaks the traffic down into TCP, UDP, ICMP and other and lists the volume of each.
The chart is based on the volume for one axis and the time as the other axis. The options at the bottom allow you to modify those settings. If you click on any of the smaller charts you will get a larger version of it for more detail.
Below those images on the same page is a “Statistics timeslot” for the specific date providing the data that was used for the charts.
At the bottom of the page is an interface that allows you to make modifications to see statistics based on source or any of about 25 options and then the information is returned in a text format. This will certainly allow you to drill down for better details.
The “Graphs” tab allows you to see each of the three graphs in larger scale by selecting one of the three tabs.
The “Alerts” tab allows you to set up alerts to email accounts when conditions are met. You have the option to specify a number of conditions.
The “Stats” tab allows you to modify colors, profiles, protocols, etc. to make the charting reflect your network needs.
Integrating With Nagios XI
To integrate netflow and nfsen with Nagios XI, install the Home Page Modification component and then set it up to point at the location of nfsen.