NetFlow - No data to show
#1
Hello,

I am following the guide to set up and configure NetFlow found here: http://wiki.pandorafms.com/index.php?tit...en:Netflow

I have installed nfcapd on the PandoraFMS server, and it is running properly and saving data from my remote host running fprobe.

I am able to review the data using nfdump (nfdump -R /var/spool/pandora/data_in/netflow) and that is working properly, but I am unable to view any data within the NetFlow Live View in the Pandora FMS web interface. It simply displays the "No data to show" icon.

The /var/spool/pandora/data_in/netflow directory is in the www-data (apache2) group, so it should be accessible by the webserver on the box.

Not sure where to go from here. Any advice is appreciated.

Thanks.
#2
Hi sdhardy,

Do you actually have something at this folder "/var/spool/pandora/data_in/netflow"?
And remember that you need to give the appropriate permissions to the folder! chmod 770 and pandora:apache!
Hope this helps ;)

Regards,
Emilio.
#3
Hey,

Having the same issue, cannot get NetFlow to be displayed in Pandora, either from NetFlow live or from reports. It says no data or displays an empty graph.

Installed nfcapd as per official guide

[[email protected] centos]# /usr/local/bin/nfcapd -V
/usr/local/bin/nfcapd: Version: 1.6.8p1 $Date: 2012-11-10 12:40:54 +0100 (Sat, 10 Nov 2012) $
[[email protected] centos]#


I receive netflow streams from devices just fine in the  /var/spool/pandora/data_in/netflow/ folder

I also set up the right permissions to:

[[email protected] centos]# ls -la /var/spool/pandora/data_in/netflow/
total 545804
drwxrws---. 2 pandora apache   12288 Aug 31 03:00 .
drwxrws---. 6 pandora apache      63 Aug 31 03:05 ..
-rwxrwx---  1 pandora apache     276 Aug 20 03:00 nfcapd.201708200200
-rwxrwx---  1 pandora apache     276 Aug 20 04:00 nfcapd.201708200300
-rwxrwx---  1 pandora apache     276 Aug 20 05:00 nfcapd.201708200400
-rwxrwx---  1 pandora apache     276 Aug 20 06:00 nfcapd.201708200500
-rwxrwx---  1 pandora apache     276 Aug 20 07:00 nfcapd.201708200600
-rwxrwx---  1 pandora apache     276 Aug 20 08:00 nfcapd.201708200700
-rwxrwx---  1 pandora apache     276 Aug 20 09:00 nfcapd.201708200800
-rwxrwx---  1 pandora apache     276 Aug 20 10:00 nfcapd.201708200900
-rwxrwx---  1 pandora apache     276 Aug 20 11:00 nfcapd.201708201000
-rwxrwx---  1 pandora apache     276 Aug 20 12:00 nfcapd.201708201100
-rwxrwx---  1 pandora apache     276 Aug 20 13:00 nfcapd.201708201200
-rwxrwx---  1 pandora apache     276 Aug 20 14:00 nfcapd.201708201300
-rwxrwx---  1 pandora apache     276 Aug 20 15:00 nfcapd.201708201400
-rwxrwx---  1 pandora apache     276 Aug 20 16:00 nfcapd.201708201500
-rwxrwx---  1 pandora apache     276 Aug 20 17:00 nfcapd.201708201600
-rwxrwx---  1 pandora apache     276 Aug 20 18:00 nfcapd.201708201700
-rwxrwx---  1 pandora apache     276 Aug 20 19:00 nfcapd.201708201800
-rwxrwx---  1 pandora apache     276 Aug 20 20:00 nfcapd.201708201900
-rwxrwx---  1 pandora apache     276 Aug 20 21:00 nfcapd.201708202000
-rwxrwx---  1 pandora apache     276 Aug 20 22:00 nfcapd.201708202100
-rwxrwx---  1 pandora apache     276 Aug 20 23:00 nfcapd.201708202200
-rwxrwx---  1 pandora apache     276 Aug 21 00:00 nfcapd.201708202300
-rwxrwx---  1 pandora apache     276 Aug 21 01:00 nfcapd.201708210000


and confirmed recursively that /var/spool/pandora has chmod 700 and chown pandora:apache.


Also confirmed that Netflow is enabled, that the daemon starts correctly when pandora_server is started and confirmed that: CONFIGURATION » NETFLOW is configured correctly, all paths are reachable and working.

Also did nfdump -R for /var/spool/pandora/data_in/netflow and I see netflow data no problems.

Could you please share how you fixed yours? Any ideas?

Thanks!!!

Regards,
#4
Just noticed that when I execute command:
/usr/local/bin/nfdump -R nfcapd.201709010000

I get netflow data, but the timestamps are possibly wrong?

This is data from a netflow captured today:

2017-08-10 03:24:43.711 0.000 TCP XXXXXX 0 0 1
2017-08-10 03:24:43.711 0.000 TCP XXXXXX 0 0 1
2017-08-10 03:24:43.711 0.000 TCP XXXXXX 0 0 1
2017-08-10 03:24:43.711 0.000 TCP XXXXXX 0 0 1
2017-08-10 03:24:43.509 0.000 TCP XXXXXX 0 0 1
2017-08-10 03:24:43.509 0.000 TCP XXXXXX 0 0 1
2017-08-10 03:24:43.509 0.000 TCP XXXXXX 0 0 1
2017-08-10 03:24:43.509 0.000 TCP XXXXXX 0 0 1


However, I set the net flow live viewer to provide all the data within the month of August, and it still does not display anything.

So after decreasing the time windows in net-flow viewer, I can see that Pandora FMS is actually reading the NetFlow files, however not in a consistent manner since they are all marked with a wrong time-stamp that resembles a very narrow time window.

First flow file: 
276 Aug 20 03:00 nfcapd.201708200200

Netflow timestamp starting at: 2017-08-10 03:30:26.280

Last flow file:
1917112 Sep  1 02:00 nfcapd.201709010100

Netflow timestamp starting at: 2017-08-10 03:24:40.857

It seems that nfcapd version 1.6.8p1 has a bug and it does not time-stamp incoming Net-Flow data correctly. Are there any other versions of nfcapd or nfdump supported by Pandora FMS?

Thanks!
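The check post #4 performs by hand (capture file name versus the first flow timestamp that nfdump prints), as an added example that is not part of the thread or of Pandora FMS. It assumes hourly rotation, as the directory listing suggests, and nfdump line output that starts with the flow start time; the function names, the 30-minute tolerance and the last two sample entries are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

NAME_RE = re.compile(r"nfcapd\.(\d{12})$")
FLOW_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d{3}\s", re.M)

def file_window(name, rotation=timedelta(hours=1)):
    """Capture window implied by an nfcapd file name (nfcapd.YYYYMMDDHHMM)."""
    m = NAME_RE.search(name)
    if not m:
        raise ValueError(f"not an nfcapd capture file: {name!r}")
    start = datetime.strptime(m.group(1), "%Y%m%d%H%M")
    return start, start + rotation  # rotation length is an assumption

def first_flow_time(nfdump_text):
    """Start time of the first flow record in nfdump text output, or None."""
    m = FLOW_RE.search(nfdump_text)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") if m else None

def skew(name, nfdump_text, tolerance=timedelta(minutes=30)):
    """How far the first flow lies outside the file's window (zero if inside)."""
    start, end = file_window(name)
    seen = first_flow_time(nfdump_text)
    if seen is None:
        return None  # file holds no flow records, nothing to compare
    if seen < start - tolerance:
        return seen - start  # negative: flows stamped before the capture window
    if seen > end + tolerance:
        return seen - end    # positive: flows stamped after the capture window
    return timedelta(0)

# File name -> nfdump text for that file. The first two pairs use the values
# quoted in post #4; the last two are constructed for contrast.
SAMPLES = {
    "nfcapd.201708200200": "2017-08-10 03:30:26.280 0.000 TCP XXXXXX 0 0 1\n",
    "nfcapd.201709010100": "2017-08-10 03:24:40.857 0.000 TCP XXXXXX 0 0 1\n",
    "nfcapd.201709010200": "2017-09-01 02:03:12.100 0.000 TCP XXXXXX 0 0 1\n",
    "nfcapd.201709010300": "",
}

def audit(samples=SAMPLES):
    """Skew per file; a non-zero value means the flow clock and the collector clock disagree."""
    return {name: skew(name, text) for name, text in samples.items()}

if __name__ == "__main__":
    for name, delta in audit().items():
        print(name, "no flows" if delta is None else delta)
```

A skew of days rather than minutes, as in the two entries taken from the thread, also explains why a viewer that selects flows by time range shows nothing for the period the files were written in.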