Difference between revisions of "Pandora: Documentation en: Netflow"

From Pandora FMS Wiki
(Distributed configuration)
(Updated with latest information from Mattermost. Pandora NTA.)
[[Pandora:Documentation_en|Go back to Pandora FMS documentation index]]
 
  
= Introduction to real time network analysis =

Pandora FMS uses a tool to analyse the network in real time: '''Netflow'''. It is based on "listening" on the Ethernet network continuously and analysing the traffic to generate statistics. The idea is to "intercept" the network traffic and send it to a probe that analyses it and sends the results to Pandora FMS.

To intercept network traffic and be able to analyse it, it is necessary to have physical access to that network, or at least to understand its topology, since the capture point must be chosen appropriately. It is not the same, for example, to capture the traffic of a local router or AP as to capture all the server network traffic just before it reaches the outgoing router.

To capture such data, traffic must be redirected from one port of the switch to another port using a "port mirror". Not all network devices allow this (only mid/high range ones). A port mirror can also be configured on some commercial firewalls. This is the easiest way to intercept traffic and requires no additional hardware: all traffic is sent to one port, and that port is connected directly to the network analyser (the Netflow probe).

These high-end switches and/or firewalls make monitoring easier, since they send the network flow statistics directly to the Pandora FMS Netflow collector without the need for a separate probe. Check the characteristics of your hardware to know whether you can enable Netflow on it and send the flows to an independent Netflow collector (in this case, the Pandora FMS Netflow collector).

= NetFlow network monitoring =

== Introduction to Netflow ==

Pandora FMS version 5 and above are designed to monitor IP traffic by using the NetFlow protocol. This protocol allows you to review the traffic's most useful patterns and general data.<br>

'NetFlow' is a network protocol developed by Cisco Systems to collect IP traffic information. It has become an industry standard for network traffic monitoring and is currently supported by several platforms besides Cisco IOS and NXOS, such as Juniper devices, Enterasys switches and operating systems like Linux, FreeBSD, NetBSD and OpenBSD.
 
  
There is an article about Netflow on our blog; go check it out: https://blog.pandorafms.org/what-is-netflow/

=== NetFlow protocol ===

NetFlow-enabled devices (NetFlow probes) generate "NetFlow records", small pieces of information that are sent to a central device (the NetFlow server or collector), which receives, stores and processes them.

Data is transmitted using the NetFlow protocol over UDP or SCTP. A NetFlow record is a small packet that contains only statistical information about a connection, not the raw data. That means the payload of the traffic observed by the probe is not sent to the collector, only statistical data.

There are several NetFlow implementations that may differ from the original specification and include additional information, but most of them provide at least the following information.

Although NetFlow has been described in many ways, Cisco's traditional definition uses a 7-element key, where a flow is defined as a one-way sequence of packets that share the following 7 values:

* The source IP address.
* The target IP address.
* The source UDP or TCP port.
* The target UDP or TCP port.
* The IP protocol.
* An interface (SNMP ifIndex).
* The type of service.
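As an added example (not code from the Pandora FMS project or from nfdump), the following Python parses a NetFlow v5 export datagram, the classic Cisco format whose records carry exactly the key fields listed above. The v5 layout and the constructed sample flows are assumptions of this example; the length checks show the validation a collector listening on 9995/UDP should apply before trusting the packet's own record count.

```python
import struct
import socket
from dataclasses import dataclass
from typing import List, Tuple

# NetFlow v5 layouts (network byte order): a 24-byte header followed by 48-byte records.
# v5 is assumed here as the export format; the page itself does not pin a NetFlow version.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_V5_RECORDS = 30  # a v5 datagram carries at most 30 flow records


@dataclass(frozen=True)
class FlowRecord:
    """One NetFlow v5 record: the 7-tuple key plus the counters it carries."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    input_if: int      # SNMP ifIndex of the ingress interface
    tos: int
    packets: int
    octets: int

    def key(self) -> Tuple:
        # The classic Cisco 7-element flow key described in the text.
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port,
                self.proto, self.input_if, self.tos)


def parse_v5(datagram: bytes) -> Tuple[dict, List[FlowRecord]]:
    """Parse one NetFlow v5 UDP datagram into a header dict and its records.

    Raises ValueError on anything malformed: the count field in the header is
    never trusted on its own, the received length must agree with it.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, uptime, unix_secs, _unix_nsecs, seq,
     _engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count == 0 or count > MAX_V5_RECORDS:
        raise ValueError(f"implausible record count {count}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"length {len(datagram)} != expected {expected} for {count} records")
    header = {"version": version, "count": count, "sys_uptime_ms": uptime,
              "unix_secs": unix_secs, "flow_sequence": seq,
              "engine_id": engine_id, "sampling_interval": sampling & 0x3FFF}
    records = []
    for i in range(count):
        offset = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, _flags, proto, tos, _sas, _das,
         _smask, _dmask, _pad2) = V5_RECORD.unpack_from(datagram, offset)
        records.append(FlowRecord(
            src_ip=socket.inet_ntoa(src), dst_ip=socket.inet_ntoa(dst),
            src_port=sport, dst_port=dport, proto=proto, input_if=in_if,
            tos=tos, packets=pkts, octets=octets))
    return header, records


def build_v5(records: List[tuple], seq: int = 1) -> bytes:
    """Build a v5 datagram from (src_ip, dst_ip, sport, dport, proto, ifindex, tos, pkts, octets)
    tuples. Only used to construct the sample input below."""
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\x00" * 4,
                       ifidx, 0, pkts, octs, 0, 0, sp, dp, 0, 0, proto, tos,
                       0, 0, 24, 24, 0)
        for (s, d, sp, dp, proto, ifidx, tos, pkts, octs) in records)
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, seq, 0, 0, 0)
    return header + body


# Constructed sample: both directions of one HTTPS session seen on ifIndex 2, as a probe exports them.
SAMPLE_DATAGRAM = build_v5([
    ("192.168.70.10", "203.0.113.5", 51234, 443, 6, 2, 0, 12, 1500),
    ("203.0.113.5", "192.168.70.10", 443, 51234, 6, 2, 0, 10, 9200),
])

if __name__ == "__main__":
    hdr, flows = parse_v5(SAMPLE_DATAGRAM)
    print(hdr)
    for f in flows:
        print(f.key(), f.packets, f.octets)
```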
  
In time, some manufacturers have designed similar protocols with different names but for the same purpose:

* Juniper Networks Jflow or cflowd
* 3Com/H3C/HP NetStream
* Huawei NetStream
* Alcatel Lucent Cflowd
* Ericsson Rflow
* AppFlow
* sFlow

Pandora FMS also supports sFlow (an industry standard for packet export), which allows Pandora FMS to analyse sniffed packets at Layer 2 of the OSI model. Moreover, because sFlow is a standard, many vendors support it on their devices.
 
  
=== NetFlow Collector ===

A NetFlow collector is a device (a PC or a server), placed in the network to gather all the NetFlow information sent by routers and switches.

NetFlow generates and collects that information, but software is needed to store and analyse that traffic. Pandora FMS uses a specific server for this purpose, which is started and stopped together with the Pandora FMS server. That server is '''nfcapd''', and it must be installed to be able to use NetFlow monitoring.

=== NetFlow Probe ===

Probes are usually NetFlow-enabled routers, configured to send information to a NetFlow collector (in this case, a Pandora FMS server with the 'nfcapd' daemon running).
  
 
  
There is a step-by-step technical article on our blog about how to build a Netflow probe using 60€ Raspberry Pi hardware; take a look at https://blog.pandorafms.org/netflow-probe-using-raspberry/

== Installation and requirements ==

Pandora FMS uses an open-source tool called 'nfcapd' (part of the nfdump package) to process all NetFlow traffic. This daemon is started automatically by the Pandora FMS Server and stores data in binary files at a specific location. Install 'nfcapd' on your system before working with NetFlow in Pandora FMS. 'nfcapd' listens on port 9995/UDP by default, so keep this in mind when opening ports on your firewalls and when configuring Netflow probes.

=== nfcapd installation ===

Install nfcapd manually, because Pandora FMS does not install it by default. For more information on how to install it, visit the<br>[http://nfdump.sourceforge.net '''Official NFCAPD Project Page.''']

Pandora FMS uses the directory '/var/spool/pandora/data_in/netflow' by default to process information, so 'nfcapd' will use that directory when it is started. Do '''not''' modify it unless you know exactly what you are doing.

{{tip|Install nfdump '''version 1.6.8p1''' to use it with Pandora FMS}}

To test whether 'nfcapd' is properly installed, execute this command to start the process:

  nfcapd -l /var/spool/pandora/data_in/netflow -D

If everything works, you should see output similar to this:

  Add extension: 2 byte input/output interface index
  Add extension: 4 byte input/output interface index
  Add extension: 2 byte src/dst AS number
  Add extension: 4 byte src/dst AS number
  Add extension: 4 byte output bytes
  Add extension: 8 byte output bytes
  Add extension: NSEL Common block
  Add extension: NSEL xlate ports
  Add extension: NSEL xlate IPv4 addr
  Add extension: NSEL xlate IPv6 addr
  Add extension: NSEL ACL ingress/egress acl ID
  Add extension: NSEL username
  Add extension: NSEL max username
  Add extension: NEL Common block
  Bound to IPv4 host/IP: any, Port: 9995
  Startup.
  Init IPFIX: Max number of IPFIX tags: 62

{{warning|Keep in mind that the Pandora FMS Console (and more specifically the web server that runs it) must have access to that data. In this example it is located at '/var/spool/pandora/data_in/netflow'.}}
  
=== Probe Installation ===

If a NetFlow-enabled router is not available, but you use a Linux server to route your traffic, you may install NetFlow software that works as a probe and sends all NetFlow-related information to the collector.

In Linux, there is a program called 'fprobe' which captures traffic and sends it to a NetFlow server. With it you may generate NetFlow records from the traffic that goes through its interfaces.

To download the rpm package you may use the following command and then install it:

  wget http://repo.iotti.biz/CentOS/7/x86_64/fprobe-1.1-2.el7.lux.x86_64.rpm
  yum install fprobe-1.1-2.el7.lux.x86_64.rpm

For instance, executing this command, all eth0 interface traffic will be sent to the Netflow collector listening on port 9995 of the IP 192.168.70.185:

  /usr/sbin/fprobe -ieth0 -fip 192.168.70.185:9995

Once the traffic has been generated, you may view its statistics in the Netflow collector by entering this command:

  nfdump -R /home/netflow_data/

It should display information similar to the one shown below.

  Sys: 0.006s flows/second: 208345.2  Wall: 0.006s flows/second: 221177.2

If your system works properly, the next step is configuring Pandora FMS to use this particular configuration.

== Working with NetFlow under Pandora FMS ==

Pandora FMS works with Netflow as an auxiliary system; that is, it does not store NetFlow data in its database. Pandora FMS shows that information in reports generated on demand.

Pandora FMS works with NetFlow data by using filters, which are sets of rules that match certain traffic patterns. A rule can be as simple as 'all the traffic from the 192.168.70.0/24 network' or a complex 'pcap' filter expression.

Once filters are created, define reports that determine how the information matched by those filters will be displayed (e.g. charts and tables) and the time frame. Once filters and reports are defined, that information can be accessed on demand like other Pandora FMS reports.

Netflow reports appear as a "report type" in the Pandora FMS custom report section, so they can be added to "normal" Pandora FMS reports.

There is also a real-time console view to analyse the traffic, creating rules on the spot. It can be very useful to investigate problems or to temporarily display charts that do not match a specific saved filter.
  
 
=== Configuration ===
 
  
First of all, enable NetFlow so that it becomes accessible from the 'Operation' and 'Administration' menus. In the Configuration section (management menu) there is an option to enable or disable Netflow globally.
  
 
<center>
[[Image:Netflow1.png]]
</center>
  
Once activated, a new Netflow configuration option will appear in the setup section.
  
 
<center>
[[Image:Netflow2.png]]
</center>
  
This section must be configured correctly so that the nfcapd daemon can be started together with the Pandora FMS server:
  
  
'''Data storage path:'''<br>
The directory where NetFlow data files are stored.

'''Daemon interval:'''<br>
Time interval in seconds for data rotation. The recommended value is '3600'. A wider interval means potentially bigger files, which means less I/O overhead, but it also makes accessing data for a specific time interval slower.

'''Daemon binary path:'''<br>
The path to the 'nfcapd' binary.

'''Nfdump binary path:'''<br>
The path to the 'nfdump' binary.

'''Nfexpire binary path:'''<br>
The path to the 'nfexpire' binary, the program that deletes old NetFlow data.

'''Maximum chart resolution:'''<br>
The maximum number of points displayed by a NetFlow area chart. The higher the resolution, the lower the performance. Values between '50' and '100' are recommended here.

'''Disable custom live view filters:'''<br>
Disables defining custom filters from the Netflow live view (only previously created filters can be used).

'''Netflow max. lifespan:'''<br>
Maximum number of days Netflow data will be stored before being deleted.

'''Enable IP address name resolution:'''<br>
Allows IP resolution to try to retrieve the hostnames of Netflow devices.

{{warning|The access speed of the hard drive where Netflow data are stored is usually the key factor limiting performance.}}

Once NetFlow is configured in the console, restart the Pandora FMS server so that it starts the 'nfcapd' server. This server must be properly installed before trying to run it. Check the server logs in case of doubt.

{{tip|The Netflow server will not appear in the Pandora FMS server view mode, since it is not considered a Pandora FMS server.}}
  
 
== Filters ==
 
  
You may access the creation and editing of filters by clicking on Resources > NetFlow Filters. This section contains a list of already created filters, which can be modified or deleted.

<center>
[[Image:Netflow3.png]]
</center>

You may also create a filter directly from the "Netflow live view", saving the active filter as a new one. Netflow filters can be "basic" or "advanced". The difference is that the former have fixed filtering fields (source IP, target IP, source port, target port), while the advanced ones are defined by a ''pcap''-style expression (the standard for network traffic filtering expressions) and can use all of its features.

=== Filter creation ===

This is the basic editing view of a Netflow filter:

<center>
[[Image:Netflow4.png]]
</center>
  
The configurable fields of a NetFlow filter are the following:

* '''Name:''' It is recommended for the filter's name to be descriptive.
* '''Group:''' A user can only create a filter or edit the filters of a group it has access to.
* '''Filter:''' There are two types of filters: basic and advanced. Advanced filters allow using advanced expressions in the same format as 'nfdump'. Basic filters can filter traffic by source and target IP and by source or target port. Lists of comma-separated IPs or ports are also accepted here.
* '''Aggregate by:''' All traffic data can be grouped by one of the following criteria:

<blockquote>
'''Source IP:''' It displays the traffic of each different source IP.<br>
'''Target IP:''' It displays the traffic of each different target IP.<br>
'''Source port:''' It displays the traffic of each different source port.<br>
'''Target port:''' It displays the traffic of each different target port.<br>
'''Protocol:''' It displays the traffic of each protocol.<br>
'''Any:''' The total traffic is displayed.
</blockquote>

'''Output format:''' The data is displayed in the selected unit:<br>

<blockquote>
Kilobytes.<br>
Kilobytes per second.<br>
Megabytes.<br>
Megabytes per second.<br>
</blockquote>

==== Examples ====

Basic web traffic filter example:

<center>
[[Image:Netflow5.png]]
</center>

Advanced intranet traffic filter example:

<center>
[[Image:Netflow6.png]]
</center>

Here are other examples of advanced filters:

<center>
[[Image:Netflow7.png]]
</center>

<center>
[[Image:Netflow8.png]]
</center>

* '''Description''': Item description.
* '''Period''': Length of the interval of data to display.
* '''Resolution''': Some reports require samples to be collected at regular intervals. This parameter defines the number of samples. The resolution may be low (6 samples), medium (12 samples), high (24 samples) or ultra-high (30 samples). There are two special values (''hourly'' and ''daily'') so that, instead of a fixed number of samples, one sample is collected per hour or per day.
* '''Max. values''': Maximum number of elements for aggregates. For example, if a chart of HTTP traffic is drawn aggregated by source IP address and Max. values is set to 5, only 5 IP addresses will be shown.
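The basic filter, 'Aggregate by' and output format settings from the filter section, together with the 'Max. values' field above, modelled in Python as an added example (not Pandora FMS code): the flow records, the filters and the one-hour period are constructed here, and `to_nfdump_expr` emits the equivalent nfdump expression an advanced filter would take.

```python
from collections import defaultdict
from ipaddress import ip_address
from typing import Dict, Iterable, List, Optional, Tuple

# A flow as the collector returns it: the key fields plus the byte counter.
Flow = Dict[str, object]

# 'Aggregate by' criteria mapped to the flow field they group on; "none" is the page's "Any".
AGGREGATE_FIELDS = {
    "srcip": "src_ip", "dstip": "dst_ip",
    "srcport": "src_port", "dstport": "dst_port",
    "proto": "proto", "none": None,
}

# Output formats: divisor for the unit and whether the value is a rate over the period.
OUTPUT_FORMATS = {
    "kilobytes": (1024, False), "kilobytes_s": (1024, True),
    "megabytes": (1024 ** 2, False), "megabytes_s": (1024 ** 2, True),
}


def parse_list(text: str) -> List[str]:
    """Comma-separated IP or port lists, as the basic filter fields accept them."""
    return [item.strip() for item in text.split(",") if item.strip()]


class BasicFilter:
    """Basic filter: fixed fields, each a comma-separated list; an empty field means 'any'."""

    def __init__(self, src_ips="", dst_ips="", src_ports="", dst_ports=""):
        # ip_address() rejects malformed entries instead of silently matching nothing.
        self.src_ips = {str(ip_address(x)) for x in parse_list(src_ips)}
        self.dst_ips = {str(ip_address(x)) for x in parse_list(dst_ips)}
        self.src_ports = {int(p) for p in parse_list(src_ports)}
        self.dst_ports = {int(p) for p in parse_list(dst_ports)}

    def matches(self, flow: Flow) -> bool:
        return ((not self.src_ips or flow["src_ip"] in self.src_ips)
                and (not self.dst_ips or flow["dst_ip"] in self.dst_ips)
                and (not self.src_ports or flow["src_port"] in self.src_ports)
                and (not self.dst_ports or flow["dst_port"] in self.dst_ports))

    def to_nfdump_expr(self) -> str:
        """Equivalent nfdump filter expression (the syntax advanced filters use)."""
        parts = []
        for keyword, values in (("src ip", sorted(self.src_ips)), ("dst ip", sorted(self.dst_ips)),
                                ("src port", sorted(self.src_ports)), ("dst port", sorted(self.dst_ports))):
            if values:
                parts.append("(" + " or ".join(f"{keyword} {v}" for v in values) + ")")
        return " and ".join(parts) if parts else "any"


def aggregate(flows: Iterable[Flow], flt: BasicFilter, aggregate_by: str,
              output_format: str, period_seconds: int, max_values: Optional[int] = None
              ) -> List[Tuple[str, float]]:
    """Sum the bytes of matching flows per aggregate key, convert to the output unit,
    and keep at most max_values entries (largest first), as a report item does."""
    field = AGGREGATE_FIELDS[aggregate_by]
    divisor, is_rate = OUTPUT_FORMATS[output_format]
    totals: Dict[str, int] = defaultdict(int)
    for flow in flows:
        if not flt.matches(flow):
            continue
        key = "total" if field is None else str(flow[field])
        totals[key] += int(flow["octets"])
    rows = [(k, v / divisor / (period_seconds if is_rate else 1)) for k, v in totals.items()]
    rows.sort(key=lambda kv: kv[1], reverse=True)
    return rows[:max_values] if max_values else rows


# Constructed sample flows for a one-hour period, as nfdump would list them.
SAMPLE_FLOWS: List[Flow] = [
    {"src_ip": "192.168.70.10", "dst_ip": "203.0.113.5", "src_port": 51234, "dst_port": 443, "proto": 6, "octets": 9 * 1024 * 1024},
    {"src_ip": "192.168.70.11", "dst_ip": "203.0.113.5", "src_port": 51235, "dst_port": 80, "proto": 6, "octets": 3 * 1024 * 1024},
    {"src_ip": "192.168.70.12", "dst_ip": "203.0.113.9", "src_port": 51236, "dst_port": 443, "proto": 6, "octets": 6 * 1024 * 1024},
    {"src_ip": "192.168.70.13", "dst_ip": "198.51.100.7", "src_port": 40000, "dst_port": 53, "proto": 17, "octets": 512 * 1024},
]

# The "basic web traffic filter" of the examples section: any source, target ports 80 and 443.
WEB_FILTER = BasicFilter(dst_ports="80, 443")

if __name__ == "__main__":
    print(WEB_FILTER.to_nfdump_expr())
    for key, value in aggregate(SAMPLE_FLOWS, WEB_FILTER, "srcip", "megabytes", 3600, max_values=2):
        print(f"{key:16} {value:8.2f} MB")
```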
  
There are three types of netflow report items:

* '''Area chart''': An area chart, either aggregated or unaggregated.

* '''Data table''': A text representation of the area chart.

<center>
[[Image:Netflow_table_data.png]]
</center>

* '''Netflow summary chart''': Summary of the traffic for the given period. There are three elements: a table with global information, a pie chart with the most relevant IPs or ports, and a table with the same information as the pie chart, broken down.

<center>
[[Image:Netflow9.png]]
</center>

== Netflow live view ==

This view is used to check the captured data history based on different search filters. You may use filters and different ways of displaying the information. To start viewing data, it is necessary to define how the displayed information is grouped and how it is obtained.

<center>
[[Image:netflow_view1.png|750px]]
</center>

The information can be obtained by: source IP, target IP, source port or target port. If you choose, for example, to show the target IP information, the information ordered by the traffic to each target IP will be shown. The same applies to finding out network consumption by protocol, choosing target port.

The possible display options are the following:

* '''Area graphs''' (''stacked''): show the evolution of the data over time (from the start date to the end date). The precision level of the graph must be chosen in the "Resolution" field.

<center>
[[File: Netflow grafico area.png|600px]]
</center>

* '''Summary''': It displays a summary table, a pie chart and a table with data for the entire period.

<center>
[[File: Netflow grafico sumario.png|600px]]
</center>

* '''Detailed''': It shows a map of portions representing the IP traffic.

<center>
[[File: Netflow grafico detailed.png.png|600px]]
</center>

* '''Data table''': It displays a data table with each IP and a number of rows that depends on the chosen resolution.

<center>
[[File: Netflow datatable.png|600px]]
</center>

* '''Circle graph''': It displays an interactive pie chart representing connection pairs between IPs and their traffic volume.

<center>
[[File: Netflow bola.png|600px]]
</center>

Filters can be viewed in real time from "Operation > Netflow Live View". This tool allows you to see the changes made to a filter and save it once the desired result is obtained. It is also possible to load and modify existing filters.

To modify an existing filter, load it from the Load filter selector, make the desired changes and click on ''Update current filter''.

<center>
[[Image:Netflow_update_filter.png|600px]]
</center>

To create a new filter, configure it, click on ''Save as new filter'', enter a name, optionally select a group and click on ''Save as new filter'' again.

<center>
[[Image:Netflow_save_filter.png|600px]]
</center>

See [[Pandora:Documentation_en:Netflow#Reports|Reports]] and [[Pandora:Documentation_en:Netflow#Filters|Filters]] to learn how to configure live view options.

== Network traffic maps ==

This is a new feature added in OUM 733 and will be improved in the future. It creates dynamic network maps based on the traffic between nodes. It shows the relationships (connections) between different addresses, displaying the top N connections (by size of the data transferred between them).

<center>
[[File: Network Usage map.jpg|700px]]
</center>

== Distributed configuration ==
  
It is possible to locate the Pandora FMS node that collects Netflow data on a host independent from the console. In environments with a lot of Netflow data it is in fact more than recommended to place it on a server with fast disks and a fast CPU of at least two cores. In order for the Pandora FMS console to retrieve Netflow data, it is necessary to modify the default system configuration, following the steps described below:

* '''Configure automatic SSH authentication between the user who owns the web daemon and the user with the ability to run nfdump on the collector node.'''

For its configuration, follow these steps:

Enable the apache user login. In order to do this, modify the line of the apache user in the file /etc/passwd with this configuration:

  apache:x:48:48:Apache:/var/www:/bin/bash

Create the .ssh directory inside the /var/www directory and give it the correct permissions:

  #mkdir /var/www/.ssh
  #chown apache:apache /var/www/.ssh

Create ssh keys as the apache user and copy them to the server where the Netflow traffic is hosted (replace <user> with the collector-side account able to run nfdump):

  #su apache
  bash-4.2$ ssh-copy-id <user>@<netflow_server>

Once shared, verify that it is possible to access the server as the apache user without entering a password:

  bash-4.2$ ssh <user>@<netflow_server>

* '''Create a script in the Pandora FMS console that replaces /usr/bin/nfdump with one similar to the following'''

<pre>
</pre>

Give execution permissions to the script:
+
Give the script execution permissions:
  
 
<pre>
 
<pre>
Line 377: Line 460:
 
</pre>
 
</pre>
  
Pruebe a ejecutar el script, de esta forma
+
Try executing the script like this:
  
 
  /usr/bin/nfdump -V
 
  /usr/bin/nfdump -V
  
Debería devolver algo similar a:
+
It should return something similar to:
  
 
  nfdump: Version: 1.6.13
 
  nfdump: Version: 1.6.13

Latest revision as of 12:05, 14 January 2021



1 Introduction to real time network analysis

Pandora FMS uses a tool to analyse the network in real time: Netflow. It uses the principle of "listening" over Ethernet in a continuous way and analyzes the traffic to generate statistics. The idea is to "intercept" the network traffic to send it to a probe that will analyse it and send those results to Pandora FMS.

To intercept network traffic and be able to analyse it, it is necessary to have physical access to that network or at least to understand its topology, since the choice of capture point matters. It is not the same, for example, to capture the traffic of a local router or AP as to capture all the server network traffic just before it reaches the outgoing router.

To capture such data, traffic must be redirected from one port of the switch to another port using a "port-mirror". Not all network devices allow this (only mid/high range). A port-mirror can also be made on some commercial firewalls. This is the easiest way to intercept traffic and requires no additional hardware. By sending all traffic to a port, that port is connected directly to the network analyzer (netflow probe).

High-end switches and firewalls make monitoring easier, because they can send the network flow statistics directly to the Pandora FMS Netflow collector without the need for a separate probe. Consult the hardware specifications to find out whether Netflow can be enabled and the flows sent to an independent Netflow collector (in this case, the Pandora FMS Netflow collector).

2 NetFlow network monitoring

2.1 Introduction to Netflow

Pandora FMS version 5 and above are designed to monitor IP traffic by using the NetFlow protocol. This protocol allows you to review the most useful traffic patterns and general data.

'NetFlow' is a network protocol developed by Cisco Systems to collect IP traffic information. It has become an industry standard for network traffic monitoring and is currently supported by several platforms besides Cisco IOS and NX-OS, such as Juniper devices, Enterasys switches and operating systems like Linux, FreeBSD, NetBSD and OpenBSD.

Netflow architecture.png

There is an article about Netflow on our blog, go check it out https://blog.pandorafms.org/what-is-netflow/

2.1.1 NetFlow protocol

NetFlow-enabled devices (NetFlow probes) generate "NetFlow records", small pieces of information that are sent to a central device (the NetFlow server or collector), which receives, stores and processes them.

Data is transmitted using the NetFlow protocol over UDP or SCTP. A NetFlow record is a small packet that contains only statistical information about a connection, not the raw data: the payload of the traffic seen by the probe is never sent to the collector, only statistics about it.

There are several NetFlow implementations that may differ from the original specification and include additional information, but most of them provide at least the following information. Although NetFlow has been described in many ways, Cisco's traditional definition uses a 7-element key, where a flow is defined as a one-way sequence of packets that share the following 7 values:

  • The source IP address.
  • The target IP address.
  • The source UDP or TCP port.
  • The target UDP or TCP port.
  • The IP protocol.
  • An interface (SNMP ifIndex).
  • The type of service.

In time, some manufacturers have designed similar protocols with different names but for the same purpose:

  • Juniper Networks Jflow or cflowd
  • 3Com/H3C/HP NetStream
  • Huawei NetStream
  • Alcatel Lucent Cflowd
  • Ericsson Rflow
  • AppFlow
  • sFlow


2.1.2 NetFlow Collector

A NetFlow collector is a device (a PC or a server) placed in the network to gather all the NetFlow information sent by routers and switches.

NetFlow generates and collects that information, but software is needed to store and analyze the traffic. Pandora FMS uses a specific server for this purpose, which is started and stopped together with the Pandora FMS server. That server is called nfcapd and it must be installed in order to use Netflow monitoring.

2.1.3 NetFlow Probe

Probes are usually NetFlow-enabled routers, configured to send information to the NetFlow collector (in this case the Pandora FMS server with the 'nfcapd' daemon running).

NewNetFlowApproach.png

There is a step-by-step technical article in our blog about how to build a Netflow probe using a 60€ Raspberry Pi; take a look at https://blog.pandorafms.org/netflow-probe-using-raspberry/

2.2 Installation and requirements

Pandora FMS uses an open-source tool called 'nfcapd' (part of the nfdump package) to process all NetFlow traffic. This daemon is automatically started by the Pandora FMS server and stores data in binary files at a specific location. Install 'nfcapd' on your system before working with NetFlow in Pandora FMS. 'nfcapd' listens on port 9995/UDP by default, so keep this in mind when opening the port on any firewalls and when configuring Netflow probes.

2.2.1 nfcapd installation

Install nfcapd manually, because Pandora FMS will not install it by default. For more information on how to install it, visit the Official NFCAPD Project Page.

Pandora FMS uses the directory '/var/spool/pandora/data_in/netflow' by default to process information, so when it is started 'nfcapd' will use that directory. Do not modify it unless you know exactly what you are doing.

Note: Install nfdump version 1.6.8p1 to use it with Pandora FMS.

In order to test whether 'nfcapd' is properly installed, execute this command to start the process.

nfcapd -l /var/spool/pandora/data_in/netflow -D

If everything works, you should see an output similar to this one:

Add extension: 2 byte input/output interface index
Add extension: 4 byte input/output interface index
Add extension: 2 byte src/dst AS number
Add extension: 4 byte src/dst AS number
Add extension: 4 byte output bytes
Add extension: 8 byte output bytes
Add extension: NSEL Common block
Add extension: NSEL xlate ports
Add extension: NSEL xlate IPv4 addr
Add extension: NSEL xlate IPv6 addr
Add extension: NSEL ACL ingress/egress acl ID
Add extension: NSEL username
Add extension: NSEL max username
Add extension: NEL Common block
Bound to IPv4 host/IP: any, Port: 9995
Startup.
Init IPFIX: Max number of IPFIX tags: 62

Warning: Keep in mind that the Pandora FMS Console (and more specifically the web server that runs it) must have access to those data. In this example they are located at '/var/spool/pandora/data_in/netflow'.


2.2.2 Probe Installation

If a NetFlow-enabled router is not available, but you use a Linux server to route your traffic, you may install NetFlow software that works as a probe and sends all NetFlow-related information to the collector.

In Linux there is a program called 'fprobe' which captures traffic and sends it to a NetFlow server. It generates NetFlow records from the traffic that goes through the interfaces of the host it runs on.

To download the rpm package you may use the following command and then install it:

wget http://repo.iotti.biz/CentOS/7/x86_64/fprobe-1.1-2.el7.lux.x86_64.rpm
yum install fprobe-1.1-2.el7.lux.x86_64.rpm

For instance, executing this command, all eth0 interface traffic will be sent to the Netflow collector listening on port 9995 of the IP 192.168.70.185:

/usr/sbin/fprobe -ieth0 -fip 192.168.70.185:9995

Once the traffic has been generated, you may view its statistics on the Netflow collector by entering this command:

nfdump -R /home/netflow_data/

It should display similar information to the one shown below.


Aggregated flows 1286
Top 10 flows ordered by packets:
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2011-12-22 20:41:35.697   901.035 TCP     192.168.60.181:50935 ->     192.168.50.2:22        2105   167388     4
2011-12-22 20:41:35.702   900.874 TCP       192.168.50.2:22    ->   192.168.60.181:50935     1275   202984     4
2011-12-22 20:48:15.057     1.347 TCP       157.88.36.34:80    ->    192.168.50.15:40044      496   737160     1
2011-12-22 20:48:14.742     1.790 TCP     91.121.124.139:80    ->    192.168.50.15:60101      409   607356     1
2011-12-22 20:46:02.791    76.616 TCP      192.168.50.15:80    ->   192.168.60.181:40500      370   477945     1
2011-12-22 20:48:15.015     1.389 TCP      192.168.50.15:40044 ->     157.88.36.34:80         363    22496     1
2011-12-22 20:46:02.791    76.616 TCP     192.168.60.181:40500 ->    192.168.50.15:80         303    24309     1
2011-12-22 20:48:14.689     1.843 TCP      192.168.50.15:60101 ->   91.121.124.139:80         255    13083     1
2011-12-22 20:48:14.665     1.249 TCP     178.32.239.141:80    ->    192.168.50.15:38476      227   335812     1
2011-12-22 20:48:21.350     0.713 TCP     137.205.124.72:80    ->    192.168.50.15:47551      224   330191     1  

Top 10 flows ordered by bytes:
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2011-12-22 20:48:15.057     1.347 TCP       157.88.36.34:80    ->    192.168.50.15:40044      496   737160     1
2011-12-22 20:48:14.742     1.790 TCP     91.121.124.139:80    ->    192.168.50.15:60101      409   607356     1
2011-12-22 20:46:02.791    76.616 TCP      192.168.50.15:80    ->   192.168.60.181:40500      370   477945     1
2011-12-22 20:48:14.665     1.249 TCP     178.32.239.141:80    ->    192.168.50.15:38476      227   335812     1
2011-12-22 20:48:21.350     0.713 TCP     137.205.124.72:80    ->    192.168.50.15:47551      224   330191     1
2011-12-22 20:48:15.313     1.603 TCP       89.102.0.150:80    ->    192.168.50.15:52019      212   313432     1
2011-12-22 20:48:14.996     1.433 TCP     212.219.56.138:80    ->    192.168.50.15:36940      191   281104     1
2011-12-22 20:51:12.325    46.928 TCP      192.168.50.15:80    ->   192.168.60.181:40512      201   245118     1
2011-12-22 20:52:05.935    34.781 TCP      192.168.50.15:80    ->   192.168.60.181:40524      167   211608     1
2011-12-22 20:41:35.702   900.874 TCP       192.168.50.2:22    ->   192.168.60.181:50935     1275   202984     4 

Summary: total flows: 1458, total bytes: 5.9 M, total packets: 15421, avg bps: 49574, avg pps: 15, avg bpp: 399
Time window: 2011-12-22 20:40:46 - 2011-12-22 20:57:21
Total flows processed: 1458, Records skipped: 0, Bytes read: 75864
Sys: 0.006s flows/second: 208345.2   Wall: 0.006s flows/second: 221177.2  

If your system works properly, the following step is configuring Pandora FMS in order to use this particular configuration.

2.3 Working with NetFlow under Pandora FMS

Pandora FMS works with Netflow as an auxiliary system, which means that it does not store NetFlow data in its database. Pandora FMS shows that information as reports on demand.

Pandora FMS works with NetFlow data by using filters, which are sets of rules that match certain traffic patterns. A rule can be as simple as 'all the traffic from 192.168.70.0/24 network' or a complex 'pcap' filter expression.

Once filters are created, define reports that determine how the information matched by those filters will be displayed (e.g. charts and tables) and over which time frame. Filters and reports are defined once and then accessed on demand, in the same way as regular Pandora FMS reports.

Netflow reports appear as a "report type" in the Pandora FMS custom report section, so that they can be added to "normal" Pandora FMS reports.

There is also a real-time console view to analyze the traffic, creating rules on the spot. It can be very useful to investigate problems or temporarily display charts that do not match a specific filter.

2.3.1 Configuration

First of all, enable NetFlow in order for it to become accessible from the 'Operation' and 'Administration' menus. In the Configuration section (management menu) there is an option for enabling or disabling Netflow globally.

Netflow1.png

Once activated, a new Netflow configuration option will appear in the setup section.

Netflow2.png

This section must be correctly configured so that the nfcapd daemon may be started together with the Pandora FMS server:


Data storage path:
The directory where NetFlow data files are stored.

Daemon interval:
Time interval in seconds for data rotation. The recommended value is '3600'. A wider interval means potentially bigger files, which means less I/O overhead, but it also renders accessing data for a specific time interval slower.

Daemon binary path:
The path to the 'nfcapd' binary.

Nfdump binary path:
The path to the 'nfdump' binary.

Nfexpire binary path:
The path to the 'nfexpire' binary.

Maximum chart resolution:
The maximum number of points displayed by a NetFlow area chart. The higher the resolution, the lower the performance. Values between '50' and '100' are recommended here.

Disable custom live view filters:
Disables the definition of custom filters from the Netflow view (only previously created filters may be used).

Netflow max. lifespan:
Maximum number of days Netflow data will be stored before being deleted.

Enable IP address name resolution:
Allows IP resolution to try to retrieve the hostnames of Netflow devices.

Warning: The access speed of the hard drive where Netflow data are stored is usually the key factor in performance limits.


Once NetFlow is configured in the console, restart Pandora FMS Server so that it starts the 'nfcapd' server. This server must be properly installed before trying to run it. Check server logs in case of doubt.

Note: The Netflow server will not appear in the Pandora FMS server view, since it is not considered a Pandora FMS server.


2.4 Filters

You may access the creation and editing of filters by clicking on Resources > NetFlow Filters. This section contains a list of already created filters which can be modified or deleted.


Netflow3.png



You may also create a filter directly from the "Netflow live view" by saving the active filter as a new one. Netflow filters can be "basic" or "advanced". The difference is that basic filters have fixed filtering fields (source IP, target IP, source port, target port), whereas advanced filters are defined by a pcap-style filter expression (the standard syntax for network traffic filtering expressions) and can use the full expressiveness of that syntax.

2.4.1 Filter creation

This would be a basic editing view of a Netflow filter:

Netflow4.png




  • Name: It is recommended for the filter's name to be quite descriptive.
  • Group: A user can only create a filter or edit the filter of a group it has access to.
  • Filter: There are two types of filters: Basic and advanced. Advanced filters allow using advanced expressions in the same format as 'nfdump'. Basic filters can filter traffic by source and target IP and source or target port. Lists of comma-separated IPs or ports are also accepted here.
  • Aggregate by: All traffic data can be grouped by one of the following criteria:

Source IP: It displays the traffic of each IP from a different source.
Target IP: It displays the traffic of each IP with a different target.
Source port: It displays the traffic of each port from a different source.
Target port: It displays the traffic of each port with a different target.

2.4.1.1 Examples

Basic web traffic filter example:



Netflow5.png



Advanced intranet traffic filter example:




Netflow6.png



Here are other examples of advanced filters:

  • Capture traffic to or from 192.168.0.1:
host 192.168.0.1
  • Capture traffic to 192.168.0.1:
dst host 192.168.0.1
  • Capture traffic from 192.168.0.0/24:
src net 192.168.0.0/24
  • Capture HTTP and HTTPS traffic:
(port 80) or (port 443)
  • Capture all traffic except DNS:
port not 53
  • Capture SSH traffic to 192.168.0.1:
(port 22) and (dst host 192.168.0.1)
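As an added example (not Pandora FMS code), the following Python shows what a basic filter and the "Aggregate by" option compute: it parses flow rows in the nfdump text layout shown earlier on this page, applies the basic filter fields (comma-separated lists accepted, empty field means no restriction) and sums bytes per aggregation key, keeping only the top N entries as the report option Max. values does. The sample rows are constructed for the example, not captured traffic.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the 'nfdump -R' text layout shown on this page (not real traffic).
SAMPLE_NFDUMP_OUTPUT = """\
Top 10 flows ordered by bytes:
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2011-12-22 20:41:35.697   901.035 TCP     192.168.60.181:50935 ->     192.168.50.2:22        2105   167388     4
2011-12-22 20:41:35.702   900.874 TCP       192.168.50.2:22    ->   192.168.60.181:50935     1275   202984     4
2011-12-22 20:48:15.057     1.347 TCP       157.88.36.34:80    ->    192.168.50.15:40044      496   737160     1
2011-12-22 20:46:02.791    76.616 TCP      192.168.50.15:80    ->   192.168.60.181:40500      370   477945     1
2011-12-22 20:48:15.015     1.389 TCP      192.168.50.15:40044 ->     157.88.36.34:80         363    22496     1
2011-12-22 20:46:02.791    76.616 UDP     192.168.60.181:40500 ->    192.168.50.15:53         303    24309     1
Summary: total flows: 6, total bytes: 1.6 M, total packets: 4912
"""

# One flow row: date time duration proto src:port -> dst:port packets bytes flows
FLOW_RE = re.compile(
    r"(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<duration>[\d.]+)\s+(?P<proto>\w+)\s+"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+->\s+(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s+"
    r"(?P<packets>\d+)\s+(?P<bytes>\d+)\s+(?P<flows>\d+)"
)

@dataclass(frozen=True)
class Flow:
    """One nfdump row (a subset of the 7-tuple: this layout carries no ifIndex or ToS)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    bytes: int

def parse_nfdump(text):
    """Return the Flow rows of nfdump text output; header and summary lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.fullmatch(line.strip())
        if m:
            flows.append(Flow(m["proto"], m["src_ip"], int(m["src_port"]),
                              m["dst_ip"], int(m["dst_port"]),
                              int(m["packets"]), int(m["bytes"])))
    return flows

def _as_set(value, cast=str):
    """A basic-filter field is a comma-separated list; an empty field means 'any'."""
    return {cast(v.strip()) for v in value.split(",") if v.strip()} if value else set()

def basic_filter(flows, src_ip="", dst_ip="", src_port="", dst_port=""):
    """Keep the flows matching every non-empty field of a Pandora FMS basic filter."""
    wanted = {
        "src_ip": _as_set(src_ip), "dst_ip": _as_set(dst_ip),
        "src_port": _as_set(src_port, int), "dst_port": _as_set(dst_port, int),
    }
    return [f for f in flows
            if all(not w or getattr(f, field) in w for field, w in wanted.items())]

def aggregate(flows, by, max_values=5):
    """Sum bytes per 'Aggregate by' key (src_ip, dst_ip, src_port or dst_port) and
    return at most max_values entries, largest first, like a report's Max. values."""
    if by not in ("src_ip", "dst_ip", "src_port", "dst_port"):
        raise ValueError(f"unsupported aggregation key: {by}")
    totals = defaultdict(int)
    for f in flows:
        totals[getattr(f, by)] += f.bytes
    return sorted(totals.items(), key=lambda kv: (-kv[1], str(kv[0])))[:max_values]

if __name__ == "__main__":
    flows = parse_nfdump(SAMPLE_NFDUMP_OUTPUT)
    # Basic web traffic filter (target ports 80 and 443) aggregated by source IP.
    for key, total in aggregate(basic_filter(flows, dst_port="80,443"), "src_ip"):
        print(f"{key:>16}  {total:>8} bytes")
```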

2.5 Reports

Netflow reports are integrated with Pandora FMS reports (see Reports for more information).

To create a report item, choose one of the available netflow report items.

Netflow7.png

And configure it. The following options are available:

Netflow8.png

  • Type: Item types will be explained below.
  • Filter: Netflow filter to use.
  • Description: Item description.
  • Period: Length of the interval of data to display.
  • Resolution: Some reports require samples to be collected every certain period. This parameter is used to define the number of samples. The resolution may be low (6 samples), medium (12 samples), high (24 samples) or ultra-high (30 samples). There are two special values (hourly and daily) so that a fixed value of samples is not collected but one every certain period.
  • Max. values: Maximum number of elements for aggregates. For example, if a chart of HTTP traffic is drawn aggregated by source IP address and Max. values is set to 5, only 5 IP addresses will be shown.

There are three types of netflow report items:

  • Area chart: An area chart, either aggregated or unaggregated.

Netflow chart area aggregated.png

  • Data table: A text representation of the area chart.

Netflow table data.png

  • Netflow summary chart: Summary of traffic for the given period. There are three elements: a table with global information, a pie chart with the most relevant IPs or ports and a table with the same information as the broken down pie chart.

Netflow9.png

2.6 Netflow live view

This view is used to check captured data history based on different search filters. You may use filters and different ways of information display. It is necessary to define the way to group the displayed information, as well as the way to obtain this information in order to start viewing data.

Netflow view1.png

The information can be grouped by source IP, target IP, source port or target port. If you choose, for example, to show the target IP information, the data will be sorted by the traffic towards each target IP. The same applies to finding out network consumption by protocol, by choosing the destination port.

The possible display options are the following:

  • Area graphs (stacked): show the evolution of the data over time (from the start date to the end date). The precision of the graph must be chosen in the "Resolution" field.

Netflow grafico area.png

  • Summary: It displays a summary table, a pie chart and a table with data for the entire period.

Netflow grafico sumario.png

  • Detailed: It shows a proportional area map representing IP traffic.

Netflow grafico detailed.png.png

  • Data table: It displays a data table with each IP and a number of rows that depends on the chosen resolution.

Netflow datatable.png

  • Circle graph: It displays an interactive pie chart representing connection pairs between IP and traffic volume.

Netflow bola.png

Filters can be viewed in real time from "Operation > Netflow Live View". This tool allows you to see the changes that are made to a filter and save it once the desired result is obtained. It is also possible to load and modify existing filters.

See Reports and Filters to learn how to configure live view options.

2.7 Network traffic maps

This is a new feature added in OUM 733 and will be improved in the future. It creates dynamic network maps, based on the traffic between nodes. It shows the relationship (connections) between different addresses, showing the top N connections (by size of data transferred between them).

Network Usage map.jpg

2.8 Distributed configuration

It is possible to locate the Pandora FMS node that collects Netflow data on a host separate from the console. In environments with a lot of Netflow data it is strongly recommended to place it on a server with fast disks and a fast CPU of at least two cores. For the Pandora FMS console to retrieve Netflow data from it, the default system configuration must be modified by following the steps described below:

  • Configure automatic SSH authentication between the user who owns the web daemon and the user with the ability to run nfdump on the collector node.

For its configuration, follow these steps:

Enable the apache user login. To do this, modify the apache user's line in the file /etc/passwd so that it reads:

apache:x:48:48:Apache:/var/www:/bin/bash

Create the .ssh directory inside the /var/www directory and give it the correct permissions:

# mkdir /var/www/.ssh
# chown apache:apache /var/www/.ssh

Create ssh keys from the apache user and copy them to the server where the Netflow traffic is hosted.

# su apache
bash-4.2$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/var/www/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /var/www/.ssh/id_rsa.
Your public key has been saved in /var/www/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:vYvl5V00E4faa14zN08ARzGUQ9IfAQJnMzkaqLAGRHI apache@<server>
The key's randomart image is:
+---[RSA 2048]----+
|+oE     ...*o=B+.|
|.o .   . .oo+o++ |
|  . o .   o o o+o|
|   o .   o   =  +|
|  .     S . . oo.|
|           .   +o|
|          o . o+=|
|         + + + +*|
|        . o . o .|
+----[SHA256]-----+
bash-4.2$ ssh-copy-id apache@<netflow_server>

Once shared, it must be verified that it is possible to access the server through the apache user without entering a password:

bash-4.2$ ssh apache@<netflow_server>

  • Create a script in Pandora FMS console that replaces /usr/bin/nfdump with one similar to the following:

#!/bin/bash
# Join all arguments into one string and wrap any parenthesised filter expression
# in double quotes, so that the remote shell passes it to nfdump as a single argument.
NFDUMP_PARAMS=$(sed 's/(\(.*\))/\"\(\1\)\"/' <<< "$@")

# Run the real nfdump on the collector node over the passwordless SSH login set up above.
ssh apache@<netflow_server> "/usr/bin/nfdump $NFDUMP_PARAMS"

Give the script execution permissions:

chmod 755 /usr/bin/nfdump

Try executing the script like this:

/usr/bin/nfdump -V

It should return something similar to:

nfdump: Version: 1.6.13
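As an added example, not the project's own script, the same wrapper written in Python, with shlex.quote applied to every argument so that the collector's login shell receives each nfdump parameter as exactly one word whether or not it is wrapped in parentheses. The apache@<netflow_server> login and the /usr/bin/nfdump path on the collector are the placeholders used on this page; the function build_remote_command is the example's own name.

```python
#!/usr/bin/env python3
# Added example (not Pandora FMS code): a drop-in /usr/bin/nfdump replacement for the
# console host that runs the real nfdump on the collector over SSH.
# Assumed: key-based login as apache@<netflow_server> (placeholder host from this page),
# set up as described above, and the real binary at /usr/bin/nfdump on the collector.
import os
import shlex
import sys

COLLECTOR = "apache@<netflow_server>"   # replace the placeholder with the collector host
REMOTE_NFDUMP = "/usr/bin/nfdump"


def build_remote_command(nfdump_args):
    """Return the ssh argv that runs nfdump on the collector with the given arguments.

    The remote login shell re-parses the command string it receives, so every
    argument is quoted with shlex.quote: a filter such as '(port 80) or (port 443)'
    reaches nfdump as one argument despite its spaces and parentheses, and an
    expression without parentheses is protected in exactly the same way.
    """
    remote = " ".join([REMOTE_NFDUMP] + [shlex.quote(arg) for arg in nfdump_args])
    # BatchMode=yes: never prompt for a password or passphrase; fail instead, so a
    # console request cannot hang waiting on an interactive prompt.
    return ["ssh", "-o", "BatchMode=yes", COLLECTOR, remote]


def main(argv):
    # Replace this process with ssh so nfdump's output and exit status come back unchanged.
    os.execvp("ssh", build_remote_command(argv))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Install it at /usr/bin/nfdump on the console host with execution permissions, exactly as the bash version above, and check it with /usr/bin/nfdump -V.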

