Agenda: exercise3-NfSen-PortTracker.txt

File exercise3-NfSen-PortTracker.txt, 7.1 KB (added by admin, 6 years ago)

Line
1	NetFlow - PortTracker Exercises
2
3	# Optional Tasks
4
5	## Installing the PortTracker plugin (Optional or as reference)
6
7	We need to get nfdump 1.6.5 or newer. The version of nfdump included
8	in Ubuntu 12.04 is 1.6.3p1, which will not work with the PortTracker
9	plugin.
10
11	First, connect to your virtual machine and become root:
12
13	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
14	ssh sysadm@pcN.ws.nsrc.org
15	$ sudo bash
16	#
17	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
18
19	Now we will download the latest version of nfdump, the backend tool for
20	processing netflow data (this is what NfSen uses as well). We will configure
21	and install the software from source:
22
23	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
24	# cd /usr/local/src
25	# wget http://noc.ws.nsrc.org/downloads/nfdump-1.6.6.tar.gz
26	# tar xvzf nfdump-1.6.6.tar.gz
27	# cd nfdump-1.6.6
28	# ./configure --prefix /usr --enable-nfprofile --enable-nftrack
29	# make
30	# make install
31	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
32
33	* Make a directory for the nftrack data
34
35	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
36	# mkdir -p /var/log/netflow/porttracker
37	# chown www-data /var/log/netflow/porttracker
38	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
39
40	* Set the nftrack data directory in the PortTracker.pm module:
41
42	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
43	# editor extra/PortTracker.pm
44
45	Find the line:
46
47	my $PORTSDBDIR = "/data/ports-db";
48
49	and change it to:
50
51	my $PORTSDBDIR = "/var/log/netflow/porttracker";
52	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
53
54	Save and exit from the file.
55
56	* Install the plugins into the NFSen distribution
57
58	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
59	# cp extra/PortTracker.pm /var/nfsen/plugins/
60	# cp /usr/local/src/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php \
61	/var/www/nfsen/plugins/
62	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
63
64	* Add the plugin definition to the nfsen.conf configuration
65
66	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
67	# cd /usr/local/src/nfsen-1.3.6p1
68	# cp /var/nfsen/etc/nfsen.conf etc/nfsen.conf
69	# editor etc/nfsen.conf
70	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
71
72	* Find the plugins section and make it look like this:
73
74	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
75	@plugins = (
76	[ 'live', 'PortTracker'],
77	);
78	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
79
80	Save and exit from the file.
81
82	* Re-run the NfSen installation. When prompted with
83
84	Perl to use: [/usr/bin/perl]
85
86	Press ENTER
87
88	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
89	# perl install.pl etc/nfsen.conf
90	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
91
92	If you see error messages like:
93
94	Subroutine Lookup::pack_sockaddr_in6 redefined at /usr/share/perl/5.14/Exporter.pm line 67.
95	at /var/nfsen/libexec/Lookup.pm line 43...
96
97	Don't worry. This is a bug in the NfSen startup procedure, but does not stop
98	the software from working.
99
100	* Initialize the PortTracker database files
101
102	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
103	# sudo -u www-data nftrack -I -d /var/log/netflow/porttracker
104	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
105
106	(This can take a LONG time! - 8 GB worth of files will be created)
107
108	* Set the permissions so the netflow user running nfsen, and the www-data
109	user running the Web interface, can access the porttracker data:
110
111	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
112	# chown -R netflow:www-data /var/log/netflow/porttracker
113	# chmod -R 775 /var/log/netflow/porttracker
114	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
115
116	* Reload:
117
118	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
119	# /var/nfsen/bin/nfsen reload
120	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
121
122	* Check for success:
123
124	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
125	# grep -i 'porttracker.*success' /var/log/syslog
126	Oct 12 13:19:35 pc1 nfsen[28005]: Loading plugin 'PortTracker': Success
127	Oct 12 13:19:35 pc1 nfsen[28005]: Initializing plugin 'PortTracker': Success
128	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
129
130	* Wait some minutes, and go the the nfsen GUI
131
132	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
133	http://pcX.ws.nsrc.org/nfsen/nfsen.php
134	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
135
136	... and select the Plugins tab.
137
138	You may get an error that "No plugins installed!" - Don't worry, you need to
139	wait a few minutes before NfSen will begin to show the PortTracker plugin
140	and its graphs.
141
142	At this point you are done. Congratulations!
143
144
145	## Troubleshooting
146
147	If you get an error "Cannot Read Stats file", check the /var/log/netflow/porttracker \
148	directory for 2 additional files: portstat24.txt and portstat.txt like this:
149
150	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
151	# ls -l /var/log/netflow/porttracker/portstat*
152	-rw-r--r-- 1 netflow www-data 677 2011-11-17 14:30 /var/log/netflow/\
153	porttracker/portstat24.txt
154	-rwxrwxr-x 1 netflow www-data 638 2011-11-17 14:30 /var/log/netflow/\
155	porttracker/portstat.txt
156	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
157
158	Make sure that nfsen can write in that directory.
159
160
161	## If you wanted to add more sources...
162
163	(Note, you should already have two sources and do not need to do this step!)
164
165	Go back to where you extracted your nfsen distribution.
166
167	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
168	# cd /usr/local/src/nfsen-1.3.6p1
169	# cp /var/nfsen/etc/nfsen.conf etc/nfsen.conf
170	# editor etc/nfsen.conf
171	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
172
173	Update your sources for new items that you might have.
174	(Sample only! Only do this if you have more sources!)
175
176	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
177	%sources = (
178	'rtr' => {'port' => '9000', 'col' => 'e4e4e4' },
179	'rtr2' => { 'port' => '9001', 'col' => '#0000ff' },
180	'rtr3' => { 'port' => '9002','col' => '#00cc00' },
181	'rtr4' => { 'port' => '9003','col' => '#000000' },
182	'rtr5' => { 'port' => '9004','col' => '#ff0000' },
183	'rtr6' => { 'port' => '9005','col' => '#ffff00' },
184	);
185	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
186
187	Save and exit from the nfsen.conf file.
188
189	Remember, you've updated nfsen.conf so you must re-run the install
190	script:
191
192	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
193	# perl install.pl etc/nfsen.conf
194	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
195
196	Now start and stop nfsen:
197
198	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
199	# service nfsen stop
200	# sudo service nfsen start
201	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
202
203	That's it!