
Compare Revisions


Rev 1158 → Rev 1159

/conf/nfsen/nfsen.conf
0,0 → 1,301
##############################
#
# NfSen master config file
#
# $Id: nfsen-dist.conf 22 2007-11-20 12:27:38Z phaag $
#
# Configuration of NfSen:
# Set all the values to fit your NfSen setup and run the 'install.pl'
# script from the nfsen distribution directory.
#
# The syntax must conform to Perl syntax.
#
##############################
#
# NfSen default layout:
# Any scripts, modules or profiles are installed by default under $BASEDIR.
# However, you may change any of these settings to fit your requested layout.
 
#
# Required for default layout
$BASEDIR = "/usr";
 
#
# Where to install the NfSen binaries
$BINDIR="${BASEDIR}/bin";
 
#
# Where to install the NfSen Perl modules
$LIBEXECDIR="${BASEDIR}/libexec";
 
#
# Where to install the config files
$CONFDIR="${BASEDIR}/etc";
 
#
# NfSen html pages directory:
# All php scripts will be installed here.
# URL: Entry point for nfsen: http://<webserver>/nfsen/nfsen.php
$HTMLDIR = "/var/www/nfsen";
 
#
# Where to install the docs
$DOCDIR="${HTMLDIR}/doc";
 
#
# Var space for NfSen
$VARDIR="/var/";
 
# directory for all pid files
$PIDDIR="$VARDIR/run";
#
# Filter directory
$FILTERDIR="$VARDIR/filters";
#
 
# FORMATDIR for custom printing formats
$FORMATDIR="$VARDIR/fmt";
#
 
#
# The Profiles stat directory, where all profile information
# RRD DBs and png pictures of the profile are stored
$PROFILESTATDIR="$VARDIR/log/nfsen/profiles-stat";
 
#
# The Profiles directory, where all netflow data is stored
$PROFILEDATADIR="$VARDIR/log/nfsen/profiles-data";
 
#
# Where go all the backend plugins
$BACKEND_PLUGINDIR="${BASEDIR}/share/nfsen/plugins";
 
#
# Where go all the frontend plugins
$FRONTEND_PLUGINDIR="${HTMLDIR}/plugins";
 
#
# nfdump tools path
$PREFIX = '/usr/bin';
 
#
# nfsend communication socket
# $COMMSOCKET = "$PIDDIR/nfsen.comm";
 
# BASEDIR unrelated vars:
#
# Run nfcapd as this user
# This may be a different or the same uid than your web server.
# Note: This user must be in group $WWWGROUP, otherwise nfcapd
# is not able to write data files!
$USER = "apache";
 
# user and group of the web server process
# All netflow processing will be done with this user
$WWWUSER = "apache";
$WWWGROUP = "apache";
 
# Receive buffer size for nfcapd - see man page nfcapd(1)
$BUFFLEN = 200000;
 
# list of extensions for each collector. See argument -T
# for nfcapd(1) for more detailes.
# defaults to empty -> compatible to nfdump-1.5.8
# $EXTENSIONS = '';
# Example:
# $EXTENSIONS = 'all';
# $EXTENSIONS = '+3,+4';
#
# Directory sub hierarchy layout:
# Possible layouts:
#
# 0 default no hierachy levels - flat layout - compatible with pre NfSen versions
# 1 %Y/%m/%d year/month/day
# 2 %Y/%m/%d/%H year/month/day/hour
# 3 %Y/%W/%u year/week_of_year/day_of_week
# 4 %Y/%W/%u/%H year/week_of_year/day_of_week/hour
# 5 %Y/%j year/day-of-year
# 6 %Y/%j/%H year/day-of-year/hour
# 7 %Y-%m-%d year-month-day
# 8 %Y-%m-%d/%H year-month-day/hour
$SUBDIRLAYOUT = 7;
 
# Compress flows while collecting 0 or 1
$ZIPcollected = 1;
 
# Compress flows in profiles 0 or 1
$ZIPprofiles = 1;
 
# Interrupt expire -- not yet enabled as not yet fully tested
#$InterruptExpire = 0;
 
# number of nfprofile processes to spawn during the profiling phase
# depends on how busy your system is and how many CPUs you have
# on very busy systems increase it to a higher value
$PROFILERS = 2;
 
# if the PROFILEDATADIR is filled up to this percentage, a warning message will be printed.
# set to 0 to disable the test
$DISKLIMIT = 98;
 
# number of nfprofile processes to spawn during the profiling phase
$PROFILERS = 6;
 
# Netflow sources
# Define an ident string, port and colour per netflow source
#
# Required parameters:
# ident identifies this netflow source. e.g. the router name,
# Upstream provider name etc.
# port nfcapd listens on this port for netflow data for this source
# set port to '0' if you do not want a collector to be started
# col colour in nfsen graphs for this source
#
# Optional parameters
# type Collector type needed for this source. Can be 'netflow' or 'sflow'. Default is netflow
# optarg Optional args to the collector at startup
#
# Syntax:
# 'ident' => { 'port' => '<portnum>', 'col' => '<colour>', 'type' => '<type>' }
# Ident strings must be 1 to 19 characters long only, containing characters [a-zA-Z0-9_].
 
%sources = (
'ipt_netflow' => { 'port' => '2055', 'col' => '#0000ff', 'type' => 'netflow' },
);
 
#
# Low water mark: When expiring files, delete files until
# size = $low_water % of max_size
# typically 90
$low_water = 90;
 
#
# syslog facility for periodic jobs
# nfsen uses level 'debug', 'info', 'warning' and 'err'
# Note: nfsen is very chatty for level 'debug' and 'info'
# For normal operation, you may set the logging level in syslog.conf
# to warning or error unless you want to debug NfSen
$syslog_facility = 'local3';
 
#
# SYSLOG mess
# Log socket type: Most *NIX such as LINUX and *BSD are fine with 'unix'
# which is the default. You need to change that to 'stream' or 'inet' for
# some Solaris version 8/9, AIX and others ..
# You may set it to undef to prevent calling Sys::Syslog::setlogsock at all
# ( works for Solaris 10 and newer Sys::Syslog module
#
# If not defined at all, 'unix' is assumed unless for Solaris, which defaults to 'stream'
# $LogSocket = 'unix';
 
#
# Plugins
# Plugins extend NfSen for the purpose of:
# Periodic data processing, alerting-condition and alerting-action
# For data processing a plugin may run for any profile or for a specific profile only.
# Syntax: [ 'profile list', 'module' ]
# profile list: ',' separated list of profiles ( 'profilegroup/profilename' ),
# or '*' for any profile, '!' for no profile
# module: Perl Module name, equal to plugin name
# The profile list '!' make sense for plugins, which only provide alerting functions
#
# The module follows the standard Perl module conventions, with at least one
# function: Init(). See demoplugin.pm for a simple template.
#
# A file with the same name in the FRONTEND_PLUGINDIR and .php extension is automatically
# recongized as frontend plugin.
#
# Plugins are installed under
# $BACKEND_PLUGINDIR and $FRONTEND_PLUGINDIR
 
@plugins = (
# profile # module
[ 'live','PortTracker' ],
);
 
%PluginConf = (
# For plugin demoplugin
demoplugin => {
# scalar
param2 => 42,
# hash
param1 => { 'key' => 'value' },
},
# for plugin otherplugin
otherplugin => [
# array
'mary had a little lamb'
],
);
 
#
# Alert module: email alerting:
# Use this from address
$MAIL_FROM = 'your@from.example.net';
 
# Use this SMTP server
$SMTP_SERVER = 'localhost';
 
# Use this email body:
# You may have multiple lines of text.
# Var substitution:
# @alert@ replaced by alert name
# @timeslot@ replaced by timeslot alert triggered
$MAIL_BODY = q{
Alert '@alert@' triggered at timeslot @timeslot@
};
 
######################################################
#
# For the NfSen simulator include the section below.
#
######################################################
#
# Nfsen Simulator
# The simulator requires, that you have already installed
# and configured NfSen. The simulation is based on already
# pre-colleted data, which you may get from another live
# NfSen system.
#
# Steps to setup the NfSen simulator:
# 1. Configure the sources of the live profile with the
# same names of the NfSen system, you take netflow data
# for the simulation. Set the port for each netflow source
# to 0 to prevent a collector to be started.
# Install NfSen with this config in a seperate directory
# 2. Copy the pre-collected data into the appropriate
# netflow directory of the live profile.
# 3. Configure the simulator using the parameters below
# Enable Simulation mode => $SIMmode = 1
# Configure the time window of the pre-collected data.
# tstart => Start of time window. yyyymmddhhmm
# tbegin => Optional parameter. Start of simulation
# profile exists already between tstart - tbegin
# tend => End of time window. yyyymmddhhmm
# cycletime => simulation time in seconds of a 5min slot
# Setting cycletime = 0 processes the cycles as fast as
# possible. Please note, if you test plugings, your
# cycletime needs to be at least the time required to
# process all plugins.
# 4. Start nfsen: ../nfsen start
# Simulation starts
#
# The simulator runs from tstart to tend and stops when tend
# is reached. You may stop the simulation at any given time
# using ./nfsen stop. To continue the simulation start NfSen
# again: ./nfsen start. You may reset the simulator at any
# given time using ./nfsen abort-reset. This stops the sumulation
# and rolls back to tstart. All profiles/alerts are deleted,
# so you may start from scratch again.
#
# Configure simulator parameters
#
# $SIMmode = 1;
# %sim = (
# 'tstart' => '200707100000', # Simulation data available from July 10th 2007 00:00
# 'tbegin' => '200707110000', # Simulation begins at July 11th 2007 00:00
# 'tend' => '200707112355', # Simulation ends at July 11th 2007 23:55
# 'cycletime' => '30', # 30s per 5min slot
# );
 
1;
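Review bot: The single collector in `%sources` is defined without an `optarg`, so nfcapd listens on UDP 2055 on every local address by default and any host that can reach the portal can inject or flood NetFlow records into the 'live' profile and into the PortTracker statistics built from it. If ipt_netflow exports to the local host, as the source name suggests, pin the listener to loopback with nfcapd's bind option — `'ipt_netflow' => { 'port' => '2055', 'col' => '#0000ff', 'type' => 'netflow', 'optarg' => '-b 127.0.0.1' },` — or to the exporter's address, with a matching firewall rule in either case. Relatedly, `$USER = "apache"` runs the process that parses this untrusted datagram stream under the web server's uid; the comment just above it already permits a dedicated account that is merely a member of group `apache`, which would keep a collector bug from handing an attacker the web tree. Also, `$PROFILERS` is assigned 2 and then 6 a few lines later; the first assignment is dead and should be removed so the effective value is obvious.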
/conf/nfsen/nfsen-1.3.6p1.tar.gz
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Property changes:
Added: svn:mime-type
+application/octet-stream
\ No newline at end of property
/conf/nfsen/nfsen-init
0,0 → 1,42
#!/bin/sh
#
# chkconfig: 345 90 10
# description : Init script launching the nfsen service at the startup.
 
### BEGIN INIT INFO
# Provides: nfsen
# Should-Start: ntp
# Should-Stop:
# Default-Start: 3 4 5
# Description: Init script launching the nfsen service at the startup.
### END INIT INFO
 
. /etc/init.d/functions
 
# Include nfcapd defaults if available
if [ -f /etc/sysconfig/nfsen ] ; then
. /etc/sysconfig/nfsen
fi
 
case "$1" in
start)
/usr/bin/nfsen start
;;
stop)
/usr/bin/nfsen stop
;;
 
restart)
/usr/bin/nfsen restart
;;
status)
/usr/bin/nfsen status
exit 4
;;
*)
gprintf "Usage: %s {start|stop|status|restart}\n" "$N"
;;
esac
 
exit 0
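Review bot: The script ends with an unconditional `exit 0`, so a failed `nfsen start` (collector not running, PID directory unwritable) is reported to chkconfig and to monitoring as success and flow collection can silently stop — for a security-monitoring component that is the failure you most want surfaced. The `status` branch has the opposite problem: `exit 4` is hard-coded, which is the LSB code for "status unknown" regardless of what `/usr/bin/nfsen status` found. The usage line also prints `"$N"`, which nothing in the script sets, so the message shows an empty program name where `"$0"` is intended. Propagate nfsen's exit status instead (assuming `/usr/bin/nfsen` returns non-zero on failure, which is worth confirming) and return 2 for a bad argument:
```shell
case "$1" in
    start|stop|restart)
        /usr/bin/nfsen "$1"
        RETVAL=$?
        ;;
    status)
        /usr/bin/nfsen status
        RETVAL=$?
        ;;
    *)
        gprintf "Usage: %s {start|stop|status|restart}\n" "$0"
        RETVAL=2
        ;;
esac
exit $RETVAL
```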
/conf/nfsen/PortTracker.pm
0,0 → 1,322
#!/usr/bin/perl
#
# Copyright (c) 2004, SWITCH - Teleinformatikdienste fuer Lehre und Forschung
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
# * Neither the name of SWITCH nor the names of its contributors may be
# used to endorse or promote products derived from this software without
# specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
# $Author: peter $
#
# $Id: PortTracker.pm 27 2011-12-29 12:53:29Z peter $
#
# $LastChangedRevision: 27 $
 
# Demo plugin for NfSen
#
# This plugin demonstrates the use of plugins
 
package PortTracker;
 
use strict;
use NfSen;
use NfConf;
 
#
# The plugin may send any messages to syslog
# Do not initialize syslog, as this is done by
# the main process nfsen-run
use Sys::Syslog;
our $VERSION = 130;
 
our %cmd_lookup = (
'get-portgraph' => \&GetPortGraph,
'get-topN' => \&GetTopN,
);
 
my ( $nftrack, $PROFILEDATADIR );
 
my $PORTSDBDIR = "/var/log/netflow/porttracker";
 
my $EODATA = ".\n";
 
# colours used in graphs
# if more than 12 graphs are drawn ( does this really make sense ? )
# the same colours are used again
my @colour = (
'#ff0000', '#ff8000', '#ffff00', '#80ff00', '#00ff00',
'#00ff80', '#00ffff', '#0080ff', '#0000ff', '#8000ff',
'#ff00ff', '#ff0080'
);
 
 
sub GetTopN {
my $socket = shift;
my $opts = shift;
 
my $interval;
if ( !exists $$opts{'interval'} ) {
$interval = 1;
} else {
$interval = $$opts{'interval'};
}
print $socket ".Get topN ports\n";
 
my $statfile = $interval == 24 ? 'portstat24.txt' : 'portstat.txt';
print $socket ".topN ports $PORTSDBDIR/$statfile\n";
if ( !open STAT, "$PORTSDBDIR/$statfile" ) {
print $socket $EODATA;
print $socket "ERR Open statfile '$PORTSDBDIR/$statfile': $!\n";
return;
}
 
print $socket ".topN read ports\n";
while ( <STAT> ) {
chomp;
print $socket "_topN=$_\n";
}
print $socket $EODATA;
print $socket "OK Command completed\n",
} # End of GetPortGraph
 
sub GetPortGraph {
my $socket = shift;
my $opts = shift;
 
# get all arguments:
# Example:
# proto typw logscale light tstart tend topN track_list
# tcp flows 0 0 1116495000 1116581400 '22 445 135 1433' '80 143'
if ( !exists $$opts{'arg'} ) {
print $socket $EODATA;
print $socket "ERR Missing Arguments.\n";
}
my $ARGS = $$opts{'arg'};
my $proto = shift @$ARGS; # 'tcp' or 'udp'
my $type = shift @$ARGS; # 'flows', 'packets' or 'bytes'
my $logscale = shift @$ARGS; # 0 or 1
my $stacked = shift @$ARGS; # 0 or 1
my $light = shift @$ARGS; # 0 or 1
my $tstart = shift @$ARGS; # start time - UNIX format
my $tend = shift @$ARGS; # end time - UNIX format
my $topN = shift @$ARGS; # TopN port list: string: ' ' separated port list
my $track_list = shift @$ARGS; # Static track port list: string: ' ' separated port list
my $skip_list = shift @$ARGS; # Static skip port list: string: ' ' separated port list
 
if ( !defined $proto || !defined $type || !defined $logscale || !defined $stacked ||
!defined $light || !defined $tstart || !defined $tend || !defined $topN ||
!defined $track_list || !defined $skip_list ) {
print $socket $EODATA;
print $socket "ERR Argument Error.\n";
return;
}
my @skipPorts = split '-', $skip_list;
 
my @topN = split '-', $topN;
my @track_list = split '-', $track_list;
 
# remove the common ports in both lists from the dynamic topN list
my %_tmp;
@_tmp{@track_list} = @track_list;
delete @_tmp{@topN};
@track_list = sort keys %_tmp;
 
# %_tmp = ();
# @_tmp{@topN} = @topN;
# delete @_tmp{@skipPorts};
# @topN = keys %_tmp;
 
%_tmp = ();
my @_tmp;
@_tmp{@skipPorts} = @skipPorts;
foreach my $port ( @topN ) {
push @_tmp, $port unless exists $_tmp{$port};
}
@topN = @_tmp;
 
my $datestr = scalar localtime($tstart) . " - " . scalar localtime($tend);
my $title = uc($proto) . " " . ucfirst($type);
 
my @DEFS = ();
 
# Compile rrd args
my @rrdargs = ();
push @rrdargs, "-"; # output graphics to stdout
foreach my $port ( @topN, @track_list ) {
# assemble filename
my $fileident = $port >> 10;
my $rrdfile = "$PORTSDBDIR/${proto}-${type}-$fileident.rrd";
# which ident in this rrd file
my $ident = $port & 1023; # 0x0000001111111111 mask
push @rrdargs, "DEF:Port${port}=$rrdfile:p${ident}:AVERAGE";
}
 
push @rrdargs, "--start", "$tstart";
push @rrdargs, "--end", "$tend";
push @rrdargs, "--title", "$datestr - $title" unless $light;
push @rrdargs, "--vertical-label", "$title" unless $light;
# lin or log graph?
push @rrdargs, "--logarithmic" if $logscale;
 
if ( $light ) {
push @rrdargs, "-w";
push @rrdargs, "288";
push @rrdargs, "-h";
push @rrdargs, "150";
push @rrdargs, "--no-legend"; # no legend in small pictures
} else {
push @rrdargs, "-w";
push @rrdargs, "576";
push @rrdargs, "-h";
push @rrdargs, "300";
}
 
 
my $i=0;
my $area_set = 0;
my $n = scalar @topN;
push @rrdargs, "COMMENT:Top $n Ports\\n";
if ( $stacked && scalar @topN ) {
my $port = shift @topN;
push @rrdargs, "AREA:Port${port}$colour[$i]:Port ${port}";
$i++;
$area_set = 1;
foreach my $port ( @topN ) {
push @rrdargs, "STACK:Port${port}$colour[$i]:Port ${port}";
$i++;
}
 
} else {
foreach my $port ( @topN ) {
push @rrdargs, "LINE1:Port${port}$colour[$i]:Port ${port}";
$i++;
}
}
if ( scalar @track_list) {
push @rrdargs, "COMMENT:\\n";
push @rrdargs, "COMMENT:\\n";
push @rrdargs, "COMMENT:Tracked Ports\\n";
}
if ( $stacked && scalar @track_list) {
if ( !$area_set ) {
my $port = shift @track_list;
push @rrdargs, "AREA:Port${port}$colour[$i]:Port ${port}";
$i++;
}
foreach my $port ( @track_list ) {
push @rrdargs, "STACK:Port${port}$colour[$i]:Port ${port}";
$i++;
}
} else {
foreach my $port ( @track_list ) {
push @rrdargs, "LINE2:Port${port}$colour[$i]:Port ${port}";
$i++;
}
}
if ( scalar @skipPorts) {
push @rrdargs, "COMMENT:\\n";
push @rrdargs, "COMMENT:\\n";
my $portlist = join ',', @skipPorts;
push @rrdargs, "COMMENT:Skipped Ports $portlist\\n";
}
my ($averages,$xsize,$ysize) = RRDs::graph( @rrdargs );
if (my $ERROR = RRDs::error) {
print "ERROR: $ERROR\n";
}
 
} # End of GenPortGraph
 
 
sub nftrack_execute {
my $command = shift;
 
syslog('debug', $command);
 
my $ret = system($command);
if ( $ret == - 1 ) {
syslog('err', "Failed to execute nftrack: $!\n");
} elsif ($ret & 127) {
syslog('err', "nftrack died with signal %d, %s coredump\n", ($ret & 127), ($ret & 128) ? 'with' : 'without');
} else {
syslog('debug', "nftrack exited with value %d\n", $ret >> 8);
}
 
} # End of nftrack_execute
 
#
# Periodic function
# input: hash reference including the items:
# 'profile' profile name
# 'profilegroup' profile group
# 'timeslot' time of slot to process: Format yyyymmddHHMM e.g. 200503031200
sub run {
my $argref = shift;
 
my $profile = $$argref{'profile'};
my $profilegroup = $$argref{'profilegroup'};
my $timeslot = $$argref{'timeslot'};
 
syslog('debug', "PortTracker run: Profile: $profile, Time: $timeslot");
 
my %profileinfo = NfProfile::ReadProfile($profile);
my $netflow_sources = "$PROFILEDATADIR/$profile/$profileinfo{'sourcelist'}";
 
#
# process all sources of this profile at once
my $command = "$nftrack -L $NfConf::syslog_facility -M $netflow_sources -r nfcapd.$timeslot -d $PORTSDBDIR -A -t $timeslot -s -p -w $PORTSDBDIR/portstat.txt";
nftrack_execute($command);
 
$command = "$nftrack -d $PORTSDBDIR -S -p -w $PORTSDBDIR/portstat24.txt";
nftrack_execute($command);
 
#
# Process the output and notify the duty team
 
syslog('debug', "PortTracker run: Done.");
 
} # End of run
 
sub Init {
syslog("info", "PortTracker: Init");
 
# Init some vars
$nftrack = "$NfConf::PREFIX/nftrack";
$PROFILEDATADIR = "$NfConf::PROFILEDATADIR";
 
return 1;
}
 
sub Cleanup {
syslog("info", "PortTracker Cleanup");
# not used here
}
 
1;
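Review bot: In `GetPortGraph` the caller-supplied `$proto` and `$type` are interpolated straight into the RRD filename (`"$PORTSDBDIR/${proto}-${type}-$fileident.rrd"`) and every port from the `-`-separated lists becomes an rrdtool vname (`"DEF:Port${port}=..."`) with nothing beyond a `defined` check, so a caller can point rrdtool at any `.rrd` under another directory via `..` segments or break the DEF syntax with `:`; these arguments appear to arrive from the PHP frontend through nfsend's command socket, as `%cmd_lookup` suggests, so they should be treated as untrusted. The same sub also prints `ERR Missing Arguments.` without a `return`, so it carries on and dereferences an undefined `$ARGS`. Whitelist the values right after the existing `defined` check and return on any mismatch, for example:
```perl
    # … unchanged: argument unpacking and the 'defined' check …
    # These values name RRD files and rrdtool vnames; whitelist them before
    # they reach the filesystem or RRDs::graph.
    if ( $proto !~ /^(?:tcp|udp)$/ || $type !~ /^(?:flows|packets|bytes)$/ ) {
        print $socket $EODATA;
        print $socket "ERR Argument Error.\n";
        return;
    }
    if ( grep { !/^\d+$/ } $tstart, $tend, $logscale, $stacked, $light ) {
        print $socket $EODATA;
        print $socket "ERR Argument Error.\n";
        return;
    }
    for my $list ( $topN, $track_list, $skip_list ) {
        if ( grep { !/^\d+$/ || $_ > 65535 } split '-', $list ) {
            print $socket $EODATA;
            print $socket "ERR Argument Error.\n";
            return;
        }
    }
    my @skipPorts = split '-', $skip_list;
    # … unchanged: list de-duplication and rrd argument assembly …
```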