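--- a/conf/nfsen/nfsen.conf
+++ b/conf/nfsen/nfsen.conf
@@ -0,0 +1,301 @@
+##############################
+#
+# NfSen master config file
+#
+# $Id: nfsen-dist.conf 22 2007-11-20 12:27:38Z phaag $
+#
+# Configuration of NfSen:
+# Set all the values to fit your NfSen setup and run the 'install.pl'
+# script from the nfsen distribution directory.
+#
+# The syntax must conform to Perl syntax.
+#
+##############################
+#
+# NfSen default layout:
+# Any scripts, modules or profiles are installed by default under $BASEDIR.
+# However, you may change any of these settings to fit your requested layout.
+#
+# Required for default layout
+$BASEDIR = "/usr";
+#
+# Where to install the NfSen binaries
+$BINDIR="${BASEDIR}/bin";
+#
+# Where to install the NfSen Perl modules
+$LIBEXECDIR="${BASEDIR}/libexec";
+#
+# Where to install the config files
+$CONFDIR="${BASEDIR}/etc";
+#
+# NfSen html pages directory:
+# All php scripts will be installed here.
+# URL: Entry point for nfsen: http://<webserver>/nfsen/nfsen.php
+$HTMLDIR = "/var/www/nfsen";
+#
+# Where to install the docs
+$DOCDIR="${HTMLDIR}/doc";
+#
+# Var space for NfSen
+$VARDIR="/var/";
+# directory for all pid files
+$PIDDIR="$VARDIR/run";
+#
+# Filter directory
+$FILTERDIR="$VARDIR/filters";
+#
+# FORMATDIR for custom printing formats
+$FORMATDIR="$VARDIR/fmt";
+#
+#
+# The Profiles stat directory, where all profile information
+# RRD DBs and png pictures of the profile are stored
+$PROFILESTATDIR="$VARDIR/log/nfsen/profiles-stat";
+#
+# The Profiles directory, where all netflow data is stored
+$PROFILEDATADIR="$VARDIR/log/nfsen/profiles-data";
+#
+# Where go all the backend plugins
+$BACKEND_PLUGINDIR="${BASEDIR}/share/nfsen/plugins";
+#
+# Where go all the frontend plugins
+$FRONTEND_PLUGINDIR="${HTMLDIR}/plugins";
+#
+# nfdump tools path
+$PREFIX = '/usr/bin';
+#
+# nfsend communication socket
+# $COMMSOCKET = "$PIDDIR/nfsen.comm";
+# BASEDIR unrelated vars:
+#
+# Run nfcapd as this user
+# This may be a different or the same uid than your web server.
+# Note: This user must be in group $WWWGROUP, otherwise nfcapd
+# is not able to write data files!
+$USER = "apache";
+# user and group of the web server process
+# All netflow processing will be done with this user
+$WWWUSER = "apache";
+$WWWGROUP = "apache";
+# Receive buffer size for nfcapd - see man page nfcapd(1)
+$BUFFLEN = 200000;
+# list of extensions for each collector. See argument -T
+# for nfcapd(1) for more detailes.
+# defaults to empty -> compatible to nfdump-1.5.8
+# $EXTENSIONS = '';
+# Example:
+# $EXTENSIONS = 'all';
+# $EXTENSIONS = '+3,+4';
+#
+# Directory sub hierarchy layout:
+# Possible layouts:
+#
+# 0 default no hierachy levels - flat layout - compatible with pre NfSen versions
+# 1 %Y/%m/%d year/month/day
+# 2 %Y/%m/%d/%H year/month/day/hour
+# 3 %Y/%W/%u year/week_of_year/day_of_week
+# 4 %Y/%W/%u/%H year/week_of_year/day_of_week/hour
+# 5 %Y/%j year/day-of-year
+# 6 %Y/%j/%H year/day-of-year/hour
+# 7 %Y-%m-%d year-month-day
+# 8 %Y-%m-%d/%H year-month-day/hour
+$SUBDIRLAYOUT = 7;
+# Compress flows while collecting 0 or 1
+$ZIPcollected = 1;
+# Compress flows in profiles 0 or 1
+$ZIPprofiles = 1;
+# Interrupt expire -- not yet enabled as not yet fully tested
+#$InterruptExpire = 0;
+# number of nfprofile processes to spawn during the profiling phase
+# depends on how busy your system is and how many CPUs you have
+# on very busy systems increase it to a higher value
+$PROFILERS = 2;
+# if the PROFILEDATADIR is filled up to this percentage, a warning message will be printed.
+# set to 0 to disable the test
+$DISKLIMIT = 98;
+# number of nfprofile processes to spawn during the profiling phase
+$PROFILERS = 6;
+# Netflow sources
+# Define an ident string, port and colour per netflow source
+#
+# Required parameters:
+# ident identifies this netflow source. e.g. the router name,
+# Upstream provider name etc.
+# port nfcapd listens on this port for netflow data for this source
+# set port to '0' if you do not want a collector to be started
+# col colour in nfsen graphs for this source
+#
+# Optional parameters
+# type Collector type needed for this source. Can be 'netflow' or 'sflow'. Default is netflow
+# optarg Optional args to the collector at startup
+#
+# Syntax:
+# 'ident' => { 'port' => '<portnum>', 'col' => '<colour>', 'type' => '<type>' }
+# Ident strings must be 1 to 19 characters long only, containing characters [a-zA-Z0-9_].
+%sources = (
+'ipt_netflow' => { 'port' => '2055', 'col' => '#0000ff', 'type' => 'netflow' },
+);
+#
+# Low water mark: When expiring files, delete files until
+# size = $low_water % of max_size
+# typically 90
+$low_water = 90;
+#
+# syslog facility for periodic jobs
+# nfsen uses level 'debug', 'info', 'warning' and 'err'
+# Note: nfsen is very chatty for level 'debug' and 'info'
+# For normal operation, you may set the logging level in syslog.conf
+# to warning or error unless you want to debug NfSen
+$syslog_facility = 'local3';
+#
+# SYSLOG mess
+# Log socket type: Most *NIX such as LINUX and *BSD are fine with 'unix'
+# which is the default. You need to change that to 'stream' or 'inet' for
+# some Solaris version 8/9, AIX and others ..
+# You may set it to undef to prevent calling Sys::Syslog::setlogsock at all
+# ( works for Solaris 10 and newer Sys::Syslog module
+#
+# If not defined at all, 'unix' is assumed unless for Solaris, which defaults to 'stream'
+# $LogSocket = 'unix';
+#
+# Plugins
+# Plugins extend NfSen for the purpose of:
+# Periodic data processing, alerting-condition and alerting-action
+# For data processing a plugin may run for any profile or for a specific profile only.
+# Syntax: [ 'profile list', 'module' ]
+# profile list: ',' separated list of profiles ( 'profilegroup/profilename' ),
+# or '*' for any profile, '!' for no profile
+# module: Perl Module name, equal to plugin name
+# The profile list '!' make sense for plugins, which only provide alerting functions
+#
+# The module follows the standard Perl module conventions, with at least one
+# function: Init(). See demoplugin.pm for a simple template.
+#
+# A file with the same name in the FRONTEND_PLUGINDIR and .php extension is automatically
+# recongized as frontend plugin.
+#
+# Plugins are installed under
+# $BACKEND_PLUGINDIR and $FRONTEND_PLUGINDIR
+@plugins = (
+# profile # module
+[ 'live','PortTracker' ],
+);
+%PluginConf = (
+# For plugin demoplugin
+demoplugin => {
+# scalar
+param2 => 42,
+# hash
+param1 => { 'key' => 'value' },
+},
+# for plugin otherplugin
+otherplugin => [
+# array
+'mary had a little lamb'
+],
+);
+#
+# Alert module: email alerting:
+# Use this from address
+$MAIL_FROM = 'your@from.example.net';
+# Use this SMTP server
+$SMTP_SERVER = 'localhost';
+# Use this email body:
+# You may have multiple lines of text.
+# Var substitution:
+# @alert@ replaced by alert name
+# @timeslot@ replaced by timeslot alert triggered
+$MAIL_BODY = q{
+Alert '@alert@' triggered at timeslot @timeslot@
+};
+######################################################
+#
+# For the NfSen simulator include the section below.
+#
+######################################################
+#
+# Nfsen Simulator
+# The simulator requires, that you have already installed
+# and configured NfSen. The simulation is based on already
+# pre-colleted data, which you may get from another live
+# NfSen system.
+#
+# Steps to setup the NfSen simulator:
+# 1. Configure the sources of the live profile with the
+# same names of the NfSen system, you take netflow data
+# for the simulation. Set the port for each netflow source
+# to 0 to prevent a collector to be started.
+# Install NfSen with this config in a seperate directory
+# 2. Copy the pre-collected data into the appropriate
+# netflow directory of the live profile.
+# 3. Configure the simulator using the parameters below
+# Enable Simulation mode => $SIMmode = 1
+# Configure the time window of the pre-collected data.
+# tstart => Start of time window. yyyymmddhhmm
+# tbegin => Optional parameter. Start of simulation
+# profile exists already between tstart - tbegin
+# tend => End of time window. yyyymmddhhmm
+# cycletime => simulation time in seconds of a 5min slot
+# Setting cycletime = 0 processes the cycles as fast as
+# possible. Please note, if you test plugings, your
+# cycletime needs to be at least the time required to
+# process all plugins.
+# 4. Start nfsen: ../nfsen start
+# Simulation starts
+#
+# The simulator runs from tstart to tend and stops when tend
+# is reached. You may stop the simulation at any given time
+# using ./nfsen stop. To continue the simulation start NfSen
+# again: ./nfsen start. You may reset the simulator at any
+# given time using ./nfsen abort-reset. This stops the sumulation
+# and rolls back to tstart. All profiles/alerts are deleted,
+# so you may start from scratch again.
+#
+# Configure simulator parameters
+#
+# $SIMmode = 1;
+# %sim = (
+# 'tstart' => '200707100000', # Simulation data available from July 10th 2007 00:00
+# 'tbegin' => '200707110000', # Simulation begins at July 11th 2007 00:00
+# 'tend' => '200707112355', # Simulation ends at July 11th 2007 23:55
+# 'cycletime' => '30', # 30s per 5min slot
+# );
+1;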
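Review bot: `$PROFILERS` is assigned twice in this file — `$PROFILERS = 2;` under the "depends on how busy your system is" comment and `$PROFILERS = 6;` a few lines later, right after `$DISKLIMIT` — so the first value is silently overridden; keep a single assignment with the intended value. `$VARDIR="/var/";` carries a trailing slash, so every derived path (`$PIDDIR`, `$FILTERDIR`, `$FORMATDIR`, `$PROFILESTATDIR`, `$PROFILEDATADIR`) contains `//`; `$VARDIR="/var";` matches how `$BASEDIR` is written. `$USER`, `$WWWUSER` and `$WWWGROUP` are all `apache`, which means the collector and the PHP frontend share one uid and the frontend can write the flow archive and the pid files; the comment above `$USER` already says a separate collector user in group `$WWWGROUP` is supported, and that is the least-privilege setting. `$MAIL_FROM` is still the distribution placeholder `your@from.example.net`, which any alert mail will carry as its sender.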
/conf/nfsen/nfsen-1.3.6p1.tar.gz |
---|
Cannot display: file marked as a binary type. |
svn:mime-type = application/octet-stream |
Property changes: |
Added: svn:mime-type |
+application/octet-stream |
\ No newline at end of property |
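--- a/conf/nfsen/nfsen-init
+++ b/conf/nfsen/nfsen-init
@@ -0,0 +1,42 @@
+#!/bin/sh
+#
+# chkconfig: 345 90 10
+# description : Init script launching the nfsen service at the startup.
+### BEGIN INIT INFO
+# Provides: nfsen
+# Should-Start: ntp
+# Should-Stop:
+# Default-Start: 3 4 5
+# Description: Init script launching the nfsen service at the startup.
+### END INIT INFO
+. /etc/init.d/functions
+# Include nfcapd defaults if available
+if [ -f /etc/sysconfig/nfsen ] ; then
+. /etc/sysconfig/nfsen
+fi
+case "$1" in
+start)
+/usr/bin/nfsen start
+;;
+stop)
+/usr/bin/nfsen stop
+;;
+restart)
+/usr/bin/nfsen restart
+;;
+status)
+/usr/bin/nfsen status
+exit 4
+;;
+*)
+gprintf "Usage: %s {start|stop|status|restart}\n" "$N"
+;;
+esac
+exit 0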
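Review bot: The `status)` branch runs `/usr/bin/nfsen status` and then exits 4 unconditionally, so the script always reports "status unknown" to chkconfig, monitoring, or a `service nfsen status` caller even when the service is running; propagate the real result instead: `/usr/bin/nfsen status` followed by `exit $?`. The usage line prints `"$N"`, which nothing on the page sets, so the message shows an empty program name — `"$0"` is what was presumably meant. The unknown-argument branch also falls through to `exit 0`; an `exit 2` before `;;` is the conventional signal for an invalid argument. `/etc/init.d/functions` is sourced but none of its helpers are visibly used here, so whether `gprintf` comes from it or from elsewhere cannot be confirmed from this page.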
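--- a/conf/nfsen/PortTracker.pm
+++ b/conf/nfsen/PortTracker.pm
@@ -0,0 +1,322 @@
+#!/usr/bin/perl
+#
+# Copyright (c) 2004, SWITCH - Teleinformatikdienste fuer Lehre und Forschung
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation
+# and/or other materials provided with the distribution.
+# * Neither the name of SWITCH nor the names of its contributors may be
+# used to endorse or promote products derived from this software without
+# specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+# $Author: peter $
+#
+# $Id: PortTracker.pm 27 2011-12-29 12:53:29Z peter $
+#
+# $LastChangedRevision: 27 $
+# Demo plugin for NfSen
+#
+# This plugin demonstrates the use of plugins
+package PortTracker;
+use strict;
+use NfSen;
+use NfConf;
+#
+# The plugin may send any messages to syslog
+# Do not initialize syslog, as this is done by
+# the main process nfsen-run
+use Sys::Syslog;
+our $VERSION = 130;
+our %cmd_lookup = (
+'get-portgraph' => \&GetPortGraph,
+'get-topN' => \&GetTopN,
+);
+my ( $nftrack, $PROFILEDATADIR );
+my $PORTSDBDIR = "/var/log/netflow/porttracker";
+my $EODATA = ".\n";
+# colours used in graphs
+# if more than 12 graphs are drawn ( does this really make sense ? )
+# the same colours are used again
+my @colour = (
+'#ff0000', '#ff8000', '#ffff00', '#80ff00', '#00ff00',
+'#00ff80', '#00ffff', '#0080ff', '#0000ff', '#8000ff',
+'#ff00ff', '#ff0080'
+);
+sub GetTopN {
+my $socket = shift;
+my $opts = shift;
+my $interval;
+if ( !exists $$opts{'interval'} ) {
+$interval = 1;
+} else {
+$interval = $$opts{'interval'};
+}
+print $socket ".Get topN ports\n";
+my $statfile = $interval == 24 ? 'portstat24.txt' : 'portstat.txt';
+print $socket ".topN ports $PORTSDBDIR/$statfile\n";
+if ( !open STAT, "$PORTSDBDIR/$statfile" ) {
+print $socket $EODATA;
+print $socket "ERR Open statfile '$PORTSDBDIR/$statfile': $!\n";
+return;
+}
+print $socket ".topN read ports\n";
+while ( <STAT> ) {
+chomp;
+print $socket "_topN=$_\n";
+}
+print $socket $EODATA;
+print $socket "OK Command completed\n",
+} # End of GetPortGraph
+sub GetPortGraph {
+my $socket = shift;
+my $opts = shift;
+# get all arguments:
+# Example:
+# proto typw logscale light tstart tend topN track_list
+# tcp flows 0 0 1116495000 1116581400 '22 445 135 1433' '80 143'
+if ( !exists $$opts{'arg'} ) {
+print $socket $EODATA;
+print $socket "ERR Missing Arguments.\n";
+}
+my $ARGS = $$opts{'arg'};
+my $proto = shift @$ARGS; # 'tcp' or 'udp'
+my $type = shift @$ARGS; # 'flows', 'packets' or 'bytes'
+my $logscale = shift @$ARGS; # 0 or 1
+my $stacked = shift @$ARGS; # 0 or 1
+my $light = shift @$ARGS; # 0 or 1
+my $tstart = shift @$ARGS; # start time - UNIX format
+my $tend = shift @$ARGS; # end time - UNIX format
+my $topN = shift @$ARGS; # TopN port list: string: ' ' separated port list
+my $track_list = shift @$ARGS; # Static track port list: string: ' ' separated port list
+my $skip_list = shift @$ARGS; # Static skip port list: string: ' ' separated port list
+if ( !defined $proto || !defined $type || !defined $logscale || !defined $stacked ||
+!defined $light || !defined $tstart || !defined $tend || !defined $topN ||
+!defined $track_list || !defined $skip_list ) {
+print $socket $EODATA;
+print $socket "ERR Argument Error.\n";
+return;
+}
+my @skipPorts = split '-', $skip_list;
+my @topN = split '-', $topN;
+my @track_list = split '-', $track_list;
+# remove the common ports in both lists from the dynamic topN list
+my %_tmp;
+@_tmp{@track_list} = @track_list;
+delete @_tmp{@topN};
+@track_list = sort keys %_tmp;
+# %_tmp = ();
+# @_tmp{@topN} = @topN;
+# delete @_tmp{@skipPorts};
+# @topN = keys %_tmp;
+%_tmp = ();
+my @_tmp;
+@_tmp{@skipPorts} = @skipPorts;
+foreach my $port ( @topN ) {
+push @_tmp, $port unless exists $_tmp{$port};
+}
+@topN = @_tmp;
+my $datestr = scalar localtime($tstart) . " - " . scalar localtime($tend);
+my $title = uc($proto) . " " . ucfirst($type);
+my @DEFS = ();
+# Compile rrd args
+my @rrdargs = ();
+push @rrdargs, "-"; # output graphics to stdout
+foreach my $port ( @topN, @track_list ) {
+# assemble filename
+my $fileident = $port >> 10;
+my $rrdfile = "$PORTSDBDIR/${proto}-${type}-$fileident.rrd";
+# which ident in this rrd file
+my $ident = $port & 1023; # 0x0000001111111111 mask
+push @rrdargs, "DEF:Port${port}=$rrdfile:p${ident}:AVERAGE";
+}
+push @rrdargs, "--start", "$tstart";
+push @rrdargs, "--end", "$tend";
+push @rrdargs, "--title", "$datestr - $title" unless $light;
+push @rrdargs, "--vertical-label", "$title" unless $light;
+# lin or log graph?
+push @rrdargs, "--logarithmic" if $logscale;
+if ( $light ) {
+push @rrdargs, "-w";
+push @rrdargs, "288";
+push @rrdargs, "-h";
+push @rrdargs, "150";
+push @rrdargs, "--no-legend"; # no legend in small pictures
+} else {
+push @rrdargs, "-w";
+push @rrdargs, "576";
+push @rrdargs, "-h";
+push @rrdargs, "300";
+}
+my $i=0;
+my $area_set = 0;
+my $n = scalar @topN;
+push @rrdargs, "COMMENT:Top $n Ports\\n";
+if ( $stacked && scalar @topN ) {
+my $port = shift @topN;
+push @rrdargs, "AREA:Port${port}$colour[$i]:Port ${port}";
+$i++;
+$area_set = 1;
+foreach my $port ( @topN ) {
+push @rrdargs, "STACK:Port${port}$colour[$i]:Port ${port}";
+$i++;
+}
+} else {
+foreach my $port ( @topN ) {
+push @rrdargs, "LINE1:Port${port}$colour[$i]:Port ${port}";
+$i++;
+}
+}
+if ( scalar @track_list) {
+push @rrdargs, "COMMENT:\\n";
+push @rrdargs, "COMMENT:\\n";
+push @rrdargs, "COMMENT:Tracked Ports\\n";
+}
+if ( $stacked && scalar @track_list) {
+if ( !$area_set ) {
+my $port = shift @track_list;
+push @rrdargs, "AREA:Port${port}$colour[$i]:Port ${port}";
+$i++;
+}
+foreach my $port ( @track_list ) {
+push @rrdargs, "STACK:Port${port}$colour[$i]:Port ${port}";
+$i++;
+}
+} else {
+foreach my $port ( @track_list ) {
+push @rrdargs, "LINE2:Port${port}$colour[$i]:Port ${port}";
+$i++;
+}
+}
+if ( scalar @skipPorts) {
+push @rrdargs, "COMMENT:\\n";
+push @rrdargs, "COMMENT:\\n";
+my $portlist = join ',', @skipPorts;
+push @rrdargs, "COMMENT:Skipped Ports $portlist\\n";
+}
+my ($averages,$xsize,$ysize) = RRDs::graph( @rrdargs );
+if (my $ERROR = RRDs::error) {
+print "ERROR: $ERROR\n";
+}
+} # End of GenPortGraph
+sub nftrack_execute {
+my $command = shift;
+syslog('debug', $command);
+my $ret = system($command);
+if ( $ret == - 1 ) {
+syslog('err', "Failed to execute nftrack: $!\n");
+} elsif ($ret & 127) {
+syslog('err', "nftrack died with signal %d, %s coredump\n", ($ret & 127), ($ret & 128) ? 'with' : 'without');
+} else {
+syslog('debug', "nftrack exited with value %d\n", $ret >> 8);
+}
+} # End of nftrack_execute
+#
+# Periodic function
+# input: hash reference including the items:
+# 'profile' profile name
+# 'profilegroup' profile group
+# 'timeslot' time of slot to process: Format yyyymmddHHMM e.g. 200503031200
+sub run {
+my $argref = shift;
+my $profile = $$argref{'profile'};
+my $profilegroup = $$argref{'profilegroup'};
+my $timeslot = $$argref{'timeslot'};
+syslog('debug', "PortTracker run: Profile: $profile, Time: $timeslot");
+my %profileinfo = NfProfile::ReadProfile($profile);
+my $netflow_sources = "$PROFILEDATADIR/$profile/$profileinfo{'sourcelist'}";
+#
+# process all sources of this profile at once
+my $command = "$nftrack -L $NfConf::syslog_facility -M $netflow_sources -r nfcapd.$timeslot -d $PORTSDBDIR -A -t $timeslot -s -p -w $PORTSDBDIR/portstat.txt";
+nftrack_execute($command);
+$command = "$nftrack -d $PORTSDBDIR -S -p -w $PORTSDBDIR/portstat24.txt";
+nftrack_execute($command);
+#
+# Process the output and notify the duty team
+syslog('debug', "PortTracker run: Done.");
+} # End of run
+sub Init {
+syslog("info", "PortTracker: Init");
+# Init some vars
+$nftrack = "$NfConf::PREFIX/nftrack";
+$PROFILEDATADIR = "$NfConf::PROFILEDATADIR";
+return 1;
+}
+sub Cleanup {
+syslog("info", "PortTracker Cleanup");
+# not used here
+}
+1;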
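Review bot: GetPortGraph prints `ERR Missing Arguments.` when `$$opts{'arg'}` is absent but does not return, so the `shift @$ARGS` that follows runs on an undefined reference and dies under `use strict`; add `return;` after that error print. The values shifted off `@$ARGS` arrive from the frontend and go unvalidated into the `.rrd` path (`$proto`, `$type`) and into the RRD `DEF`/`AREA`/`LINE` names and the `>> 10` / `& 1023` arithmetic (`$port`); the inline comments already fix the legal values (tcp/udp, flows/packets/bytes, numeric port lists), so reject anything else before the DEF loop, as in the excerpt below. The comment above `@colour` says colours are reused beyond twelve graphs, but every push indexes `$colour[$i]` without wrapping, so a thirteenth series gets an undef colour and a malformed RRD argument; use `$colour[$i % @colour]` at each of the six push sites. In nftrack_execute, `syslog('debug', $command)` hands the command line to syslog as the format string, so a `%` in a profile name or sourcelist path is interpreted as a conversion; write `syslog('debug', '%s', $command);`, and the same applies to the `$!` interpolated into the 'err' message. Smaller items in GetTopN: the statfile is opened with a bareword two-argument `open STAT, ...` that is never closed (`open my $stat_fh, '<', "$PORTSDBDIR/$statfile"` plus a `close`), and its final `print $socket "OK Command completed\n",` ends in a comma rather than a semicolon.
```perl
if ( !exists $$opts{'arg'} ) {
print $socket $EODATA;
print $socket "ERR Missing Arguments.\n";
return;
}
# … unchanged: shift the positional arguments off @$ARGS and the defined check …
my @skipPorts = split '-', $skip_list;
my @topN = split '-', $topN;
my @track_list = split '-', $track_list;
# only the values the .rrd filenames and DEF names are built from are accepted
if ( $proto !~ /^(?:tcp|udp)$/ || $type !~ /^(?:flows|packets|bytes)$/
|| grep { !/^\d{1,5}$/ } @skipPorts, @topN, @track_list ) {
print $socket $EODATA;
print $socket "ERR Argument Error.\n";
return;
}
# … unchanged: list de-duplication, rrd argument assembly, RRDs::graph call …
```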