Install & configure nfdump with nfsen on Ubuntu server 10.04

Install & configure nfdump with nfsen on Ubuntu server 10.04

This was done using Ubuntu server 10.04 although everything is compiled from source so the commands should be very similar on any linux box. There are also example configs for Cisco ASA 8.2 near the bottom of the post.

I was looking for a netflow collector/analyser that would accept v9 flows from Cisco ASA devices. These devices create v9 "NetFlow Security Event Logging" (NSEL) flows which can include information about security events in addition to the traditional v5 flow info. Luckly there is a specific NSEL version of nfdump that still works with the web based gui nfsen. The original (non NSEL) version of nfdump doesnt support v9 flows at the time of writting. If you dont need v9 support you arent restricted to the NSEL version.

Download, extract, compile and install rrdtool from source. This will install rrdtool to /usr/local/rrdtool obviously change this to your preference.

cd /tmp
tar xzfv rrdtool.tar.gz
cd rrdtool-1.4.5/
./configure -prefix=/usr/local/rrdtool -disable-tcl
sudo make install

Now we grab the nfdump source, compile it with nfprofile support thats required by nfsen and install it.

cd /tmp
cd nfdump-1.5.8-NSEL/
./configure --with-rrdpath=/usr/local/rrdtool --with-ftpath=source --enable-nfprofile
sudo make install

Now to get the nfsen source and extract it

cd /tmp
tar xzf nfsen-1.3.5.tar.gz
cd nfsen-1.3.5

Before we can install it we need to add a user for nfsen to run as and configure some parameters in the nfsen-dist.conf file. Or you can use an existing user e.g. www-data and skip this step using the appropriate user substituted in the following steps. (thanks to Rafael Fonseca for this suggestion via his comment below)

sudo useradd nfsen
vi etc/nfsen-dist.conf

Now we need to change the config to reflect the changes below.

$BASEDIR = "/usr/local/nfsen";
$HTMLDIR    = "/var/www/nfsen/";
$USER    = "nfsen";
$WWWUSER  = "nfsen";
$WWWGROUP = "nfsen";

%sources = (
'm00nies-ASA'    => { 'port' => '2055', 'col' => '#000fff', 'type' => 'netflow' },
'Another-ASA'        => { 'port' => '2056', 'col' => '#0000ff', 'type' => 'netflow' },
'An-IOS-netflow-source' => { 'port' => '2057', 'col' => '#00000f', 'type' => 'netflow' }

Change the sources to your own name instead of MY_ASA and the port you configured the device to send to. Notice each source has its own unique port to send to and non NSEL sources are configured in the same way. Now save the file. Then install and start nfsen with the following command.

sudo ./ etc/nfsen-dist.conf
sudo chown -R nfsen /usr/local/nfsen
sudo /usr/local/nfsen/bin/nfsen start

Tail the syslog file to check for errors: sudo tail -f /var/log/messages
By default the template is only sent from a Cisco ASA every 30 mins so grab a coffee until nfsen can make sense of the flows.

nfsen should now be accesable via http://MYSERVER/nfsen/nfsen.php if you get a nfsen permission error check the nfsen user has permission to use the socket at /usr/local/nfsen/var/run/nfsen.comm

Cisco ASA netflow config

access-list NETFLOW extended permit ip any any
class-map NetFlow-traffic
match access-list NETFLOW
policy-map global_policy
class NetFlow-traffic
flow-export event-type all destination
flow-export destination Outside 2055
! Configure how often templates are sent in minutes 30 is default
flow-export delay flow-create 30

Check the ASA is exporting flows

m00nies-ASA# show flow-export counters

destination: Outside 2055
packets sent                                          1077495
block allocation failure                                    0
invalid interface                                           0
template send failure                                       0

m00nie :)