May 24, 2011

Install & configure nfdump with nfsen on Ubuntu server 10.04

NFSEN

This was done on Ubuntu server 10.04, but since everything is compiled from source the commands should be very similar on any Linux box. There are also example configs for Cisco ASA 8.2 near the bottom of the post.

I was looking for a netflow collector/analyser that would accept v9 flows from Cisco ASA devices. These devices create v9 "NetFlow Security Event Logging" (NSEL) flows, which can include information about security events in addition to the traditional v5 flow info. Luckily there is a specific NSEL version of nfdump that still works with the web based GUI nfsen. The original (non-NSEL) version of nfdump doesn't support v9 flows at the time of writing. If you don't need v9 support you aren't restricted to the NSEL version.

Download, extract, compile and install rrdtool from source. This will install rrdtool to /usr/local/rrdtool; change the prefix to suit your own preference.

cd /tmp
wget http://oss.oetiker.ch/rrdtool/pub/rrdtool.tar.gz
tar xzfv rrdtool.tar.gz
cd rrdtool-1.4.5/
./configure --prefix=/usr/local/rrdtool --disable-tcl
make
sudo make install
Now we grab the nfdump source, compile it with the nfprofile support that nfsen requires, and install it.
cd /tmp
wget -O nfdump-1.5.8-NSEL.tar.gz http://sourceforge.net/projects/nfdump/files/nsel/nfdump-1.5.8-NSEL/nfdump-1.5.8-NSEL.tar.gz/download
tar xzf nfdump-1.5.8-NSEL.tar.gz
cd nfdump-1.5.8-NSEL/
./configure --with-rrdpath=/usr/local/rrdtool --with-ftpath=source --enable-nfprofile
make
sudo make install
Now get the nfsen source and extract it.
cd /tmp
wget -O nfsen-1.3.5.tar.gz http://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.5/nfsen-1.3.5.tar.gz/download
tar xzf nfsen-1.3.5.tar.gz
cd nfsen-1.3.5
Before we can install it we need to add a user for nfsen to run as and configure some parameters in the nfsen-dist.conf file. Alternatively you can use an existing user, e.g. www-data, skip the useradd step and substitute that user in the following steps. (Thanks to Rafael Fonseca for this suggestion via his comment below.)
sudo useradd nfsen
vi etc/nfsen-dist.conf
Now we need to change the config to reflect the changes below.
$BASEDIR  = "/usr/local/nfsen";
$HTMLDIR  = "/var/www/nfsen/";
$USER     = "nfsen";
$WWWUSER  = "nfsen";
$WWWGROUP = "nfsen";

%sources = (
    'm00nies-ASA'           => { 'port' => '2055', 'col' => '#000fff', 'type' => 'netflow' },
    'Another-ASA'           => { 'port' => '2056', 'col' => '#0000ff', 'type' => 'netflow' },
    'An-IOS-netflow-source' => { 'port' => '2057', 'col' => '#00000f', 'type' => 'netflow' },
);


Change the source names (MY_ASA in the original example) to your own device names, and set the port to the one you configured each device to send to. Notice that each source has its own unique port to send to, and that non-NSEL sources are configured in the same way. Now save the file, then install and start nfsen with the following commands.

sudo ./install.pl etc/nfsen-dist.conf
sudo chown -R nfsen /usr/local/nfsen
sudo /usr/local/nfsen/bin/nfsen start
Tail the syslog file to check for errors.
sudo tail -f /var/log/messages
By default the NetFlow v9 template is only sent from a Cisco ASA every 30 minutes, and without the template the collector cannot decode the data records it receives, so grab a coffee until nfsen can make sense of the flows.
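To show why nothing is usable until that template arrives, here is a small NetFlow v9 collector written for this post (added example, not nfdump or nfsen code). It builds constructed v9 packets with a single assumed template (IPv4 addresses, ports, protocol), feeds a data flowset before and after the template, and records what a collector can do in each case.

```python
import struct
# Constructed NetFlow v9 packets, not traffic captured from a real ASA.
# RFC 3954 field types: 8=IPV4_SRC_ADDR 12=IPV4_DST_ADDR 7=L4_SRC_PORT 11=L4_DST_PORT 4=PROTOCOL
NAMES = {8: "src", 12: "dst", 7: "sport", 11: "dport", 4: "proto"}
TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1)]  # one 13-byte record per flow

def header(count, seq):  # version, record count, sysUptime, unix secs, sequence, source id
    return struct.pack("!HHIIII", 9, count, 123456, 1306195200, seq, 0)
def template_flowset(tid, fields):  # flowset id 0 carries templates
    body = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body
def data_flowset(tid, records):  # flowset id == template id; padded to a 4-byte boundary
    body = b"".join(records); pad = (-len(body)) % 4
    return struct.pack("!HH", tid, 4 + len(body) + pad) + body + b"\0" * pad

class V9Collector:
    def __init__(self):
        self.templates, self.flows, self.dropped = {}, [], 0  # templates keyed by (source id, template id)

    def feed(self, pkt):
        _ver, _count, _up, _secs, _seq, src_id = struct.unpack("!HHIIII", pkt[:20])
        off = 20
        while off + 4 <= len(pkt):
            fsid, length = struct.unpack("!HH", pkt[off:off + 4])
            body = pkt[off + 4:off + length]
            if fsid == 0:  # template flowset: remember every template it carries
                while len(body) >= 4:
                    tid, n = struct.unpack("!HH", body[:4])
                    self.templates[(src_id, tid)] = [struct.unpack("!HH", body[4 + 4*i:8 + 4*i]) for i in range(n)]
                    body = body[4 + 4*n:]
            elif fsid >= 256:  # data flowset: decodable only once its template is known
                self._decode(src_id, fsid, body)
            off += length

    def _decode(self, src_id, tid, body):
        tmpl = self.templates.get((src_id, tid))
        if tmpl is None:
            self.dropped += 1; return  # what the collector sees until the ASA resends its templates
        reclen = sum(l for _, l in tmpl)
        while len(body) >= reclen:
            rec, off = {}, 0
            for t, l in tmpl:
                raw = body[off:off + l]; off += l
                rec[NAMES.get(t, t)] = ".".join(map(str, raw)) if t in (8, 12) else int.from_bytes(raw, "big")
            self.flows.append(rec); body = body[reclen:]

def demo():  # same flow record sent before and after the template: first dropped, then decoded
    rec = struct.pack("!4s4sHHB", bytes([10, 1, 1, 50]), bytes([192, 0, 2, 7]), 51234, 443, 6)
    c = V9Collector()
    c.feed(header(1, 1) + data_flowset(256, [rec]))
    c.feed(header(2, 2) + template_flowset(256, TEMPLATE) + data_flowset(256, [rec]))
    return c.dropped, c.flows
```

The first packet is counted as dropped because its template id is unknown; the second decodes the identical record, which is exactly the gap you wait through after starting nfsen.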

nfsen should now be accessible via http://MYSERVER/nfsen/nfsen.php. If you get an nfsen permission error, check that the nfsen user has permission to use the socket at /usr/local/nfsen/var/run/nfsen.comm.

Cisco ASA netflow config

access-list NETFLOW extended permit ip any any
!
class-map NetFlow-traffic
 match access-list NETFLOW
!
!
policy-map global_policy
 class NetFlow-traffic
  flow-export event-type all destination 10.1.1.3
!
!
flow-export destination Outside 10.1.1.3 2055
!
! Configure how often templates are sent in minutes, 30 is default
!
flow-export delay flow-create 30
Check that the ASA is exporting flows:
m00nies-ASA# show flow-export counters

destination: Outside 10.1.1.3 2055
Statistics:
packets sent 1077495
Errors:
block allocation failure 0
invalid interface 0
template send failure 0


m00nie :)