Packetwatch.net

NfSen in Red Hat Enterprise Linux



Last modified: Sept. 2, 2011

Contents
1 - Summary
2 - Dependencies
3 - NfSen installation
4 - Service configuration
5 - View status on website
6 - Service check


1 - Summary

This guide will show you how to install nfsen in Red Hat Enterprise Linux.
NfSen is used to display and query netflow data. In this guide, nfsen will be
installed and served by apache so the information can be viewed in a web browser.
This has been tested on Red Hat Enterprise Linux 5 x86_64.


2 - Dependencies

Add the EPEL repository. This repository contains extra packages from Red Hat.
# wget http://download.fedora.redhat.com/pub/epel/$rel/$arch/epel-release-$ver.noarch.rpm
# sudo rpm -ivh epel-release-$ver.noarch.rpm
[sudo] password for user:
# rm -f epel-release-$ver.noarch.rpm

Install the apache package. Apache is a web server that will host the web pages
that display the netflow data.
# sudo yum install httpd.x86_64
[sudo] password for user:

Find where the apache daemon was installed to.
# rpm -ql httpd-* | grep sbin
/usr/sbin/apachectl
/usr/sbin/htcacheclean
/usr/sbin/httpd
/usr/sbin/httpd.event
/usr/sbin/httpd.worker
/usr/sbin/httxt2dbm
/usr/sbin/rotatelogs
/usr/sbin/suexec

Enable the apache service so that it will start when the system starts up.
# sudo /sbin/chkconfig httpd on
[sudo] password for user:
# sudo /sbin/chkconfig --list httpd
[sudo] password for user:
httpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off

Find where the configuration file should be put.
# rpm -ql httpd-* | grep init.d
/etc/rc.d/init.d/httpd
# grep httpd.conf /etc/rc.d/init.d/httpd
# config: /etc/httpd/conf/httpd.conf
        CONFFILE=/etc/httpd/conf/httpd.conf
# strings /usr/sbin/httpd | grep httpd.conf
-D SERVER_CONFIG_FILE="conf/httpd.conf"
conf/httpd.conf
        directive in your httpd.conf file to list a non-root

You will need to modify the original configuration file. Add the following. In
this example, I set the websites to be stored in an alternate directory. By the
way, there is already a group named "it" which includes an account for the web
developers.
  ServerName server.test.com
  DocumentRoot "/data/websites/test/server"
  ErrorLog syslog
  LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" commonvhost
  CustomLog "|/usr/bin/logger" commonvhost
  #Alias /icons/ "/var/www/icons/"
  #<Directory "/var/www/icons">
  #    Options Indexes MultiViews
  #    AllowOverride None
  #    Order allow,deny
  #    Allow from all
  #</Directory>
  #ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
  #<Directory "/var/www/cgi-bin">
  #    AllowOverride None
  #    Options None
  #    Order allow,deny
  #    Allow from all
  #</Directory>
  #Alias /error/ "/var/www/error/"
  ErrorDocument 404 /index.html
  NameVirtualHost *:80
  NameVirtualHost *:443
  <VirtualHost *:80>
          ServerName server.test.com
          Redirect / https://server.test.com/
  </VirtualHost>
  <VirtualHost *:443>
          ServerName server.test.com
          ServerAdmin root@localhost
          DocumentRoot /data/websites/test/server
  </VirtualHost>
# rpm -ql httpd-* | grep "httpd\.conf"
/etc/httpd/conf/httpd.conf
# sudo cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.example
[sudo] password for user:
# sudo vi /etc/httpd/conf/httpd.conf
[sudo] password for user:
# sudo mkdir -p /data/websites/test/server
[sudo] password for user:
# sudo mkdir -p /data/logs/httpd
[sudo] password for user:
# sudo chown -R root:it /data/logs/httpd/
[sudo] password for user:

Install the mod_ssl package for SSL certificate support. Copy in the SSL
certificate files to /etc/httpd/ssl/.
# sudo yum install mod_ssl.x86_64
[sudo] password for user:
# sudo mkdir /etc/httpd/ssl/
[sudo] password for user:
You will need to modify the original configuration file. Add the following.
  #SSLPassPhraseDialog  builtin
  ErrorLog syslog
  SSLCertificateFile /etc/httpd/ssl/test.cer
  SSLCertificateKeyFile /etc/httpd/ssl/test.key.alt
  SSLCertificateChainFile /etc/httpd/ssl/test.crt
# rpm -ql mod_ssl-* | grep conf.d
/etc/httpd/conf.d/ssl.conf
# sudo cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.example
[sudo] password for user:
# sudo vi /etc/httpd/conf.d/ssl.conf
[sudo] password for user:
Create an index file.
  <html>
  <head>
  <title>Test: Network monitoring</title>
  </head>
  <body>
  <a href="https://server.test.com/nfsen/">Netflow information - NfSen</a><br>
  </body>
  </html>
# sudo vi /data/websites/test/server/index.html
[sudo] password for user:

Configure syslog appropriately.

Install the php package. The php version has to be at least 4.1.
# sudo yum install php.x86_64
[sudo] password for user:
# rpm -ql php-cli-* | grep bin | grep php
/usr/bin/php
/usr/bin/php-cgi
# /usr/bin/php -v | grep built
PHP 5.1.6 (cli) (built: Nov 13 2010 16:05:12) 
# sudo rpm -ql php-common-* | grep php.ini
[sudo] password for user:
/etc/php.ini
# sudo cp /etc/php.ini /etc/php.ini.example
[sudo] password for user:
You will need to modify the original configuration file. Have the following.
By the way, we already have a group named "it" which includes an account for the
web developers.
  error_reporting  =  E_ALL & ~E_NOTICE
  log_errors_max_len = 0
  error_log = /data/logs/php/errors.log
# sudo vi /etc/php.ini
[sudo] password for user:
# sudo mkdir /data/logs/php
[sudo] password for user:
# sudo touch /data/logs/php/errors.log
[sudo] password for user:
# sudo chown -R root:it /data/logs/php/
[sudo] password for user:
# sudo chmod -R 777 /data/logs/php/
[sudo] password for user:

Install the perl package. The perl version has to be at least 5.6.0.
# sudo yum install perl.x86_64
[sudo] password for user:
# rpm -ql perl-* | grep bin | grep perl
/usr/bin/find2perl
/usr/bin/perl
/usr/bin/perl5.8.8
/usr/bin/perlbug
/usr/bin/perlcc
/usr/bin/perldoc
/usr/bin/perlivp
/usr/lib/perl5/5.8.8/unicore/CombiningClass.pl
/usr/lib/perl5/5.8.8/unicore/lib/gc_sc/InCombin.pl
# /usr/bin/perl -v | grep -i built
This is perl, v5.8.8 built for x86_64-linux-thread-multi

Install the following perl modules.
# sudo yum install perl-TimeDate
[sudo] password for user: 
# sudo yum install perl-Pod-Escapes
[sudo] password for user: 
# sudo yum install perl-Pod-Simple
[sudo] password for user: 
# sudo yum install perl-Test-Pod
[sudo] password for user: 
# sudo yum install perl-MailTools
[sudo] password for user: 

Install the rrdtool packages.
# sudo yum install libdbi.x86_64
[sudo] password for user: 
# sudo yum install lua.x86_64
[sudo] password for user: 
# sudo yum install mysql-server.x86_64
[sudo] password for user: 
# sudo /sbin/chkconfig mysqld off
[sudo] password for user: 
# sudo yum install net-snmp-utils.x86_64
[sudo] password for user: 
# mkdir nfsen
# cd nfsen/
# wget http://apt.sw.be/redhat/$rel/$lang/$arch/dag/RPMS/perl-rrdtool-$ver.$rel.rf.$arch.rpm
# sudo rpm -ivh --nodeps perl-rrdtool-$ver.$rel.rf.$arch.rpm 
[sudo] password for user: 
# sudo yum install ruby.x86_64
[sudo] password for user: 
# wget http://apt.sw.be/redhat/$rel/$lang/$arch/dag/RPMS/rrdtool-$ver.$rel.rf.$arch.rpm
# sudo rpm -ivh rrdtool-$ver.$rel.rf.$arch.rpm 
[sudo] password for user: 
# wget http://apt.sw.be/redhat/$rel/$lang/$arch/dag/RPMS/rrdtool-devel-$ver.$rel.rf.$arch.rpm
# sudo rpm -ivh rrdtool-devel-$ver.$rel.rf.$arch.rpm 
[sudo] password for user: 

Download, compile and install the nfdump application. It can be downloaded at
http://nfdump.sourceforge.net/.
# wget http://$mirror.sourceforge.net/project/nfdump/stable/nfdump-$ver/nfdump-$ver.tar.gz
# tar -zxvf nfdump-$ver.tar.gz
# cd nfdump-$ver/
# ./configure --enable-nfprofile
# make
# sudo make install
[sudo] password for user:
# sudo make clean
[sudo] password for user:
# cd ..


3 - NfSen installation

Download the nfsen application and extract it. It can be downloaded at
http://nfsen.sourceforge.net/.
# wget http://$mirror.sourceforge.net/project/nfsen/stable/nfsen-$ver/nfsen-$ver.tar.gz
# tar -zxvf nfsen-$ver.tar.gz
# cd nfsen-$ver/

You can modify the configuration file. Have the following.
  $BASEDIR = "/usr/local";
  $HTMLDIR    = "/var/www/html/nfsen/";
  $VARDIR="/data/monitoring/nfsen";
  $PROFILESTATDIR="${VARDIR}/profiles-stat";
  $PROFILEDATADIR="${VARDIR}/profiles-data";
  $USER    = "nfsen";
  $WWWUSER  = "apache";
  $WWWGROUP = "apache";
  %sources = (
      'core_router_location1'   => { 'port' => '9991', 'col' => '#ff0000' },
      'core_router_location2'   => { 'port' => '9992', 'col' => '#008000' },
      'core_router_location3'   => { 'port' => '9993', 'col' => '#0000ff' },
  );
  $MAIL_FROM   = 'noreply@test.com';
  $SMTP_SERVER = 'mail.test.com';
# cd nfsen-$ver/
# cp etc/nfsen-dist.conf etc/nfsen.conf
# vi etc/nfsen.conf
# sudo mkdir -p /data/monitoring/nfsen
[sudo] password for user:

Modify the install.pl file so that the nfdump version check (around line 200) is
commented out, as shown below.
          my @out = `$NfConf::PREFIX/nfdump -V`;
  #       if ( scalar @out != 2 ) {
  #               die "Error getting nfdump version";
  #       }
# vi install.pl

Create a user named nfsen.
# sudo /usr/sbin/useradd -c 'NfSen' -d / -g apache -M -s /sbin/nologin nfsen
[sudo] password for user:

Install the nfsen application.
# sudo ./install.pl etc/nfsen.conf
[sudo] password for user:
# cd ~


4 - Service configuration

Find where the nfsen application was installed to.
# grep -E "(\$BASEDIR|\$BINDIR)" nfsen/nfsen-$ver/etc/nfsen.conf | grep -v ^#
$BASEDIR = "/usr/local";
$BINDIR="${BASEDIR}/bin";
# ls -1 /usr/local/bin/nfsen
/usr/local/bin/nfsen

Enable the nfsen service so that it will start when the system starts up. Here
is a script I created to start and stop the nfsen daemon.
  #!/bin/bash

  # chkconfig: - 50 50
  # description: nfsen

  DAEMON=/usr/local/bin/nfsen

  case "$1" in
          start)
                  $DAEMON start
                  ;;
          stop)
                  $DAEMON stop
                  ;;
          status)
                  $DAEMON status
                  ;;
          restart)
                  $DAEMON stop
                  $DAEMON start
                  ;;
          *)
                  echo "Usage: $0 {start|stop|status|restart}"
                  exit 1
                  ;;
  esac
# sudo vi /etc/rc.d/init.d/nfsen
[sudo] password for user:
# sudo chmod 755 /etc/rc.d/init.d/nfsen
[sudo] password for user:
# sudo /sbin/chkconfig --add nfsen
[sudo] password for user:
# sudo /sbin/chkconfig nfsen on
[sudo] password for user:
# sudo /sbin/chkconfig --list nfsen
[sudo] password for user:
nfsen           0:off   1:off   2:on    3:on    4:on    5:on    6:off

Find where the configuration was installed to.
# grep -E "(\$BASEDIR|\$CONFDIR)" nfsen/nfsen-$ver/etc/nfsen.conf | grep -v ^#
$BASEDIR = "/usr/local";
$CONFDIR="${BASEDIR}/etc";
# ls -1 /usr/local/etc/nfsen.conf
/usr/local/etc/nfsen.conf

You will need to modify the original configuration file. Have the following.
  $HTMLDIR    = "/data/websites/test/server/nfsen/";
# sudo cp /usr/local/etc/nfsen.conf /usr/local/etc/nfsen.conf.example
[sudo] password for user:
# sudo vi /usr/local/etc/nfsen.conf
[sudo] password for user:
# sudo mkdir /data/logs/nfcapd/
[sudo] password for user:
# sudo mkdir /data/logs/nfsen/
[sudo] password for user:
# sudo chown -R root:it /data/logs/nfcapd/
[sudo] password for user:
# sudo chown -R root:it /data/logs/nfsen/
[sudo] password for user:

You will need to create a configuration file for nfsen used by apache. Have the
following.
  Alias /nfsen/ "/data/websites/test/server/nfsen/"
  <Directory "/data/websites/test/server/nfsen">
      AuthType Basic
      AuthName "Restricted"
      AuthUserFile /etc/httpd/conf/htaccounts
      Require user Administrator
      DirectoryIndex nfsen.php
      AllowOverride None
      Options None
      Order allow,deny
      Allow from all
  </Directory>
# rpm -ql httpd-* | grep conf.d
/etc/httpd/conf.d
/etc/httpd/conf.d/README
/etc/httpd/conf.d/proxy_ajp.conf
/etc/httpd/conf.d/welcome.conf
# sudo vi /etc/httpd/conf.d/nfsen.conf
[sudo] password for user:

Create a user account using htpasswd that will be allowed to view the netflow
information.
# rpm -ql httpd-* | grep htpasswd
/usr/bin/htpasswd
/usr/share/man/man1/htpasswd.1.gz
# sudo /usr/bin/htpasswd -c -s /etc/httpd/conf/htaccounts Administrator
[sudo] password for user:
New password: ********
Re-type new password: ********
Adding password for user Administrator

Copy the nfsen web directory and set ownership and permissions. By the way,
there is already a group named "it" which includes an account for the web developers.
# grep "\$HTMLDIR" nfsen/nfsen-$ver/etc/nfsen.conf
$HTMLDIR    = "/var/www/html/nfsen/";
# rm -fr nfsen/
# sudo cp -Rp /var/www/nfsen/ /data/websites/test/server/nfsen/
[sudo] password for user:
# sudo chown -R apache:it /data/websites/test/server/nfsen/
[sudo] password for user:
# sudo chmod -R 774 /data/websites/test/server/nfsen/
[sudo] password for user:

You will need to configure SELinux appropriately. SELinux status can be
found by running sestatus.
# sudo /usr/sbin/sestatus | grep status:
[sudo] password for user:
SELinux status:                 enabled

Before starting the server, make sure that tcp ports 80, 443 and udp ports 9991,
9992, and 9993 are open in case you are running firewall software. Here are
some sample rules.
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
  -A RH-Firewall-1-INPUT -p udp -m udp --dport 9991 -j ACCEPT
  -A RH-Firewall-1-INPUT -p udp -m udp --dport 9992 -j ACCEPT
  -A RH-Firewall-1-INPUT -p udp -m udp --dport 9993 -j ACCEPT
# sudo /sbin/service iptables stop
[sudo] password for user:
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
# sudo cp /etc/sysconfig/iptables /etc/sysconfig/iptables.previous
[sudo] password for user:
# sudo vi /etc/sysconfig/iptables
[sudo] password for user:
# sudo /sbin/service iptables start
[sudo] password for user:
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]

Start the apache service.
# sudo /sbin/service httpd start
[sudo] password for user:
Starting httpd: [  OK  ]

Start the nfsen service.
# sudo /sbin/service nfsen start
[sudo] password for user:
Starting nfcapd:(core_router_location1)[12989] (core_router_location3)[12992] 
(core_router_location2)[12995] 
Starting nfsend.
# sudo /sbin/service nfsen status
[sudo] password for user:
NfSen version: version
NfSen status:
Collector for (core_router_location1) port 9991 is running [12989].
Collector for (core_router_location3) port 9993 is running [12992].
Collector for (core_router_location2) port 9992 is running [12995].
nfsen daemon:  pid: [12997] is running.
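As an added example (not part of the original page or of the NfSen project), the following Python script cross-checks three of the artifacts shown above: the %sources block of nfsen.conf, the udp ACCEPT lines in /etc/sysconfig/iptables, and the output of "service nfsen status". It reports collector ports with no firewall rule and configured sources whose collector is not running. The sample inputs are constructed, and the regular expressions and function names are my own assumptions about these formats.

```python
import re

# Constructed sample of the %sources block as shown in nfsen.conf on this page.
NFSEN_CONF = """
%sources = (
    'core_router_location1'   => { 'port' => '9991', 'col' => '#ff0000' },
    'core_router_location2'   => { 'port' => '9992', 'col' => '#008000' },
    'core_router_location3'   => { 'port' => '9993', 'col' => '#0000ff' },
);
"""
# Constructed /etc/sysconfig/iptables fragment; the rule for udp 9993 is left out on purpose.
IPTABLES = """
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 9991 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 9992 -j ACCEPT
"""
# Constructed "service nfsen status" output; the location2 collector is not listed.
STATUS = """
NfSen status:
Collector for (core_router_location1) port 9991 is running [12989].
Collector for (core_router_location3) port 9993 is running [12992].
nfsen daemon:  pid: [12997] is running.
"""

# Assumed patterns for the three formats; they cover the layouts shown on this page.
SOURCE_RE = re.compile(r"'(\w+)'\s*=>\s*\{[^}]*'port'\s*=>\s*'(\d+)'")
UDP_RULE_RE = re.compile(r"^-A\s+\S+.*-p udp\b.*--dport (\d+)\b.*-j ACCEPT", re.M)
RUNNING_RE = re.compile(r"Collector for \((\w+)\) port (\d+) is running")

def parse_sources(conf_text):
    """Map each %sources entry name to the UDP port its nfcapd collector listens on."""
    return {name: int(port) for name, port in SOURCE_RE.findall(conf_text)}

def udp_rules(sources):
    """Render one RH-Firewall-1-INPUT accept line per collector port, in the page's style."""
    return ["-A RH-Firewall-1-INPUT -p udp -m udp --dport %d -j ACCEPT" % p
            for p in sorted(set(sources.values()))]

def missing_firewall_ports(sources, iptables_text):
    """Collector ports that have no udp ACCEPT rule in the saved iptables config."""
    allowed = {int(p) for p in UDP_RULE_RE.findall(iptables_text)}
    return sorted(p for p in set(sources.values()) if p not in allowed)

def stopped_collectors(sources, status_text):
    """Configured sources whose collector is not reported running on its configured port."""
    running = {name: int(port) for name, port in RUNNING_RE.findall(status_text)}
    return sorted(name for name, port in sources.items() if running.get(name) != port)

if __name__ == "__main__":  # run against the constructed samples above
    src = parse_sources(NFSEN_CONF)
    print("ports without a firewall rule:", missing_firewall_ports(src, IPTABLES))
    print("collectors not running:", stopped_collectors(src, STATUS))
```

On a real host, feed it the contents of /usr/local/etc/nfsen.conf, /etc/sysconfig/iptables and the captured output of "sudo /sbin/service nfsen status" instead of the constructed strings.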


5 - View status on website

Navigate your web browser to https://server.test.com/. Click on the link for
Netflow information - NfSen. After you login, you will see a screen showing a
summary of the netflow data.


6 - Service check

Reboot your computer. Log in like normal and check to see that the httpd and
nfsen services are running. That's it, now you have nfsen running in Red Hat
Enterprise Linux.
# sudo /sbin/shutdown -r now
Password:
# sudo /sbin/service httpd status
Password:
httpd (pid  3106) is running...
# sudo /sbin/service nfsen status
Password:
NfSen version: version
NfSen status:
Collector for (core_router_location1) port 9991 is running [2993].
Collector for (core_router_location3) port 9993 is running [2996].
Collector for (core_router_location2) port 9992 is running [2999].
nfsen daemon:  pid: [3001] is running.


Packetwatch Research 2002-2017.