# 2013-04-10 # # This has been tested on CentOS 6.3 barebones server build. # It should work well on most RHEL or CentOS OS's. # # Note: even though this install script looks like it could do a full install in one # swoop, there is no error checking! You should be running these commands one-at-a-time # or in small batches. ####### installation ######## # # If you haven't already, gunzip and untar the distribution and change into its root directory # cd ~ gunzip -c wvnetflow-1.07.tar.gz | tar -xf - cd ~/wvnetflow-1.07 # # Install prerequisite modules with YUM # yum --assumeyes install rsyslog gcc byacc libtool make patch zlib-devel httpd rrdtool-perl perl-GD perl-Net-DNS # # Install cpanminus and needed Perl modules # wget -O - http://cpanmin.us | perl - --self-upgrade cpanm Net::SNMP Spreadsheet::WriteExcel Net::Patricia # # Install the flowd collector. # Webview uses a fork of the flowd source with improvements for logging and sequence number handling # (see http://code.google.com/r/cweinhold-flowd-sequence for more information). # cd ~/wvnetflow-1.07 wget http://iweb.dl.sourceforge.net/project/wvnetflow/flowd-sequence/cweinhold-flowd-sequence.tar.gz gunzip -c cweinhold-flowd-sequence.tar.gz | tar -xf - cd cweinhold-flowd-sequence ./configure make install mkdir -p /var/empty/dev groupadd _flowd useradd -g _flowd -c "flowd privsep" -d /var/empty _flowd # # Install flow-tools and Cflow.pm. # This requires building from the flow-tools fork at https://code.google.com/p/flow-tools/. # (the relative directory structure for the next few steps is very important!) # cd ~/wvnetflow-1.07 wget https://flow-tools.googlecode.com/files/flow-tools-0.68.5.1.tar.bz2 bzcat flow-tools-0.68.5.1.tar.bz2 | tar -xf - cd flow-tools-0.68.5.1/ patch -p1 <../optional-accessories/flow-tools-patches/patch.flow-tools.scan-and-hash CC='gcc -fPIC' ./configure make make install # (on 32-bit systems, remove the "-fPIC" option above) cd lib ln -s /usr/local/flow-tools/lib/libft.a libft.a cd ../contrib wget http://net.doit.wisc.edu/~plonka/Cflow/Cflow-1.053.tar.gz gunzip -c Cflow-1.053.tar.gz | tar -xf - cd Cflow-1.053 perl Makefile.PL make make test make install # (difficulties with this last chunk? see https://code.google.com/p/flow-tools/issues/detail?id=1) # # Set up rsyslogd -- first, add socket listener for flowd chroot log file: # sed -i.bak -e '/GLOBAL DIRECTIVES/i $AddUnixListenSocket /var/empty/dev/log\n' /etc/rsyslog.conf # # Set up rsyslogd -- second, add a /etc/rsyslog.d conf file sending flowd data to /var/log/flowd # cat </etc/rsyslog.d/40-flowd.conf # set file permissions \$umask 0000 \$FileCreateMode 0644 # log daemon traffic from flowd to its own file :programname, isequal, "flowd" /var/log/flowd :programname, isequal, "flowd" ~ EOT # # Set up rsyslogd -- third, change selinux settings for the rsyslog init script (or else it won't be able to watch the flowd log socket) # chcon -t etc_t /etc/init.d/rsyslog # # Set up rsyslogd -- lastly, restart the service # service rsyslog restart # # create directories and install files # cd ~/wvnetflow-1.07 mkdir -p /opt/netflow/tmp /opt/netflow/data /opt/netflow/cache /opt/netflow/capture /usr/local/webview cp -Rp flowage www utils /usr/local/webview cp etc/webview.conf /etc chmod 777 /usr/local/webview/www/flow/graphs # # set selinux permissions for CGI scripts # chcon -t httpd_sys_script_exec_t /usr/local/webview/www/flow/*.cgi # # set up flowd init script # cp etc/flowd-2055.conf /usr/local/etc/ cp etc/init.d/flowd-centos /etc/init.d/flowd chmod 755 /etc/init.d/flowd ln -s /etc/init.d/flowd /etc/init.d/flowd-2055 chkconfig --add flowd-2055 service flowd-2055 start # (Note that multiple flowd init scripts and config files can coexist. The # "-number" is the port number of the listener. It's good form to use a different # listener port for each type of collection -- e.g., MPLS WAN routers might use # port 2055, while outside internet routers could use 2056 and data center # switches could use 2057). # # set up iptables to allow incoming web (tcp 80) and netflow (udp 2055) # iptables -I INPUT -p udp --dport 2055 -j ACCEPT iptables -I INPUT -p tcp --dport 80 -j ACCEPT service iptables save # # modify crontab # crontab -l > /tmp/newcron cat <>/tmp/newcron # every hour, keep the capture directory within bounds. This script logs to /var/log/flow-expire.log 0 * * * * /usr/local/webview/utils/flow-expire-perl -E 10G -e 9000 -w /opt/netflow/capture/2055 # every 5 minutes, run flowd2ft to convert flowd capture into flow-tools format in the capture directory */5 * * * * /usr/local/webview/utils/flowd2ft 2055 >> /var/log/flowd2ft-2055.log 2>&1 # run flowage.pl every five minutes # DISABLED RIGHT NOW; ENABLE LATER #*/5 * * * * perl /usr/local/webview/flowage/flowage.pl > /tmp/flowage.stdout 2> /tmp/flowage.stderr # expire exporter summary files after two weeks 0 0 * * * find /opt/netflow/capture -name 'summary-*' -mtime +14 -exec rm -f {} \; # expire unused RRD files after 30 days 0 2 * * * find /opt/netflow/capture -name '*.rrd' -mtime +30 -exec rm -f {} \; 15 2 * * * find /opt/netflow/capture -depth -type d -empty -exec rmdir {} \; # every 15 minutes, run monFlows.pl to check on the health of the flowage processes # DISABLED RIGHT NOW; ENABLE LATER #*/15 * * * * /usr/local/webview/flowage/monitor/monFlows.pl >> /var/log/monFlows.log 2>&1 # every monday, archive the various log files (you can instead use logrotate 0 0 1 * * /usr/local/bin/sudo mv -f /var/log/flow-expire.log /var/log/flow-expire.old 0 0 1 * * /usr/local/bin/sudo mv -f /var/log/flowd2ft-2055.log /var/log/flowd2ft-2055.old 0 0 1 * * /usr/local/bin/sudo mv -f /var/log/monFlows.log /var/log/monFlows.old EOT crontab /tmp/newcron # # set up web server # sed -i.bak -e'/UserDir: The name/ i\ Alias /webview "/usr/local/webview/www"\ \ \ Options Indexes Includes FollowSymLinks ExecCGI\ order allow,deny\ SetEnv no-gzip 1\ allow from all\ \ \ AddHandler cgi-script .cgi\ ' /etc/httpd/conf/httpd.conf service httpd restart ####### validation steps ######## # check if flowd is running ps -fC flowd # check that flows are being received ls -lR /dev/shm/ # check that flow files are being moved to the capture directory ls -lR /opt/netflow/capture/ # view iptables rule list -- make sure port 2055 is seeing traffic iptables -L INPUT -v # make sure web server is running service httpd status # once you're sure you have flow data in the capture directory, run one of the web scripts wget -O - 'http://127.0.0.1/webview/flow/adhoc.cgi?quiet=1&test=1&output=ascii' # if that looks works (you see some IP addresses in the output), run flowage once from the CLI /usr/local/webview/flowage/flowage.pl # if that looks good (you see flow files being processed and rrd files be created), then uncomment # the */5 flowage crontab entry and you're all set!