# 2013-04-10 # # This has been tested on ubuntu 12.04.2 LTS # It should work well on most ubuntu or debian releases # # Note: even though this install script looks like it could do a full install in one # swoop, there is no error checking! You should be running these commands one-at-a-time # or in small batches. ####### installation ######## # # If you haven't already, gunzip and untar the distribution and change into its root directory # cd ~ gunzip -c wvnetflow-1.07.tar.gz | tar -xf - cd ~/wvnetflow-1.07 # # Install prerequisite modules with apt-get # apt-get update apt-get --assume-yes install apache2 rrdtool libnet-snmp-perl libnet-patricia-perl libnet-dns-perl libspreadsheet-writeexcel-perl libcflow-perl librrds-perl libgd-gd2-perl build-essential byacc libtool automake apt-get --assume-yes install zlib1g-dev apt-get --assume-yes install zlib-devel # (one of the zlib lines will fail, depending on which ubuntu version you have) # # Install the flowd collector. # Webview uses a fork of the flowd source with improvements for logging and sequence number handling # (see http://code.google.com/r/cweinhold-flowd-sequence for more information). # cd ~/wvnetflow-1.07 wget http://iweb.dl.sourceforge.net/project/wvnetflow/flowd-sequence/cweinhold-flowd-sequence.tar.gz gunzip -c cweinhold-flowd-sequence.tar.gz | tar -xf - cd cweinhold-flowd-sequence ./configure make install mkdir -p /var/empty/dev groupadd _flowd useradd -g _flowd -c "flowd privsep" -d /var/empty _flowd # # Install flow-tools and Cflow.pm. # This requires building from the flow-tools fork at https://code.google.com/p/flow-tools/. # (the relative directory structure for the next few steps is very important!) # cd ~/wvnetflow-1.07 wget https://flow-tools.googlecode.com/files/flow-tools- bzcat flow-tools- | tar -xf - cd flow-tools- patch -p1 <../optional-accessories/flow-tools-patches/patch.flow-tools.scan-and-hash ./configure make make install # # Set up rsyslogd -- first, add socket listener for flowd chroot log file: # sed -i.bak -e '/GLOBAL DIRECTIVES/i $AddUnixListenSocket /var/empty/dev/log\n' /etc/rsyslog.conf # # Set up rsyslogd -- second, add a /etc/rsyslog.d conf file sending flowd data to /var/log/flowd # cat </etc/rsyslog.d/40-flowd.conf # set file permissions \$umask 0000 \$FileCreateMode 0644 # log daemon traffic from flowd to its own file :programname, isequal, "flowd" /var/log/flowd :programname, isequal, "flowd" ~ EOT # # Set up rsyslogd -- lastly, restart the service # service rsyslog restart # # create directories and install files # cd ~/wvnetflow-1.07 mkdir -p /opt/netflow/tmp /opt/netflow/data /opt/netflow/cache /opt/netflow/capture /usr/local/webview cp -Rp flowage www utils /usr/local/webview cp etc/webview.conf /etc chmod 777 /usr/local/webview/www/flow/graphs # # set up flowd init script # cd ~/wvnetflow-1.07 cp etc/flowd-2055.conf /usr/local/etc/ cp etc/init.d/flowd-ubuntu /etc/init.d/flowd chmod 755 /etc/init.d/flowd ln -s /etc/init.d/flowd /etc/init.d/flowd-2055 update-rc.d flowd-2055 defaults service flowd-2055 start # (Note that multiple flowd init scripts and config files can coexist. The # "-number" is the port number of the listener. It's good form to use a different # listener port for each type of collection -- e.g., MPLS WAN routers might use # port 2055, while outside internet routers could use 2056 and data center # switches could use 2057). # # modify crontab # crontab -l > /tmp/newcron cat <>/tmp/newcron # every hour, keep the capture directory within bounds. This script logs to /var/log/flow-expire.log 0 * * * * /usr/local/webview/utils/flow-expire-perl -E 10G -e 9000 -w /opt/netflow/capture/2055 # every 5 minutes, run flowd2ft to convert flowd capture into flow-tools format in the capture directory */5 * * * * /usr/local/webview/utils/flowd2ft 2055 >> /var/log/flowd2ft-2055.log 2>&1 # run flowage.pl every five minutes # DISABLED RIGHT NOW; ENABLE LATER #*/5 * * * * perl /usr/local/webview/flowage/flowage.pl > /tmp/flowage.stdout 2> /tmp/flowage.stderr # expire exporter summary files after two weeks 0 0 * * * find /opt/netflow/capture -name 'summary-*' -mtime +14 -exec rm -f {} \; # expire unused RRD files after 30 days 0 2 * * * find /opt/netflow/capture -name '*.rrd' -mtime +30 -exec rm -f {} \; 15 2 * * * find /opt/netflow/capture -depth -type d -empty -exec rmdir {} \; # every 15 minutes, run monFlows.pl to check on the health of the flowage processes # DISABLED RIGHT NOW; ENABLE LATER #*/15 * * * * /usr/local/webview/flowage/monitor/monFlows.pl >> /var/log/monFlows.log 2>&1 # every monday, archive the various log files (you can instead use logrotate 0 0 1 * * /usr/local/bin/sudo mv -f /var/log/flow-expire.log /var/log/flow-expire.old 0 0 1 * * /usr/local/bin/sudo mv -f /var/log/flowd2ft-2055.log /var/log/flowd2ft-2055.old 0 0 1 * * /usr/local/bin/sudo mv -f /var/log/monFlows.log /var/log/monFlows.old EOT crontab /tmp/newcron # # set up web server # sed -i.bak -e'/<\/VirtualHost>/ i\ Alias /webview "/usr/local/webview/www"\ \ \ Options Indexes Includes FollowSymLinks ExecCGI\ order allow,deny\ SetEnv no-gzip 1\ allow from all\ \ \ AddHandler cgi-script .cgi\ ' /etc/apache2/sites-available/default service apache2 restart ####### validation steps ######## # check if flowd is running ps -fC flowd # check that flows are being received ls -lR /dev/shm/ # check that flow files are being moved to the capture directory ls -lR /opt/netflow/capture/ # make sure web server is running service apache2 status # once you're sure you have flow data in the capture directory, run one of the web scripts wget -O - '' # if that looks works (you see some IP addresses in the output), run flowage once from the CLI /usr/local/webview/flowage/flowage.pl # if that looks good (you see flow files being processed and rrd files be created), then uncomment # the */5 flowage crontab entry and you're all set!