February 23, 2014

Install NFSEN (CentOS 6 & Fedora 20)

I've found myself having to do this a few times now, and it usually ends up being quite messy in the end, so here are some nice clean instructions from a real sysadmin. All credit goes to @gowmonster. I've tested this guide against Fedora 20 and CentOS 6. This guide follows CentOS 6, but the commands are more or less the same.

NFSEN is an awesome (and open source!) netflow collector supporting various versions of netflow, sflow and, recently, ipfix. It can also make the start of a DDoS mitigation system :D

Install the required packages:

yum install httpd php perl perl-TimeDate perl-Pod-Escapes perl-Pod-Simple perl-Test-Pod perl-MailTools libdbi lua mysql-server net-snmp-utils perl-rrdtool gcc make flex rrdtool-devel byacc perl-Socket6

Download the latest sources for NFSEN and NFDUMP into the same directory, e.g. /tmp. Now let's extract and install nfdump:

tar -zxvf nfdump-1.6.11.tar.gz
tar -zxvf nfsen-1.3.6p1.tar.gz

mv nfdump-1.6.11 /usr/local/src/
mv nfsen-1.3.6p1 /usr/local/src/

cd /usr/local/src/nfdump-1.6.11/
./configure --enable-nfprofile
make
make install
make clean


Now to set up and install NFSEN (this is just an example config file). The heredoc delimiter is quoted so the shell does not expand the Perl variables ($BASEDIR etc.) while writing the file:

cd ../nfsen-1.3.6p1/
cat > etc/nfsen.conf << 'EOF'
# Example Config file!
$BASEDIR = "/usr/local/nfsen";
$BINDIR="${BASEDIR}/bin";
$LIBEXECDIR="${BASEDIR}/libexec";
$CONFDIR="${BASEDIR}/etc";
$HTMLDIR = "/var/www/nfsen/";
$DOCDIR="${HTMLDIR}/doc";
$VARDIR="${BASEDIR}/var";
$PROFILESTATDIR="${BASEDIR}/profiles-stat";
$PROFILEDATADIR="${BASEDIR}/profiles-data";
$BACKEND_PLUGINDIR="${BASEDIR}/plugins";
$FRONTEND_PLUGINDIR="${HTMLDIR}/plugins";
$PREFIX = '/usr/local/bin';
$USER = "apache";
$WWWUSER = "apache";
$WWWGROUP = "apache";
$EXTENSIONS = 'all';
$SUBDIRLAYOUT = 1;
$ZIPcollected = 1;
$ZIPprofiles = 1;
$PROFILERS = 2;
$DISKLIMIT = 98;
$PROFILERS = 6;

# Exporters are defined here. Name is what will be displayed in NFSEN

%sources = (

'ASA1.m00nie.com' => { 'port' => '9992', 'col' => '#000000', 'type' => 'netflow' },
'6513.m00nie.com' => { 'port' => '9993', 'col' => '#000000', 'type' => 'netflow' },
);

$low_water = 90;
$syslog_facility = 'local3';
@plugins = (
);
%PluginConf = (
demoplugin => {
param2 => 42,
param1 => { 'key' => 'value' },
},
otherplugin => [
'mary had a little lamb'
],
);
$MAIL_FROM = 'your@from.example.net';
$SMTP_SERVER = 'localhost';
$MAIL_BODY = q{
Alert '@alert@' triggered at timeslot @timeslot@
};
1;
EOF

mkdir /var/www/nfsen/
./install.pl etc/nfsen.conf


Setup httpd:

/sbin/chkconfig httpd on

vi /etc/httpd/conf/httpd.conf
Below the line Alias /error/ "/var/www/error/" add:

Alias /nfsen/ "/var/www/nfsen/"

Save the file
service httpd start

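Now to make an init script so we can auto start NFSEN on boot etc. The heredoc delimiter is quoted so $1, $0 and $DAEMON end up in the script instead of being expanded by the current shell:

cat > /etc/init.d/nfsen <<'EOF'
#!/bin/bash
#
# chkconfig: - 50 50
# description: nfsen

DAEMON=/usr/local/nfsen/bin/nfsen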

case "$1" in
start)
$DAEMON start
;;
stop)
$DAEMON stop
;;
status)
$DAEMON status
;;
restart)
$DAEMON stop
sleep 1
$DAEMON start
;;
*)
echo "Usage: $0 {start|stop|status|restart}"
exit 1
;;
esac

exit 0
EOF


Make our init script executable, configure to start on boot and start the service now :)

chmod 755 /etc/init.d/nfsen
chkconfig nfsen on
service nfsen start

Send it some flows on the ports you configured, then browse to http://myserver/nfsen. Job done, hopefully. Just remember it may take some time to populate depending on how often your exporter sends templates.
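If nothing shows up, a quick check is whether a collector is actually listening on each port defined in %sources. The script below is an added example, not part of the original guide or of NFSEN: the function names and the NFSEN_CONF variable are hypothetical, the config path is assumed from $CONFDIR in the example config above, and it assumes the `ss` tool is installed.

```shell
#!/bin/sh
# Added example (not from the original guide): compare the exporter ports in
# nfsen.conf with the UDP sockets that are actually listening.

# Print "name port" for each %sources entry of the form
#   'name' => { 'port' => '9992', ... },
# Entries commented out with # are skipped: they do not start with a quote.
nfsen_sources() {
    sed -n "s/^[[:space:]]*'\([^']*\)'[[:space:]]*=>[[:space:]]*{.*'port'[[:space:]]*=>[[:space:]]*'\([0-9][0-9]*\)'.*/\1 \2/p" "$1"
}

# stdin: "name port" pairs; $1: the text printed by `ss -lun`.
# Print the pairs whose port has no UDP listener.
missing_listeners() {
    while read -r name port; do
        printf '%s\n' "$1" | grep -q ":$port[[:space:]]" || echo "$name $port"
    done
}

# Assumed path: $CONFDIR from the example config (override with NFSEN_CONF).
CONF=${NFSEN_CONF:-/usr/local/nfsen/etc/nfsen.conf}
if [ -r "$CONF" ] && command -v ss >/dev/null 2>&1; then
    nfsen_sources "$CONF" | missing_listeners "$(ss -lun)" |
    while read -r name port; do
        echo "no collector listening on udp/$port for $name"
    done
else
    echo "skipping live check: $CONF or ss not available"
fi
```

No output from the live check means every configured port has a listener; if flows still do not appear, look at the exporter side or at anything filtering UDP between exporter and collector.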

m00nie