Re: [Nfsen-discuss] Trouble creating profiles
On 03/07/2014 04:27 AM, kiko wrote:

Hi Peter,

I had the same issue.

Finally, I got access to a box with the same problem. I will report back as soon as I have more information.

- Peter

And I notice something different with your example. In http://nfsen.sourceforge.net/#mozTocId765906, in the Fig. "Progress of building the profile", I saw the figure showed progress 34.3%, but when I create the new profile I didn't see it. The live profile works fine.

Sorry for my poor English.

Best regards,
kiko

Hmm .. strange. When building history profiles, you should see regular entries in the log. History data is profiled using nfdump. If it's still an issue contact me off list.

- Peter

On 22/10/13 09:11, Borja Marcos wrote:

Hello,

I am having problems to create a profile that starts in the past. When it creates the profile, I see this in the logfile:

Oct 22 09:09:09 splunk nfsen[2031]: comm child[5668] terminated Exit: 255, Signal: 0, Core: 0

and when the profile is finally created I have just empty graphs. Once created, nfsen has no problem to add data, the profile works perfectly, but there's no data before the start of the profile.

Any ideas? I remember this used to work long ago. I am running nfsen with nginx and php-fpm as a fast-cgi. Any pointers?

Thanks!

___
Nfsen-discuss mailing list
Nfsen-discuss@...
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss

--
Be nice to your netflow data. Use NfSen and nfdump :)
[Nfsen-discuss] Shadow Profiles not getting updated
Dear nfsen users,

I am currently setting up our first nfsen installation on debian wheezy. The live profile is working fine, I am receiving netflow data from our routers (c6500/SUP720 and ASR9k) and graphs are filling up / processing and filtering works.

What does not work is an additional profile. I have created a shadow profile (individual channels, shadow profile) and added some channels with filters (IN IF xx / OUT IF xx). The filters themselves seem to work fine, as I can use them to process the netflow data in details page. But graphs and statistics stay empty.

I have also just deleted the profile and recreated it with the start date of our live profile data. Now, graphs are created and filled with correct historic data, but they never get updated. (See attachment)

Any hints are really appreciated!

Kind regards
Chris

P.S. I am already running nfsen-1.3.6p1, a self compiled nfdump-1.6.11 (nfprofile enabled) and rrdtool-1.4.8.

--
Kind regards
Christian Kildau
Network Services
Plus.line AG
Mainzer Landstr. 199
60326 Frankfurt am Main
Internet - Hosting - MPLS VPN
Tel.: +49 (0)69 758915-105
Fax: +49 (0)69 758915-33
Mail: ckil...@plusline.net
WWW: http://www.plusline.net
Commercial register: HRB 53629 Frankfurt am Main
Executive board: Richard Gresek
Chairman of the supervisory board: Horst E. Eckhard

attachment: Screen Shot 2014-03-26 at 9.02.17 AM.png
Re: [Nfsen-discuss] Defining alert if exceeds x number of flows
Hello Chris,

I did what you suggested, but the alert never triggers. I put a low value of 10. I see some dstIP with higher than 10 flows, but it doesn’t work.

Any idea?

Pat

From: Patrick Lessard [mailto:patrick.less...@cogeco.com]
Sent: 25 March 2014 16:02
To: Chris Roose
Cc: nfsen-discuss@lists.sourceforge.net
Subject: Re: [Nfsen-discuss] Defining alert if exceeds x number of flows

Ok I just did that and set the threshold very low to trigger some alerts. I will let it run and let you know.

Thank you.
Patrick.

From: Chris Roose [mailto:ch...@transientaudio.net]
Sent: 25 March 2014 15:31
To: Patrick Lessard
Cc: nfsen-discuss@lists.sourceforge.net
Subject: Re: [Nfsen-discuss] Defining alert if exceeds x number of flows

Oh, sorry -- maybe I read too fast.

1) Click on Alerts tab
2) Click plus sign to add an alert
3) Enter Name, check enabled Status, and select Filter
4) Select radio button next to Conditions based on individual Top 1 statistics:
5) Use drop-downs to construct filter: Flows of Top 1 DST IP Address 5000
6) Configure Trigger and Action fields for your email preferences

Best,
Chris

On 3/25/2014 3:24 PM, Patrick Lessard wrote:

That’s basically my question! ☺ How can I do it in nfsen? I have no experience and not sure how to do it. Any help would be appreciated.

Thank you.
Pat.

From: Chris Roose [mailto:ch...@transientaudio.net]
Sent: 25 March 2014 15:20
To: Patrick Lessard
Cc: nfsen-discuss@lists.sourceforge.net
Subject: Re: [Nfsen-discuss] Defining alert if exceeds x number of flows

Pat,

Have you tried doing this in NfSen? It's pretty easy to set an email alert for this condition using the GUI.

Thanks,
Chris

On 3/25/2014 2:43 PM, Patrick Lessard wrote:

Hello all,

I’m testing nfsen along with nfdump and it works fine. Now I would like to get an alert when a certain amount of flows pointing to the same destination IP address is exceeded.

I tried:

/usr/local/nfdump/bin/nfdump -M /usr/local/nfsen-1.3.6p1/profiles-data/live/RouterA -T -R 2014/03/25/nfcapd.20140325:2014/03/25/nfcapd.201403250040 -n 5 -s dstip/flows

Top 5 Dst IP Addr ordered by flows:
Date first seen          Duration  Proto  Dst IP Addr  Flows(%)      Packets(%)    Bytes(%)       pps  bps   bpp
2014-03-25 00:01:40.684  2583.240  any    a.b.c.d1     16640( 7.1)   16706( 3.1)   1.0 M( 1.7)    6    3104  60
2014-03-25 00:02:35.664  2528.104  any    a.b.c.d2     11183( 4.8)   15210( 2.8)   905478( 1.5)   6    2865  59
2014-03-25 00:01:40.664  2581.600  any    a.b.c.d3     7532( 3.2)    10521( 2.0)   624571( 1.1)   4    1935  59
2014-03-25 00:01:40.664  2583.212  any    a.b.c.d4     5325( 2.3)    7153( 1.3)    364414( 0.6)   2    1128  50
2014-03-25 00:02:36.056  2527.592  any    a.b.c.d5     3372( 1.4)    3384( 0.6)    210376( 0.4)   1    665   62

Summary: total flows: 235183, total bytes: 58.5 M, total packets: 536871, avg bps: 120690, avg pps: 138, avg bpp: 108
Time window: 2014-03-24 23:40:20 - 2014-03-25 00:44:57
Total flows processed:
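The threshold check discussed in this thread (flows of the top destination IP above a limit, 5000 in Chris's steps), applied to the text report that nfdump -s dstip/flows prints. This is an added example, not part of the original thread or of NfSen; the sample report is constructed with documentation addresses, and the decimal K/M/G scaling of large counts is an assumption.

```python
import re

# One data row of the "Top N Dst IP Addr ordered by flows" report:
# date, time, duration, protocol, address, then Flows(%).
# Large counts may be printed scaled, e.g. "1.0 M".
ROW = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<duration>\d+\.\d+)\s+(?P<proto>\S+)\s+(?P<addr>\S+)\s+"
    r"(?P<flows>\d+(?:\.\d+)?(?: [KMG])?)\(\s*(?P<pct>\d+\.\d+)\)"
)
SCALE = {"K": 10**3, "M": 10**6, "G": 10**9}  # assumed decimal scaling

# Constructed sample report (addresses from the 192.0.2.0/24 documentation range).
SAMPLE = """\
Top 5 Dst IP Addr ordered by flows:
Date first seen          Duration Proto      Dst IP Addr    Flows(%)     Packets(%)       Bytes(%)   pps   bps   bpp
2014-03-25 00:01:40.684  2583.240 any        192.0.2.10    16640( 7.1)    16706( 3.1)    1.0 M( 1.7)     6  3104    60
2014-03-25 00:02:35.664  2528.104 any        192.0.2.20    11183( 4.8)    15210( 2.8)   905478( 1.5)     6  2865    59
2014-03-25 00:02:36.056  2527.592 any        192.0.2.30     3372( 1.4)     3384( 0.6)   210376( 0.4)     1   665    62
2014-03-25 00:03:00.000  2500.000 any        192.0.2.40    1.2 M(83.6)    1.3 M(90.1)   80.1 M(95.0)   520 256000   61

Summary: total flows: 235183, total bytes: 58.5 M, total packets: 536871
"""

def parse_count(text):
    """Convert '16640' or '1.0 M' to an integer; scaled values are approximate."""
    value, _, suffix = text.partition(" ")
    return int(round(float(value) * SCALE.get(suffix, 1)))

def top_talkers(report, threshold):
    """Return [(dst_ip, flows)] for every row whose flow count exceeds threshold."""
    hits = []
    for line in report.splitlines():
        m = ROW.match(line.strip())
        if m is None:
            continue  # title, column header, summary and blank lines
        flows = parse_count(m.group("flows"))
        if flows > threshold:
            hits.append((m.group("addr"), flows))
    return hits

if __name__ == "__main__":
    for addr, flows in top_talkers(SAMPLE, 5000):
        print(f"ALERT dst {addr}: {flows} flows")
```
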
Re: [Nfsen-discuss] Defining alert if exceeds x number of flows
Ok it’s working now, I had to change the default filter from “not any” to “proto udp”.

Now I’m getting this error when it tries to send an email:

Mar 26 11:25:00 netflow01 nfcapd[22729]: Ident: 'RouterA' Flows: 12355, Packets: 70331, Bytes: 5203913, Sequence Errors: 0, Bad Packets: 0
Mar 26 11:25:00 netflow01 nfcapd[22729]: Total ignored packets: 0
Mar 26 11:25:15 netflow01 nfsen[22731]: 1 channels/alerts to profile
Mar 26 11:25:15 netflow01 nfprofile[24558]: Process line '.#~Test#8#Test#RouterA#012'
Mar 26 11:25:15 netflow01 nfprofile[24558]: Setup channel 'Test' in profile '~Test' group '.', channellist 'DR6509'
Mar 26 11:25:15 netflow01 nfsen[22731]: Update profile live in group .
Mar 26 11:25:15 netflow01 nfsen[22731]: Error reading channel stat information. Missing key 'first'
Mar 26 11:25:15 netflow01 nfsen[22731]: Process alert 'Test'
Mar 26 11:25:15 netflow01 nfsen[22731]: condition 0: evaluated to True
Mar 26 11:25:15 netflow01 nfsen[22731]: Alert 'Test' execute action
Mar 26 11:25:15 netflow01 nfsen[22731]: alert 'Test' : Failed to send alert email to: removed@domain.com
Mar 26 11:25:15 netflow01 nfsen[22731]: Run expire at Wed Mar 26 11:25:00 2014
Mar 26 11:25:15 netflow01 nfsen[22731]: End expire at Wed Mar 26 11:25:00 2014

Thx for the help!
Pat.

From: Patrick Lessard
Sent: 26 March 2014 08:06
To: Patrick Lessard; Chris Roose
Cc: nfsen-discuss@lists.sourceforge.net
Subject: RE: [Nfsen-discuss] Defining alert if exceeds x number of flows

Hello Chris,

I did what you suggested, but the alert never triggers. I put a low value of 10. I see some dstIP with higher than 10 flows, but it doesn’t work.

Any idea?

Pat
Re: [Nfsen-discuss] nfsen FHS'd on Debian Jessie
The problem is, software with compile time options is completely unsuitable for that packaging. For nfsen to work, that package must be built with nfprofile. To prevent trouble (and because I run several different instances on the same server and I use nginx with php-fpm instead of using Apache with a PHP module) I always prefer to build from source. It's really straightforward, even on FreeBSD.

Yes, that's how I have been doing it; what I was hoping for is to avoid some repetitive tasks (unpacking, configuring, customizing...) as well as placing things on FHS directories. But unless there are some further suggestions, I'll have to stick with the classic way. The tool is great and if it takes a little bit of work to install it each time, so be it.

There's an option for custom nfcapd parameters, a parameter called optarg.

I must have been blind when I looked at it... Thanks for the hint, that's exactly what I needed.

--
Alfredo Sola
http://www.tecnocratica.net/
[Nfsen-discuss] NfSen not profiling history
Hi all,

Find appended a patch, which fixes the problem for not profiling the history data correctly. The bug is triggered, when setting ZIPprofile to 1 in nfsen.conf.

A new NfSen release, which fixes some more issues, especially Perl compatibility, will be released soon.

Thanks Wim for your support!

Cheers
- Peter

--
Be nice to your netflow data. Use NfSen and nfdump :)

--- NfProfile.pm.orig 2014-03-26 21:18:17.0 +0100 +++ NfProfile.pm2014-03-26 21:19:27.0 +0100 @@ -915,7 +915,8 @@ my $profilepath = ProfilePath($name, $group); my $subdirlayout = $NfConf::SUBDIRLAYOUT ? -S $NfConf::SUBDIRLAYOUT : ; - my $arg = -I -p $NfConf::PROFILEDATADIR -P $NfConf::PROFILESTATDIR $subdirlayout $NfConf::ZIPprofiles; + my $arg = -I -p $NfConf::PROFILEDATADIR -P $NfConf::PROFILESTATDIR $subdirlayout ; + $arg .= -z if $NfConf::ZIPprofiles; # create argument list specific for each channel # at the moment this contains of all channels in a continues profile @@ -1369,7 +1370,8 @@ } my $channellist = join ':', keys %{$liveprofile{'channel'}}; my $subdirlayout = $NfConf::SUBDIRLAYOUT ? -S $NfConf::SUBDIRLAYOUT : ; - my $arg = -I -p $NfConf::PROFILEDATADIR -P $NfConf::PROFILESTATDIR $subdirlayout $NfConf::ZIPprofiles; + my $arg = -I -p $NfConf::PROFILEDATADIR -P $NfConf::PROFILESTATDIR $subdirlayout ; + $arg .= -z if $NfConf::ZIPprofiles; # profile missing slots if ( $t = $tend ) {
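Review bot: in the @@ -915 hunk the added line "$arg .= -z if $NfConf::ZIPprofiles;" has no comment explaining why the flag is appended conditionally. The removed line put the value of $NfConf::ZIPprofiles straight into the argument string, and the message above ties the bug to that setting being 1, so a one-line comment that the setting is a boolean mapped to -z would keep the interpolation from being reintroduced later. As the lines appear here, the appended -z also relies on the blank left after $subdirlayout to separate it from the previous argument; carrying the separator in the appended string itself would make that independent of how the preceding line ends.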
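Review bot: the @@ -1369 hunk repeats the same two replacement lines as the @@ -915 hunk, so the $arg string is now assembled identically in two places that have to be kept in step by hand. Suggest moving the construction ($NfConf::PROFILEDATADIR, $NfConf::PROFILESTATDIR, $subdirlayout and the conditional -z) into one small helper called from both sites, so a future change to the ZIPprofiles handling cannot be applied to one and missed in the other.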