Hi guys (and girls maybe, I hope there are some ;) ),

The simulator is exactly what I needed.
As Peter advised me, I created a new nfsen installation on an Ubuntu
Server. Thanks to Toringe for his tutorial
http://www.honeynor.no/sharewiki/index.php/Nfsen
I had some difficulties but in the end I got it (YES !!!)

ubuntu Intrepid
nfdump : last snapshot
nfsen : stable 1.3
rrd : 1.2.27
apache2 and php5

My recent crash happened on 16/01/2009 from 17h00 to 20h00. I copied the
data files (nfcapd*) of these 3 hours to my new installation and
configured my nfsen.conf file as needed (attached)

When I run nfsen, it starts without any errors but nothing appears in
the graphs. Is that normal ?
I'd like to test my alert filters but the graphs of the active ones are
desperately empty. I imagine that the data aren't analyzed and the alerts
cannot fire ...
Is there something I can try ? Maybe the graphs should stay empty and I
didn't understand how it works ?

Thanks for your help

Peter Haag wrote:
> Hi cedric,
> You can put NfSen into simulation mode which allows you to sweep
> through your pre-collected data.
> This mode can also be used to test your plugins or alerting, as you
> can vary the parameters and redo
> the tests. However it is recommended to use a separate setup for the
> simulation, as rrd data
> will be wiped and rebuilt while testing. See nfsen-dist.conf file
> http://nfsen.sourceforge.net/nfsen-dist.conf
>
>     - Peter
>
> cedric.delaunay wrote:
> > Hi nfsen's users,
> > Today,  motivated by a big crash in recent days :-!  , I'm trying to
> > configure alerts events on my nfsen platform. I would like to know if
> > these alerts would have detected the anomaly.
> > Is there a way to replay the data, passing through the filter and view
> > alerts and nfsen behavior ?
> > Thanks
>

##############################
#
# NfSen master config file
#
# $Id: nfsen-dist.conf 22 2007-11-20 12:27:38Z phaag $
#
# Configuration of NfSen:
# Set all the values to fit your NfSen setup and run the 'install.pl'
# script from the nfsen distribution directory.
#
# The syntax must conform to Perl syntax.
#
##############################
#
# NfSen default layout: 
# Any scripts, modules or profiles are installed by default under $BASEDIR. 
# However, you may change any of these settings to fit your requested layout.

#
# Required for default layout
$BASEDIR = "/data/nfsen";

#
# Where to install the NfSen binaries
$BINDIR="${BASEDIR}/bin";

#
# Where to install the NfSen Perl modules
$LIBEXECDIR="${BASEDIR}/libexec";

#
# Where to install the config files
$CONFDIR="${BASEDIR}/etc";

#
# NfSen html pages directory:
# All php scripts will be installed here.
# URL: Entry point for nfsen: http://<webserver>/nfsen/nfsen.php
$HTMLDIR    = "/var/www/nfsen/";

#
# Where to install the docs
$DOCDIR="${HTMLDIR}/doc";

#
# Var space for NfSen
$VARDIR="${BASEDIR}/var";

#
# directory for all pid files
# $PIDDIR="$VARDIR/run";

#
# The Profiles stat directory, where all profile information
# RRD DBs and png pictures of the profile are stored
$PROFILESTATDIR="${BASEDIR}/profiles-stat";

#
# The Profiles directory, where all netflow data is stored
$PROFILEDATADIR="${BASEDIR}/profiles-data";

#
# Where go all the backend plugins
$BACKEND_PLUGINDIR="${BASEDIR}/plugins";

#
# Where go all the frontend plugins
$FRONTEND_PLUGINDIR="${HTMLDIR}/plugins";

#
# nfdump tools path
$PREFIX  = '/usr/local/bin';

#
# nfsend communication socket
# $COMMSOCKET = "$PIDDIR/nfsen.comm";

# BASEDIR unrelated vars:
#
# Run nfcapd as this user
# This may be a different or the same uid than your web server.
# Note: This user must be in group $WWWGROUP, otherwise nfcapd
#       is not able to write data files!
$USER    = "www-data";

# user and group of the web server process
# All netflow processing will be done with this user
$WWWUSER  = "www-data";
$WWWGROUP = "www-data";

# Receive buffer size for nfcapd - see man page nfcapd(1)
$BUFFLEN = 200000;

#
# Directory sub hierarchy layout:
# Possible layouts:
#
# 0 default     no hierarchy levels - flat layout - compatible with pre NfSen versions
# 1 %Y/%m/%d    year/month/day
# 2 %Y/%m/%d/%H year/month/day/hour
# 3 %Y/%W/%u    year/week_of_year/day_of_week
# 4 %Y/%W/%u/%H year/week_of_year/day_of_week/hour
# 5 %Y/%j       year/day-of-year
# 6 %Y/%j/%H    year/day-of-year/hour
# 7 %Y-%m-%d    year-month-day
# 8 %Y-%m-%d/%H year-month-day/hour
$SUBDIRLAYOUT = 1;

# Compress flows while collecting 0 or 1
$ZIPcollected    = 0;

# Compress flows in profiles 0 or 1
$ZIPprofiles     = 0;

# if the PROFILEDATADIR is filled up to this percentage, a warning message will be printed.
# set to 0 to disable the test
$DISKLIMIT = 98;

# Netflow sources
# Define an ident string, port and colour per netflow source
#
# Required parameters:
#    ident   identifies this netflow source. e.g. the router name, 
#            Upstream provider name etc.
#    port    nfcapd listens on this port for netflow data for this source
#            set port to '0' if you do not want a collector to be started
#    col     colour in nfsen graphs for this source
#
# Optional parameters
#    type    Collector type needed for this source. Can be 'netflow' or 'sflow'. Default is netflow
#    optarg  Optional args to the collector at startup
#
# Syntax: 
#         'ident' => { 'port' => '<portnum>', 'col' => '<colour>', 'type' => '<type>' }
# Ident strings must be 1 to 19 characters long only, containing characters [a-zA-Z0-9_].

%sources = (
    'cs7204'    => { 'port'    => '0', 'col' => '#0000ff', 'type' => 'netflow' },
    'cs6513'    => { 'port'    => '0', 'col' => '#ff0000' },
);

#
# Low water mark: When expiring files, delete files until
# size = $low_water % of max_size
# typically 90 
$low_water = 90;

#
# syslog facility for periodic jobs
# nfsen uses level 'debug', 'info', 'warning' and 'err'
# Note: nfsen is very chatty for level 'debug' and 'info'
# For normal operation, you may set the logging level in syslog.conf
# to warning or error unless you want to debug NfSen
$syslog_facility = 'local3';

#
# SYSLOG mess 
# Log socket type: Most *NIX such as LINUX and *BSD are fine with 'unix'
# which is the default. You need to change that to 'stream' or 'inet' for 
# some Solaris version 8/9, AIX and others ..
# You may set it to undef to prevent calling Sys::Syslog::setlogsock at all
# ( works for Solaris 10 and newer Sys::Syslog module
#
# If not defined at all, 'unix' is assumed unless for Solaris, which defaults to 'stream'
# $LogSocket = 'unix';

#
# Plugins
# Plugins extend NfSen for the purpose of: 
# Periodic data processing, alerting-condition and alerting-action
# For data processing a plugin may run for any profile or for a specific profile only.
#     Syntax: [ 'profile list', 'module' ]
#            profile list:  ',' separated list of profiles ( 'profilegroup/profilename' ), 
#                           or '*' for any profile, '!' for no profile
#            module:        Perl Module name, equal to plugin name 
# The profile list '!' makes sense for plugins which only provide alerting functions
#
# The module follows the standard Perl module conventions, with at least one
# function: Init(). See demoplugin.pm for a simple template.
#
# A file with the same name in the FRONTEND_PLUGINDIR and .php extension is automatically
# recognized as frontend plugin.
#
# Plugins are installed under 
# $BACKEND_PLUGINDIR and $FRONTEND_PLUGINDIR

@plugins = (
    # profile    # module
    # [ '*',     'demoplugin' ],
);

%PluginConf = (
        # For plugin demoplugin
        demoplugin => {
                # scalar
                param2 => 42,
                # hash
                param1 => { 'key' => 'value' },
        },
        # for plugin otherplugin
        otherplugin => [ 
                # array
                'mary had a little lamb' 
        ],
);

#
# Alert module: email alerting:
# Use this from address 
$MAIL_FROM   = '[email protected]';

# Use this SMTP server
$SMTP_SERVER = 'localhost';

# Use this email body:
# You may have multiple lines of text.
# Var substitution:
# @alert@               replaced by alert name
# @timeslot@    replaced by timeslot alert triggered
$MAIL_BODY       = q{ 
Alert '@alert@' triggered at timeslot @timeslot@
};

######################################################
#
# For the NfSen simulator include the section below.
#
######################################################
#
# Nfsen Simulator
# The simulator requires, that you have already installed
# and configured NfSen. The simulation is based on already
# pre-collected data, which you may get from another live 
# NfSen system.
# 
# Steps to setup the NfSen simulator:
# 1. Configure the sources of the live profile with the 
#    same names of the NfSen system, you take netflow data
#    for the simulation. Set the port for each netflow source
#    to 0 to prevent a collector to be started.
#    Install NfSen with this config in a separate directory
# 2. Copy the pre-collected data into the appropriate 
#    netflow directory of the live profile.
# 3. Configure the simulator using the parameters below
#    Enable Simulation mode => $SIMmode = 1
#    Configure the time window of the pre-collected data.
#      tstart    => Start of time window. yyyymmddhhmm
#      tbegin    => Optional parameter. Start of simulation 
#                   profile exists already between tstart - tbegin
#      tend      => End of time window. yyyymmddhhmm
#      cycletime => simulation time in seconds of a 5min slot
#    Setting cycletime = 0 processes the cycles as fast as
#    possible. Please note, if you test plugins, your 
#    cycletime needs to be at least the time required to 
#    process all plugins.
# 4. Start nfsen: ../nfsen start
#    Simulation starts
#
# The simulator runs from tstart to tend and stops when tend
# is reached. You may stop the simulation at any given time
# using ./nfsen stop. To continue the simulation start NfSen
# again: ./nfsen start. You may reset the simulator at any
# given time using ./nfsen abort-reset. This stops the simulation
# and rolls back to tstart. All profiles/alerts are deleted,
# so you may start from scratch again.
#
# Configure simulator parameters
#
 $SIMmode = 1;
 %sim = (
    'tstart'     => '200901161700',     # Simulation data available from July 10th 2007 00:00
    'tbegin'     => '200901161715',     # Simulation begins at July 11th 2007 00:00
    'tend'       => '200901161905',     # Simulation ends at July 11th 2007 23:55
    'cycletime'  => '30',               # 30s per 5min slot
 );

1;
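
Added example, not part of the original message or of NfSen: a Python check that every 5-minute slot between tstart and tend has a non-empty nfcapd file for each source, using the $SUBDIRLAYOUT table from the config above. It assumes the data files live under <PROFILEDATADIR>/live/<ident>/<subdir>/nfcapd.<yyyymmddhhmm>; the function names are hypothetical.

```python
from datetime import datetime, timedelta
from pathlib import Path

# strftime patterns for $SUBDIRLAYOUT, copied from the comment table in nfsen.conf
SUBDIR_LAYOUTS = {
    0: "", 1: "%Y/%m/%d", 2: "%Y/%m/%d/%H", 3: "%Y/%W/%u", 4: "%Y/%W/%u/%H",
    5: "%Y/%j", 6: "%Y/%j/%H", 7: "%Y-%m-%d", 8: "%Y-%m-%d/%H",
}
STAMP = "%Y%m%d%H%M"  # yyyymmddhhmm, as used by tstart/tend and nfcapd file names


def expected_slots(tstart, tend):
    """Return every 5-minute slot stamp from tstart to tend, inclusive."""
    start = datetime.strptime(tstart, STAMP)
    end = datetime.strptime(tend, STAMP)
    if start.minute % 5 or end.minute % 5:
        raise ValueError("tstart and tend must fall on 5-minute boundaries")
    if end < start:
        raise ValueError("tend is earlier than tstart")
    slots = []
    while start <= end:
        slots.append(start.strftime(STAMP))
        start += timedelta(minutes=5)
    return slots


def missing_files(profiledatadir, sources, layout, tstart, tend):
    """Map each source ident to the slots with no non-empty nfcapd file."""
    report = {}
    for ident in sources:
        # Assumed location of the live profile data for this source.
        base = Path(profiledatadir) / "live" / ident
        missing = []
        for stamp in expected_slots(tstart, tend):
            slot = datetime.strptime(stamp, STAMP)
            path = base / slot.strftime(SUBDIR_LAYOUTS[layout]) / f"nfcapd.{stamp}"
            if not (path.is_file() and path.stat().st_size > 0):
                missing.append(stamp)
        report[ident] = missing
    return report


if __name__ == "__main__":
    # Values taken from the nfsen.conf above.
    result = missing_files("/data/nfsen/profiles-data", ["cs7204", "cs6513"],
                           1, "200901161700", "200901161905")
    for ident, gaps in result.items():
        print(f"{ident}: {len(gaps)} slot(s) without data", gaps[:5])
```
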


_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss