E-mail
Overview
GroundWork includes NeDi, an open source project for network discovery and monitoring.
The information on this page can be used when you want to monitor traffic using NetFlow. NetFlow is a sampling systems for network traffic and can detect problems and traffic congestion issues. You direct NetFlow producers to send to NetFlow collectors. GroundWork Monitor is a NetFlow collector. NeDi monitors and graphs the flows. The steps in this document show how to set up the collector with nfdump. The nfdump tools collect and process NetFlow data on the command line. Then setting up a policy allows you to monitor the flows. The flowi is set to run in 7.2.1 regardless and the feeder is deprecated in favor of the NeDi connector.
CONTENTS | RELATED RESOURCES |
WAS THIS PAGE HELPFUL? |
1.0 NeDi Traffic Monitoring
1.1 nfdump Package
The nfdump package has to be installed and running. You need to add the directories where nfdump files are placed to the nedi.conf. A logical NetFlow configuration is needed to accurately see the traffic you need to monitor - typically it is not possible to see traffic that traverses between hosts inside the network, only across firewalls, as this is where the NetFlow sources are set up.
You can also set up packet capture with nfdump. If you do so on spanning ports, you can then see more traffic, typically that between hosts. Note that storage requirements go up if you do this.
1.2 flowi.pl
First create your device directories. For NeDi to work well, each device needs one, and the default is here:
/usr/local/groundwork/common/var/nfdump
So for example if you wanted to get flows from a device named "router1" you would type:
su - nagios
mkdir /usr/local/groundwork/common/var/nfdump/router1
You can limit the data collected automatically:
nfexpire -s2G -u /usr/local/groundwork/common/var/nfdump/router1
That will keep up to 2GB of data in the device directory.
Run the collector:
nfcapd -e -w -D -j -l /usr/local/groundwork/common/var/nfdump/router1 -p 2055
You can run it on any port, just match the firewall rules and the config of the NetFlow device (match where it is sending flows - system and port). Demo4 uses 2055.
1.3 Policy Setup
Setting up a policy involves using Nodes-Traffic to find a filter, then showing it. That will add the little Gold Shield of policy to the page next to the filter text box. If you know tcpdump syntax, you can add to the filter or skip this step and go right to Policy, but it makes it easy. Just click the shield and the policy is added.
The Policy page has a list of the policies. These are divided into classes, and the traffic class can be matched with "sp%" in filters. You can set traffic policy thresholds with bytes or flows.
In order to trigger the policy as an event, select Events as the Alert action to take.
Also, be sure flowi is running in the crontab every few mins:
*/5 * * * * sleep 30;/usr/local/groundwork/nedi/flowi.pl > /usr/local/groundwork/common/var/log/nedi/flowi-`date +\%H`.run
If you set up the feeder, the policy alerts will show up as services under localhost.
1.4 Monitoring
To set up monitoring, you need to add devices to monitoring in NeDi. Make a device filter and click Monitor in the filter bar on the right. That will add the devices to monitoring.
Make sure moni is running too. We need to add it to supervise. You can start it with System Services (if enabled in nedi.conf)
Start it with:
/usr/local/groundwork/nedi/moni.pl -D
Note: Moni is running in 7.2.1 too, so no need to start it.