############################## # # NfSen master config file # # $Id: nfsen-dist.conf 22 2007-11-20 12:27:38Z phaag $ # # Configuration of NfSen: # Set all the values to fit your NfSen setup and run the 'install.pl' # script from the nfsen distribution directory. # # The syntax must conform to Perl syntax. # ############################## # # NfSen default layout: # Any scripts, modules or profiles are installed by default under $BASEDIR. # However, you may change any of these settings to fit your requested layout. # # Required for default layout $BASEDIR = "/opt/nfsen"; # # Where to install the NfSen binaries $BINDIR="${BASEDIR}/bin"; # # Where to install the NfSen Perl modules $LIBEXECDIR="${BASEDIR}/libexec"; # # Where to install the config files $CONFDIR="/etc"; # # NfSen html pages directory: # All php scripts will be installed here. # URL: Entry point for nfsen: http:///nfsen/nfsen.php $HTMLDIR = "/srv/http/nfsen/"; # # Where to install the docs $DOCDIR="${HTMLDIR}/doc"; # # Var space for NfSen $VARDIR="/var/lib/nfsen"; # directory for all pid files $PIDDIR="/run/nfsen"; # # Filter directory $FILTERDIR="${VARDIR}/filters"; # # FORMATDIR for custom printing formats $FORMATDIR="${VARDIR}/fmt"; # # # The Profiles stat directory, where all profile information # RRD DBs and png pictures of the profile are stored $PROFILESTATDIR="${VARDIR}/profiles-stat"; # # The Profiles directory, where all netflow data is stored $PROFILEDATADIR="${VARDIR}/profiles-data"; # # Where go all the backend plugins $BACKEND_PLUGINDIR="${BASEDIR}/plugins"; # # Where go all the frontend plugins $FRONTEND_PLUGINDIR="${HTMLDIR}/plugins"; # # nfdump tools path $PREFIX = '/usr/bin'; # # nfsend communication socket $COMMSOCKET = "${PIDDIR}/nfsen.comm"; # BASEDIR unrelated vars: # # Run nfcapd as this user # This may be a different or the same uid than your web server. # Note: This user must be in group $WWWGROUP, otherwise nfcapd # is not able to write data files! $USER = "netflow"; # user and group of the web server process # All netflow processing will be done with this user $WWWUSER = "http"; $WWWGROUP = "http"; # Receive buffer size for nfcapd - see man page nfcapd(1) $BUFFLEN = 200000; # list of extensions for each collector. See argument -T # for nfcapd(1) for more detailes. # defaults to empty -> compatible to nfdump-1.5.8 # $EXTENSIONS = ''; # Example: # $EXTENSIONS = 'all'; # $EXTENSIONS = '+3,+4'; # # Directory sub hierarchy layout: # Possible layouts: # # 0 default no hierachy levels - flat layout - compatible with pre NfSen versions # 1 %Y/%m/%d year/month/day # 2 %Y/%m/%d/%H year/month/day/hour # 3 %Y/%W/%u year/week_of_year/day_of_week # 4 %Y/%W/%u/%H year/week_of_year/day_of_week/hour # 5 %Y/%j year/day-of-year # 6 %Y/%j/%H year/day-of-year/hour # 7 %Y-%m-%d year-month-day # 8 %Y-%m-%d/%H year-month-day/hour $SUBDIRLAYOUT = 1; # Compress flows while collecting 0 or 1 $ZIPcollected = 1; # Compress flows in profiles 0 or 1 $ZIPprofiles = 1; # Interrupt expire -- not yet enabled as not yet fully tested #$InterruptExpire = 0; # number of nfprofile processes to spawn during the profiling phase # depends on how busy your system is and how many CPUs you have # on very busy systems increase it to a higher value $PROFILERS = 2; # if the PROFILEDATADIR is filled up to this percentage, a warning message will be printed. # set to 0 to disable the test $DISKLIMIT = 98; # number of nfprofile processes to spawn during the profiling phase $PROFILERS = 6; # Some Perl Versions/Builds have memory leaks for unknown reason. # Therefore nfsend will increase its memory footprint over time. # In order to reset nfsend, it automatically reloads after 1 day # if PERL_HAS_MEMLEAK is set to 1 # $PERL_HAS_MEMLEAK=0; # Netflow sources # Define an ident string, port and colour per netflow source # # Required parameters: # ident identifies this netflow source. e.g. the router name, # Upstream provider name etc. # port nfcapd listens on this port for netflow data for this source # set port to '0' if you do not want a collector to be started # col colour in nfsen graphs for this source # # Optional parameters # type Collector type needed for this source. Can be 'netflow' or 'sflow'. Default is netflow # optarg Optional args to the collector at startup # # Syntax: # 'ident' => { 'port' => '', 'col' => '', 'type' => '' } # Ident strings must be 1 to 19 characters long only, containing characters [a-zA-Z0-9_]. %sources = ( #'upstream1' => { 'port' => '9995', 'col' => '#0000ff', 'type' => 'netflow' }, #'peer1' => { 'port' => '9996', 'IP' => '172.16.17.18' }, #'peer2' => { 'port' => '9996', 'IP' => '172.16.17.19' }, 'protocols' => { 'port' => '9997', 'col' => '#00ff00', 'type' => 'netflow' }, 'directions' => { 'port' => '9998', 'col' => '#ffff00', 'type' => 'netflow' } ); # # Low water mark: When expiring files, delete files until # size = $low_water % of max_size # typically 90 $low_water = 90; # # syslog facility for periodic jobs # nfsen uses level 'debug', 'info', 'warning' and 'err' # Note: nfsen is very chatty for level 'debug' and 'info' # For normal operation, you may set the logging level in syslog.conf # to warning or error unless you want to debug NfSen $syslog_facility = 'local3'; # # SYSLOG mess # Log socket type: Most *NIX such as LINUX and *BSD are fine with 'unix' # which is the default. You need to change that to 'stream' or 'inet' for # some Solaris version 8/9, AIX and others .. # You may set it to undef to prevent calling Sys::Syslog::setlogsock at all # ( works for Solaris 10 and newer Sys::Syslog module # # If not defined at all, 'unix' is assumed unless for Solaris, which defaults to 'stream' # $LogSocket = 'unix'; # # Plugins # Plugins extend NfSen for the purpose of: # Periodic data processing, alerting-condition and alerting-action # For data processing a plugin may run for any profile or for a specific profile only. # Syntax: [ 'profile list', 'module' ] # profile list: ',' separated list of profiles ( 'profilegroup/profilename' ), # or '*' for any profile, '!' for no profile # module: Perl Module name, equal to plugin name # The profile list '!' make sense for plugins, which only provide alerting functions # # The module follows the standard Perl module conventions, with at least one # function: Init(). See demoplugin.pm for a simple template. # # A file with the same name in the FRONTEND_PLUGINDIR and .php extension is automatically # recongized as frontend plugin. # # Plugins are installed under # $BACKEND_PLUGINDIR and $FRONTEND_PLUGINDIR @plugins = ( # profile # module # [ '*', 'demoplugin' ], ); %PluginConf = ( # For plugin demoplugin demoplugin => { # scalar param2 => 42, # hash param1 => { 'key' => 'value' }, }, # for plugin otherplugin otherplugin => [ # array 'mary had a little lamb' ], ); # # Alert module: email alerting: # Use this from address $MAIL_FROM = 'your@from.example.net'; # Use this SMTP server $SMTP_SERVER = 'localhost'; # Use this email body: # You may have multiple lines of text. # Var substitution: # @alert@ replaced by alert name # @timeslot@ replaced by timeslot alert triggered $MAIL_BODY = q{ Alert '@alert@' triggered at timeslot @timeslot@ }; ###################################################### # # For the NfSen simulator include the section below. # ###################################################### # # Nfsen Simulator # The simulator requires, that you have already installed # and configured NfSen. The simulation is based on already # pre-colleted data, which you may get from another live # NfSen system. # # Steps to setup the NfSen simulator: # 1. Configure the sources of the live profile with the # same names of the NfSen system, you take netflow data # for the simulation. Set the port for each netflow source # to 0 to prevent a collector to be started. # Install NfSen with this config in a seperate directory # 2. Copy the pre-collected data into the appropriate # netflow directory of the live profile. # 3. Configure the simulator using the parameters below # Enable Simulation mode => $SIMmode = 1 # Configure the time window of the pre-collected data. # tstart => Start of time window. yyyymmddhhmm # tbegin => Optional parameter. Start of simulation # profile exists already between tstart - tbegin # tend => End of time window. yyyymmddhhmm # cycletime => simulation time in seconds of a 5min slot # Setting cycletime = 0 processes the cycles as fast as # possible. Please note, if you test plugings, your # cycletime needs to be at least the time required to # process all plugins. # 4. Start nfsen: ../nfsen start # Simulation starts # # The simulator runs from tstart to tend and stops when tend # is reached. You may stop the simulation at any given time # using ./nfsen stop. To continue the simulation start NfSen # again: ./nfsen start. You may reset the simulator at any # given time using ./nfsen abort-reset. This stops the sumulation # and rolls back to tstart. All profiles/alerts are deleted, # so you may start from scratch again. # # Configure simulator parameters # # $SIMmode = 1; # %sim = ( # 'tstart' => '200707100000', # Simulation data available from July 10th 2007 00:00 # 'tbegin' => '200707110000', # Simulation begins at July 11th 2007 00:00 # 'tend' => '200707112355', # Simulation ends at July 11th 2007 23:55 # 'cycletime' => '30', # 30s per 5min slot # ); 1;