Installation instructions for NetFlow Auditor and supported Operating Systems

Config: Linux Config and Tuning Checklist

Configuring a New Linux OS

Please prepare a Red Hat / CentOS operating system with a minimal install on a decently specced machine.

NetFlow Auditor installs by default in the "/" partition under "/digitoll". To make installation simpler, please allocate sufficient space to "/".

The default partitioning created by the Linux installer gives a small "/" and a large "/home". If you don't change the partition sizes, you can copy the database to another partition after the NetFlow Auditor installation and simply change the datadir in /etc/my.cnf. More on this below.

Disable SELinux

To confirm SELinux is disabled, run: "selinuxenabled && echo enabled || echo disabled"

If SELinux is enabled, edit "/etc/selinux/config" and set the parameter "SELINUX=disabled".
After saving, reboot the server for the SELinux change to take effect.

For environments that require SELinux, enable SELinux and restart the server. Then use semanage to allow ports 3306, 30000 and 30001 and to allow access to /digitoll and its subdirectories, plus any additional paths where the database resides on partitions outside the standard installation.
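The following script is an added example for the SELinux step; it is not part of NetFlow Auditor or its documentation. It reads the SELinux mode from a config-style file, looks ports up in saved "semanage port -l" output so you can confirm 3306, 30000 and 30001 carry a label, and prints (without running) the fcontext commands for a MySQL data directory placed outside the default location. mysqld_db_t and mysqld_port_t are the standard SELinux types for MySQL; the port type for 30000/30001 and the protocol they use are not stated on this page, so they are left as a placeholder and a caller-supplied argument. All file paths are passed in, and the demo runs on constructed samples.

```shell
#!/bin/sh
# Added example (not NetFlow Auditor's own code or documentation): helper checks
# for the SELinux step. All file paths are passed in, so it can run against
# copies of /etc/selinux/config and saved "semanage port -l" output.

# Print the SELINUX= mode (enforcing/permissive/disabled) from a config-style FILE,
# ignoring comment lines; prints "unknown" when the key is absent.
selinux_config_mode() {
    awk -F= '/^[[:space:]]*#/ { next }
             $1 ~ /^[[:space:]]*SELINUX[[:space:]]*$/ { v = $2; gsub(/[[:space:]]/, "", v); mode = v }
             END { print (mode == "" ? "unknown" : tolower(mode)) }' "$1"
}

# Print the SELinux port type covering PORT/PROTO in a FILE holding
# "semanage port -l" style output (type, proto, comma-separated ports and ranges).
# Prints nothing when the port carries no label.
port_label_for() {
    awk -v p="$1" -v pr="$2" '
        $1 == "SELinux" { next }                     # header line
        $2 != pr { next }
        {
            for (i = 3; i <= NF; i++) {
                r = $i; sub(/,$/, "", r)
                if (split(r, b, "-") == 2) { lo = b[1]; hi = b[2] } else { lo = r; hi = r }
                if (p + 0 >= lo + 0 && p + 0 <= hi + 0) { print $1; exit }
            }
        }' "$3"
}

# Check each PROTO:PORT argument against FILE; return 0 only when all are labelled.
# The page lists 3306, 30000 and 30001 but not which protocol 30000/30001 use,
# so the caller supplies it (the demo below assumes tcp).
check_nfa_ports() {
    file=$1; shift; rc=0
    for spec in "$@"; do
        proto=${spec%%:*}; port=${spec#*:}
        t=$(port_label_for "$port" "$proto" "$file")
        if [ -n "$t" ]; then
            echo "OK        $proto/$port -> $t"
        else
            # <port-type> is a placeholder: the page does not name the type for these ports
            echo "UNLABELED $proto/$port (label it with: semanage port -a -t <port-type> -p $proto $port)"
            rc=1
        fi
    done
    return $rc
}

# Print (do not run) the commands that label a MySQL data directory placed
# outside the default location; mysqld_db_t is the standard type for MySQL data.
datadir_label_commands() {
    for d in "$@"; do
        echo "semanage fcontext -a -t mysqld_db_t \"$d(/.*)?\""
        echo "restorecon -Rv \"$d\""
    done
}

# Demo on constructed samples (not captured from a real host): NFA_DEMO=1 sh this.sh
demo() {
    cfg=$(mktemp); ports=$(mktemp)
    printf '# constructed sample\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$cfg"
    printf 'SELinux Port Type   Proto   Port Number\nmysqld_port_t   tcp   1186, 3306, 63132-63164\n' > "$ports"
    echo "mode: $(selinux_config_mode "$cfg")"
    check_nfa_ports "$ports" tcp:3306 tcp:30000 tcp:30001 || echo "some ports still need labels"
    datadir_label_commands /data/mysql   # hypothetical datadir path
    rm -f "$cfg" "$ports"
}
if [ "${NFA_DEMO:-0}" = 1 ]; then demo; fi
```

Run it against the real files as root with `semanage port -l > /tmp/ports.txt` first; the commands it prints are meant to be reviewed before being executed, and `restorecon` must be run after the fcontext rule is added or the existing files keep their old labels.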

Apply operating system patches and install the telnet client

yum install perl-ExtUtils-Embed
yum install telnet

Install testing tools

yum install tcpdump
yum install net-snmp-utils

Install NetFlow Auditor

Download latest version

Download NetFlow Auditor and register to receive a license key.

Copy it to an empty directory, e.g. /home/nfasupport/9.9.9, and unarchive it:

tar xf NetFlowAuditor-v9.9.9.tar
./install.sh

At this point NetFlow Auditor is installed and will have started running automatically.

Follow the instructions of the Setup. After installation, follow the Getting Started instructions and install the license key.

We highly recommend you also make the changes suggested below, as they will increase the speed of your analytics and ensure your hardware is used to its fullest potential.

ADVANCED INSTALLATION TWEAKING

Changing the Database Location

After installing NetFlow Auditor, if you need to move the database to a larger partition, stop the mysql service and change the location as per the instructions in How to move your database directory.

Configuring NetFlow Auditor

Flows can be excessive in large ISP and campus environments. The tweaks below can be applied to reduce or eliminate loss.

Combined, they help smooth out collection-based loss. In large environments NetFlow Auditor can be configured as a cluster of helpers plus a database server.

Configure system buffers (see Operating system tuning below)
Configure DigiToll.ini (see NetFlow Auditor tuning, Dump Time and Retention below)

Operating system tuning

Increasing the system socket buffer and UDP buffer allows more flows to be collected.
When flows exceed the capacity of the collector hardware, flows may be lost.

/etc/sysctl.conf
...
net.core.rmem_max=134217728
net.core.rmem_default=134217728
net.ipv4.udp_mem=33554432 33554432 33554432
...

After changing/adding the buffers to sysctl.conf apply the changes:

# sysctl -p
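As an added example (not NetFlow Auditor's own code or documentation), the script below checks that a sysctl.conf-style file carries the three buffer settings at or above the values given above, and shows the live kernel values so an edited file that was never applied with sysctl -p is easy to spot. The file path is passed in so it can be run against a copy; the demo uses a constructed sample file, not a real host's sysctl.conf.

```shell
#!/bin/sh
# Added example (not NetFlow Auditor's own code or documentation): verify that a
# sysctl.conf-style file carries the buffer settings at or above the values the
# page gives, and optionally show what the running kernel currently has.

# Values from the page. net.ipv4.udp_mem is three numbers (min pressure max)
# and, unlike the rmem keys, the kernel expresses it in pages rather than bytes.
NFA_RMEM_MAX=134217728
NFA_RMEM_DEFAULT=134217728
NFA_UDP_MEM="33554432 33554432 33554432"

# True when the argument is a non-empty string of digits.
is_num() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# Print the value of KEY from FILE, skipping comments and trimming whitespace.
# The last occurrence wins, which matches how "sysctl -p" applies the file.
sysctl_file_value() {
    awk -v k="$1" '
        /^[[:space:]]*[#;]/ { next }
        index($0, "=") == 0 { next }
        {
            i = index($0, "=")
            name = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            gsub(/[[:space:]]+/, " ", v)
            if (name == k) val = v
        }
        END { if (val != "") print val }' "$2"
}

# Compare FILE against the documented values; print one line per key and
# return 0 only when every key is present and large enough.
check_nfa_buffers() {
    file=$1; rc=0
    for spec in "net.core.rmem_max:$NFA_RMEM_MAX" "net.core.rmem_default:$NFA_RMEM_DEFAULT"; do
        key=${spec%%:*}; want=${spec#*:}
        have=$(sysctl_file_value "$key" "$file")
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want)"; rc=1
        elif ! is_num "$have" || [ "$have" -lt "$want" ]; then
            echo "LOW     $key=$have (want >= $want)"; rc=1
        else
            echo "OK      $key=$have"
        fi
    done
    have=$(sysctl_file_value net.ipv4.udp_mem "$file")
    if [ -z "$have" ]; then
        echo "MISSING net.ipv4.udp_mem (want $NFA_UDP_MEM)"; rc=1
    else
        # each of the three fields must be at least the documented one
        set -- $have; h1=${1:-0}; h2=${2:-0}; h3=${3:-0}
        set -- $NFA_UDP_MEM
        if ! is_num "$h1" || ! is_num "$h2" || ! is_num "$h3" ||
           [ "$h1" -lt "$1" ] || [ "$h2" -lt "$2" ] || [ "$h3" -lt "$3" ]; then
            echo "LOW     net.ipv4.udp_mem=$have (want >= $NFA_UDP_MEM)"; rc=1
        else
            echo "OK      net.ipv4.udp_mem=$have"
        fi
    fi
    return $rc
}

# Show the live kernel values (Linux with sysctl only), so a file that was
# edited but never applied with "sysctl -p" stands out next to the check above.
show_live_buffers() {
    command -v sysctl >/dev/null 2>&1 || { echo "sysctl not available"; return 2; }
    for key in net.core.rmem_max net.core.rmem_default net.ipv4.udp_mem; do
        echo "$key live=$(sysctl -n "$key" 2>/dev/null | tr -s '[:space:]' ' ')"
    done
}

# Demo on a constructed file (not a real host's sysctl.conf): NFA_DEMO=1 sh this.sh
demo() {
    f=$(mktemp)
    printf '# constructed sample\nnet.core.rmem_max = 134217728\nnet.core.rmem_default=8388608\n' > "$f"
    check_nfa_buffers "$f" || echo "file needs changes before 'sysctl -p'"
    show_live_buffers
    rm -f "$f"
}
if [ "${NFA_DEMO:-0}" = 1 ]; then demo; fi
```

Point it at /etc/sysctl.conf (or the drop-in under /etc/sysctl.d/ you used) with `check_nfa_buffers /etc/sysctl.conf`; a key reported OK in the file but lower in the live output means the file has not been applied since it was edited.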

NetFlow Auditor tuning

Sampling

NetFlow Auditor scales well beyond other flow collection software. Even so, sampling can still be used successfully to reduce loss and improve collection performance. Some routers and switches force sampling. Once discovered, each device must be configured with the sampling ratio set on the Exporter Device.

DigiToll.ini - UDP Buffer

Change the UDPBuffer parameter to 16M:

/digitoll/tmp/digitoll.ini
...
UDPBuffer = 16777216
...

Dump Time

Reducing the dump time allows the in-memory collection to be cleared faster and allows the NetFlow Auditor aggregator and data-insertion processing to run more efficiently.
Test slowly: change it to 30 seconds and confirm.

Then allow a period of processing and confirm the results in Data Collection Tuning for each minute. If loss still occurs after this period, repeat the process.

Flow Retention Rate

This can be set to retain 1 in N flow records. This is different from device packet sampling, which is already supported.

Flows tuned in this way retain Interface, ToS and/or Business Groups, and the setting is useful for both Professional and Performance collection modes.

The Non Retained flow policy defines what information is kept in any flow-retention-rate aggregation.

Data Collection Tuning

This can be set to aggregate various aspects of the flow. For example, aggregating the ephemeral ports of well-known ports can reduce collection size and smooth out performance in high-flow / high-retention environments.

tmpfs or RamDisk

RAM filesystems can substantially speed up processing where CPU and I/O may be impacting collection. NetFlow Auditor's transient files can be configured to use tmpfs or a ramdisk.

By default Red Hat/CentOS creates a tmpfs partition on /dev/shm. This is usually quite a large chunk of RAM that is dynamically available as a partition and can be easily loaded and managed via fstab.

The main benefit of tmpfs is that it only uses as much RAM (or swap) as is needed to store the files. In contrast, a 500MB ramdisk will use that much RAM whether it is 10% full or 100% full.

Change the tmpfs setting:

Edit "/etc/fstab" and add the "noatime,nodiratime" options to the tmpfs entry to remove access-time stamping (this is not mission critical, but it saves extra processing cycles).

In /usr/local/digitoll/conf/digitoll.ini, change dumpDir, remoteDir and localDir to use the tmpfs:

[Directories]
dumpDir = /dev/shm/dump
remoteDir = /dev/shm/export
localDir = /dev/shm/import

There is no need to create the subdirectories; they are created if they don't exist.
NetFlow Auditor must be restarted to make use of the tmpfs RAM disk:

service digitoll stop
service digitoll start
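As an added example (not NetFlow Auditor's own code or documentation), the script below confirms the two edits in this section before the restart: that the tmpfs entry in an fstab-style file carries both noatime and nodiratime, and that dumpDir, remoteDir and localDir in the [Directories] section of an INI-style file sit under that mount. File paths are passed in so it can be run against copies; the demo uses constructed files, not real host files.

```shell
#!/bin/sh
# Added example (not NetFlow Auditor's own code or documentation): confirm the
# noatime/nodiratime options on the tmpfs entry in fstab and that the
# [Directories] keys in digitoll.ini point under that mount.

# Print the mount options of the tmpfs entry for MOUNTPOINT in an fstab-style FILE.
fstab_tmpfs_options() {
    awk -v mp="$1" '/^[[:space:]]*#/ { next } $3 == "tmpfs" && $2 == mp { print $4; exit }' "$2"
}

# Return 0 when the tmpfs entry for MOUNTPOINT in FILE has both noatime and nodiratime.
tmpfs_has_noatime() {
    opts=$(fstab_tmpfs_options "$1" "$2")
    case ",$opts," in
        *,noatime,*) case ",$opts," in *,nodiratime,*) return 0 ;; esac ;;
    esac
    return 1
}

# Print KEY from [SECTION] of an INI-style FILE ("key = value"; "#" or ";" comments).
ini_value() {
    awk -v s="$1" -v k="$2" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { i = index($0, "["); j = index($0, "]"); cur = substr($0, i + 1, j - i - 1); next }
        cur == s && index($0, "=") {
            i = index($0, "=")
            n = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", n)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (n == k) { print v; exit }
        }' "$3"
}

# Report whether dumpDir, remoteDir and localDir in INI sit under MOUNTPOINT;
# return 0 only when all three do.
check_nfa_dirs_on_tmpfs() {
    ini=$1; mp=$2; rc=0
    for key in dumpDir remoteDir localDir; do
        d=$(ini_value Directories "$key" "$ini")
        case "$d" in
            "$mp"/*) echo "OK        $key=$d" ;;
            "")      echo "MISSING   $key"; rc=1 ;;
            *)       echo "NOT-TMPFS $key=$d (expected under $mp)"; rc=1 ;;
        esac
    done
    return $rc
}

# Demo on constructed files (not real host files): NFA_DEMO=1 sh this.sh
demo() {
    fstab=$(mktemp); ini=$(mktemp)
    printf '# constructed sample\ntmpfs /dev/shm tmpfs defaults 0 0\n' > "$fstab"
    printf '[Directories]\ndumpDir = /dev/shm/dump\nremoteDir = /dev/shm/export\nlocalDir = /digitoll/import\n' > "$ini"
    tmpfs_has_noatime /dev/shm "$fstab" && echo "fstab: ok" || echo "fstab: add noatime,nodiratime to the /dev/shm entry"
    check_nfa_dirs_on_tmpfs "$ini" /dev/shm || echo "digitoll.ini: not all directories are on tmpfs"
    rm -f "$fstab" "$ini"
}
if [ "${NFA_DEMO:-0}" = 1 ]; then demo; fi
```

On a live host run `tmpfs_has_noatime /dev/shm /etc/fstab` and `check_nfa_dirs_on_tmpfs /usr/local/digitoll/conf/digitoll.ini /dev/shm`; a NOT-TMPFS line means that directory is still on disk and the restart will not move it to RAM.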

Documentation

Further Version 7 documentation can be found in the NetFlow Auditor Knowledge Base, with the latest documentation guides available on Visual Analytics, Multiviews, Forensics, IPv6 and more.

cron