mbolli / nfsen-ng

Responsive NetFlow visualizer built on top of nfdump tools.
Apache License 2.0

nfsen-ng


nfsen-ng is an in-place replacement for the ageing nfsen.

nfsen-ng dashboard overview

Used components


Installation

Detailed installation instructions are available in INSTALL.md. Pull requests for additional distributions are welcome.

Software packages required:

Apache modules required:

PHP modules required:

Configuration

Note: nfsen-ng expects the profiles-data folder structure to be PROFILES_DATA_PATH/PROFILE/SOURCE/YYYY/MM/DD/nfcapd.YYYYMMDDHHII, e.g. /var/nfdump/profiles_data/live/source1/2018/12/01/nfcapd.201812010225.
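The layout in the note above can be checked before running an import. The following is an added example, not part of nfsen-ng: `check_capture_path` and `misplaced` are hypothetical helper names, and every sample path except the first is constructed.

```python
import re
from datetime import datetime
from pathlib import PurePosixPath

# Layout from the note above, relative to PROFILES_DATA_PATH:
#   PROFILE/SOURCE/YYYY/MM/DD/nfcapd.YYYYMMDDHHII
LAYOUT = re.compile(
    r"(?P<profile>[^/]+)/(?P<source>[^/]+)/"
    r"(?P<y>[0-9]{4})/(?P<m>[0-9]{2})/(?P<d>[0-9]{2})/nfcapd\.(?P<stamp>[0-9]{12})"
)

def check_capture_path(path, profiles_data_path):
    """Return (ok, reason) for one capture file path (hypothetical helper)."""
    try:
        rel = PurePosixPath(path).relative_to(profiles_data_path)
    except ValueError:
        return False, "outside PROFILES_DATA_PATH"
    if ".." in rel.parts:
        return False, "path traversal component"
    m = LAYOUT.fullmatch(rel.as_posix())
    if m is None:
        return False, "layout mismatch"
    s = m["stamp"]
    try:  # reject impossible timestamps such as hour 25
        datetime(int(s[:4]), int(s[4:6]), int(s[6:8]), int(s[8:10]), int(s[10:]))
    except ValueError:
        return False, "invalid timestamp"
    if m["y"] + m["m"] + m["d"] != s[:8]:
        return False, "directory date differs from file name"
    return True, "ok"

def misplaced(paths, profiles_data_path):
    """Return {path: reason} for every path that fails the check."""
    results = ((p, check_capture_path(p, profiles_data_path)) for p in paths)
    return {p: reason for p, (ok, reason) in results if not ok}

# Constructed sample paths; only the first is the example from this page.
ROOT = "/var/nfdump/profiles_data"
SAMPLES = [
    ROOT + "/live/source1/2018/12/01/nfcapd.201812010225",  # valid
    ROOT + "/live/source1/nfcapd.201812010225",             # no date sub-directories
    ROOT + "/live/source1/2018/12/02/nfcapd.201812010225",  # wrong day directory
    ROOT + "/live/source1/2018/12/01/nfcapd.201812012561",  # impossible time
    "/var/nfdump/profiles-data/live/source1/2018/12/01/nfcapd.201812010225",  # hyphen, not underscore
]

if __name__ == "__main__":
    for path, reason in misplaced(SAMPLES, ROOT).items():
        print(f"{reason}: {path}")
```

The last sample shows why the directory passed to the capture daemon has to match the configured profiles-data path character for character.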

The default settings file is backend/settings/settings.php.dist. Copy it to backend/settings/settings.php and start modifying it. Example values are in italic:

Nfdump

Nfsen-ng uses nfdump to read the nfcapd files. You can specify the location of the nfdump binary in backend/settings/settings.php. The default location is /usr/bin/nfdump.

You should also have a look at the nfdump configuration file /etc/nfdump.conf and make sure that the nfcapd files are written to the correct location. The default location is /var/nfdump/profiles_data.

Here is an example of an nfdump configuration:

options='-z -S 1 -T all -l /var/nfdump/profiles-data/live/<source> -p <port>'

where

Nfcapd x Sfcapd

To use sfcapd instead of nfcapd, change the systemd unit file /lib/systemd/system/nfdump@.service so that it starts sfcapd:

[Unit]
Description=netflow capture daemon, %I instance
Documentation=man:sfcapd(1)
After=network.target auditd.service
PartOf=nfdump.service

[Service]
Type=forking
EnvironmentFile=/etc/nfdump/%I.conf
ExecStart=/usr/bin/sfcapd -D -P /run/sfcapd.%I.pid $options
PIDFile=/run/sfcapd.%I.pid
KillMode=process
Restart=no

[Install]
WantedBy=multi-user.target

CLI + Daemon

The command line interface is used to initially scan existing nfcapd.* files, or to administer the daemon.

Usage:

./cli.php [ options ] import

or for the daemon

./cli.php start|stop|status

Daemon as a systemd service

You can run the daemon as a service using the systemd service file below. Copy it to /etc/systemd/system/nfsen-ng.service and then start it with systemctl start nfsen-ng.

[Unit]
Description=nfsen-ng
After=network-online.target
# Start rate limiting is configured in [Unit]; 0 disables it
StartLimitIntervalSec=0

[Service]
Type=simple
RemainAfterExit=yes
# systemd directive names are case-sensitive
Restart=always
RestartSec=2
# Run the daemon as the web server user (www-data)
ExecStart=su - www-data --shell=/bin/bash -c '/var/www/html/nfsen-ng/backend/cli.php start'
ExecStop=su - www-data --shell=/bin/bash -c '/var/www/html/nfsen-ng/backend/cli.php stop'

[Install]
WantedBy=multi-user.target

Now, you should reload and enable the service to start on boot with systemctl daemon-reload and systemctl enable nfsen-ng.

Logs

Nfsen-ng logs to syslog. You can find the logs in /var/log/syslog or /var/log/messages, depending on your system. Some distributions might send them to the systemd journal instead. To access the logs, you can use tail -f /var/log/syslog or journalctl -u nfsen-ng.

You can change the log priority in backend/settings/settings.php.

API

The API is used by the frontend to retrieve data. The API endpoints are documented in API_ENDPOINTS.md.