Closed anindyar closed 5 years ago
Please, send me the full nProbe configuration used. If you are using a test CAs and certs, please also send me them so I can check if they've been properly generated.
Dear Simone,
Please find below the full configuration file that we used last. We had tried a variety of combinations of the parameters below, and have tried both a .jks keystore file with the "ssl.truststore.location" parameter and a PEM certificate file using "ssl.ca.location", but both are giving the same errors.
Also, I am afraid the CA certs are not test certs and were generated by Cloudera engineers, so we won't be able to share them here. Could you please specify if there is any limitation on the certificate format type? I will try to work around that.
----------Configuration File---------------------
#
-V=9
###########################
###########################
##################
######################
#################################
#################################
-T="%IN_BYTES %IN_PKTS %PROTOCOL %PROTOCOL_MAP %SRC_TOS %TCP_FLAGS %L4_SRC_PORT %L4_SRC_PORT_MAP %IPV4_SRC_ADDR %IPV4_SRC_MASK %INPUT_SNMP %L4_DST_PORT %L4_DST_PORT_MAP %L4_SRV_PORT %L4_SRV_PORT_MAP %IPV4_DST_ADDR %IPV4_DST_MASK %OUTPUT_SNMP %IPV4_NEXT_HOP %SRC_AS %DST_AS %LAST_SWITCHED %FIRST_SWITCHED %OUT_BYTES %OUT_PKTS %IPV6_SRC_ADDR %IPV6_DST_ADDR %IPV6_SRC_MASK %IPV6_DST_MASK %ICMP_TYPE %SAMPLING_INTERVAL %SAMPLING_ALGORITHM %FLOW_ACTIVE_TIMEOUT %FLOW_INACTIVE_TIMEOUT %ENGINE_TYPE %ENGINE_ID %TOTAL_BYTES_EXP %TOTAL_PKTS_EXP %TOTAL_FLOWS_EXP %MIN_TTL %MAX_TTL %DST_TOS %IN_SRC_MAC %SRC_VLAN %DST_VLAN %DOT1Q_SRC_VLAN %DOT1Q_DST_VLAN %IP_PROTOCOL_VERSION %DIRECTION %IPV6_NEXT_HOP %MPLS_LABEL_1 %MPLS_LABEL_2 %MPLS_LABEL_3 %MPLS_LABEL_4 %MPLS_LABEL_5 %MPLS_LABEL_6 %MPLS_LABEL_7 %MPLS_LABEL_8 %MPLS_LABEL_9 %MPLS_LABEL_10 %OUT_DST_MAC %APPLICATION_ID %PACKET_SECTION_OFFSET %SAMPLED_PACKET_SIZE %SAMPLED_PACKET_ID %EXPORTER_IPV4_ADDRESS %EXPORTER_IPV6_ADDRESS %FLOW_ID %FLOW_START_SEC %FLOW_END_SEC %FLOW_START_MILLISECONDS %FLOW_END_MILLISECONDS %BIFLOW_DIRECTION %OBSERVATION_POINT_TYPE %OBSERVATION_POINT_ID %SELECTOR_ID %IPFIX_SAMPLING_ALGORITHM %SAMPLING_SIZE %SAMPLING_POPULATION %FRAME_LENGTH %PACKETS_OBSERVED %PACKETS_SELECTED %SELECTOR_NAME %APPLICATION_NAME %USER_NAME %FRAGMENTS %CLIENT_NW_LATENCY_MS %SERVER_NW_LATENCY_MS %APPL_LATENCY_MS %NUM_PKTS_UP_TO_128_BYTES %NUM_PKTS_128_TO_256_BYTES %NUM_PKTS_256_TO_512_BYTES %NUM_PKTS_512_TO_1024_BYTES %NUM_PKTS_1024_TO_1514_BYTES %NUM_PKTS_OVER_1514_BYTES %CUMULATIVE_ICMP_TYPE %SRC_IP_COUNTRY %SRC_IP_CITY %DST_IP_COUNTRY %DST_IP_CITY %FLOW_PROTO_PORT %UPSTREAM_TUNNEL_ID %UPSTREAM_SESSION_ID %LONGEST_FLOW_PKT %SHORTEST_FLOW_PKT %RETRANSMITTED_IN_BYTES %RETRANSMITTED_IN_PKTS %RETRANSMITTED_OUT_BYTES %RETRANSMITTED_OUT_PKTS %OOORDER_IN_PKTS %OOORDER_OUT_PKTS %UNTUNNELED_PROTOCOL %UNTUNNELED_IPV4_SRC_ADDR %UNTUNNELED_L4_SRC_PORT %UNTUNNELED_IPV4_DST_ADDR %UNTUNNELED_L4_DST_PORT %L7_PROTO %L7_PROTO_NAME %DOWNSTREAM_TUNNEL_ID 
%DOWNSTREAM_SESSION_ID %FLOW_USER_NAME %FLOW_SERVER_NAME %PLUGIN_NAME %UNTUNNELED_IPV6_SRC_ADDR %UNTUNNELED_IPV6_DST_ADDR %NUM_PKTS_TTL_EQ_1 %NUM_PKTS_TTL_2_5 %NUM_PKTS_TTL_5_32 %NUM_PKTS_TTL_32_64 %NUM_PKTS_TTL_64_96 %NUM_PKTS_TTL_96_128 %NUM_PKTS_TTL_128_160 %NUM_PKTS_TTL_160_192 %NUM_PKTS_TTL_192_224 %NUM_PKTS_TTL_224_255 %IN_SRC_OSI_SAP %OUT_DST_OSI_SAP %DURATION_IN %DURATION_OUT %TCP_WIN_MIN_IN %TCP_WIN_MAX_IN %TCP_WIN_MSS_IN %TCP_WIN_SCALE_IN %TCP_WIN_MIN_OUT %TCP_WIN_MAX_OUT %TCP_WIN_MSS_OUT %TCP_WIN_SCALE_OUT %PAYLOAD_HASH %SRC_AS_MAP %DST_AS_MAP %SRC_AS_PATH_1 %SRC_AS_PATH_2 %SRC_AS_PATH_3 %SRC_AS_PATH_4 %SRC_AS_PATH_5 %SRC_AS_PATH_6 %SRC_AS_PATH_7 %SRC_AS_PATH_8 %SRC_AS_PATH_9 %SRC_AS_PATH_10 %DST_AS_PATH_1 %DST_AS_PATH_2 %DST_AS_PATH_3 %DST_AS_PATH_4 %DST_AS_PATH_5 %DST_AS_PATH_6 %DST_AS_PATH_7 %DST_AS_PATH_8 %DST_AS_PATH_9 %DST_AS_PATH_10 %DHCP_CLIENT_MAC %DHCP_CLIENT_IP %DHCP_CLIENT_NAME %DHCP_REMOTE_ID %DHCP_SUBSCRIBER_ID %DHCP_MESSAGE_TYPE %DIAMETER_REQ_MSG_TYPE %DIAMETER_RSP_MSG_TYPE %DIAMETER_REQ_ORIGIN_HOST %DIAMETER_RSP_ORIGIN_HOST %DIAMETER_REQ_USER_NAME %DIAMETER_RSP_RESULT_CODE %DIAMETER_EXP_RES_VENDOR_ID %DIAMETER_EXP_RES_RESULT_CODE %DIAMETER_HOP_BY_HOP_ID %DNS_QUERY %DNS_QUERY_ID %DNS_QUERY_TYPE %DNS_RET_CODE %DNS_NUM_ANSWERS %DNS_TTL_ANSWER %DNS_RESPONSE %FTP_LOGIN %FTP_PASSWORD %FTP_COMMAND %FTP_COMMAND_RET_CODE %HTTP_URL %HTTP_METHOD %HTTP_RET_CODE %HTTP_REFERER %HTTP_UA %HTTP_MIME %HTTP_HOST %HTTP_SITE %IMAP_LOGIN %MYSQL_SERVER_VERSION %MYSQL_USERNAME %MYSQL_DB %MYSQL_QUERY %MYSQL_RESPONSE %MYSQL_APPL_LATENCY_USEC %NETBIOS_QUERY_NAME %NETBIOS_QUERY_TYPE %NETBIOS_QUERY_RSP %ORACLE_USERNAME %ORACLE_QUERY %ORACLE_RSP_CODE %ORACLE_RSP_STRING %ORACLE_QUERY_DURATION %POP_USER %SRC_PROC_PID %SRC_PROC_NAME %SRC_PROC_UID %SRC_PROC_USER_NAME %SRC_FATHER_PROC_PID %SRC_FATHER_PROC_NAME %SRC_PROC_ACTUAL_MEMORY %SRC_PROC_PEAK_MEMORY %SRC_PROC_AVERAGE_CPU_LOAD %SRC_PROC_NUM_PAGE_FAULTS %SRC_PROC_PCTG_IOWAIT %DST_PROC_PID %DST_PROC_NAME %DST_PROC_UID 
%DST_PROC_USER_NAME %DST_FATHER_PROC_PID %DST_FATHER_PROC_NAME %DST_PROC_ACTUAL_MEMORY %DST_PROC_PEAK_MEMORY %DST_PROC_AVERAGE_CPU_LOAD %DST_PROC_NUM_PAGE_FAULTS %DST_PROC_PCTG_IOWAIT %RADIUS_REQ_MSG_TYPE %RADIUS_RSP_MSG_TYPE %RADIUS_USER_NAME %RADIUS_CALLING_STATION_ID %RADIUS_CALLED_STATION_ID %RADIUS_NAS_IP_ADDR %RADIUS_NAS_IDENTIFIER %RADIUS_USER_IMSI %RADIUS_USER_IMEI %RADIUS_FRAMED_IP_ADDR %RADIUS_ACCT_SESSION_ID %RADIUS_ACCT_STATUS_TYPE %RADIUS_ACCT_IN_OCTETS %RADIUS_ACCT_OUT_OCTETS %RADIUS_ACCT_IN_PKTS %RADIUS_ACCT_OUT_PKTS %RTP_SSRC %RTP_FIRST_SEQ %RTP_FIRST_TS %RTP_LAST_SEQ %RTP_LAST_TS %RTP_IN_JITTER %RTP_OUT_JITTER %RTP_IN_PKT_LOST %RTP_OUT_PKT_LOST %RTP_IN_PKT_DROP %RTP_OUT_PKT_DROP %RTP_IN_PAYLOAD_TYPE %RTP_OUT_PAYLOAD_TYPE %RTP_IN_MAX_DELTA %RTP_OUT_MAX_DELTA %RTP_SIP_CALL_ID %RTP_MOS %RTP_IN_MOS %RTP_OUT_MOS %RTP_R_FACTOR %RTP_IN_R_FACTOR %RTP_OUT_R_FACTOR %RTP_IN_TRANSIT %RTP_OUT_TRANSIT %RTP_RTT %RTP_DTMF_TONES %SIP_CALL_ID %SIP_CALLING_PARTY %SIP_CALLED_PARTY %SIP_RTP_CODECS %SIP_INVITE_TIME %SIP_TRYING_TIME %SIP_RINGING_TIME %SIP_INVITE_OK_TIME %SIP_INVITE_FAILURE_TIME %SIP_BYE_TIME %SIP_BYE_OK_TIME %SIP_CANCEL_TIME %SIP_CANCEL_OK_TIME %SIP_RTP_IPV4_SRC_ADDR %SIP_RTP_L4_SRC_PORT %SIP_RTP_IPV4_DST_ADDR %SIP_RTP_L4_DST_PORT %SIP_RESPONSE_CODE %SIP_REASON_CAUSE %SIP_C_IP %SIP_CALL_STATE %SMTP_MAIL_FROM %SMTP_RCPT_TO %SSDP_HOST %SSDP_USN"
-U=888
-n=none
-i=nt:stream1
-t=60
-l=60
--discard-unknown-flows=mode:0
--biflows-export-policy=0
--dont-drop-privileges
--kafka="10.xxx.xx.xx:90923,10.xxx.xx.xx:90923,10.xxx.xx.xx:90923;NTOP-Incoming" --kafka-conf="security.protocol=ssl"
--kafka-conf="ssl.ca.location=/home/nbox/trustkey.pem
The default librdkafka version shipped with Ubuntu 16 doesn't have support for SSL, so it ignores SSL-related configuration options (reference: https://github.com/edenhill/librdkafka/issues/896#issuecomment-259537327):
simone@devel:~/nProbe$ sudo apt-cache show librdkafka1
Package: librdkafka1
Priority: optional
Section: universe/libs
Installed-Size: 221
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Faidon Liambotis <paravoid@debian.org>
Architecture: amd64
Source: librdkafka
Version: 0.8.6-1.1
In order to enable SSL support you need version 0.9.x.
Personally, to make it work with SSL, I've cloned and compiled librdkafka from sources (https://github.com/edenhill/librdkafka), and then told nProbe to use the manually compiled version.
As you can see from the following output, the SSL option is now properly recognized.
simone@devel:~/nProbe$ LD_LIBRARY_PATH=/home/simone/librdkafka/src/ ./nprobe -i none -n none --collector-port 2055 --kafka "192.168.2.129:9092;test7;none;0" --disable-cache --kafka-conf debug=msg --kafka-conf queue.buffering.max.ms=1000 --kafka-conf topic.auto.commit.interval.ms=2000 --kafka-conf security.protocol=ssl
29/Jan/2019 10:22:48 [plugin.c:187] Loading 25 plugins [.so] from ./plugins
29/Jan/2019 10:22:48 [nprobe.c:6107] WARNING: The output interfaceId is set to 0: did you forget to use -Q perhaps ?
29/Jan/2019 10:22:48 [nprobe.c:6110] WARNING: The input interfaceId is set to 0: did you forget to use -u perhaps ?
29/Jan/2019 10:22:48 [nprobe.c:6197] Welcome to nProbe Pro v.8.7.190116 ($Revision: 6369 $) for x86_64-pc-linux-gnu with native PF_RING acceleration
29/Jan/2019 10:22:48 [nprobe.c:6207] Running on Ubuntu 16.04.5 LTS
29/Jan/2019 10:22:48 [nprobe.c:6285] Sample rate [packet: 1][flow collection/export: 1/1]
29/Jan/2019 10:22:48 [exportPlugin.c:719] Kafka property "debug" set to "msg"
29/Jan/2019 10:22:48 [exportPlugin.c:719] Kafka property "queue.buffering.max.ms" set to "1000"
29/Jan/2019 10:22:48 [exportPlugin.c:719] Kafka property "topic.auto.commit.interval.ms" set to "2000"
29/Jan/2019 10:22:48 [exportPlugin.c:719] Kafka property "security.protocol" set to "ssl"
You can also install the compiled librdkafka system-wide so you don't have to specify LD_LIBRARY_PATH. The fundamental point is to use a 0.9.x version.
Solution given. Closing.
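The root cause above is a librdkafka too old to honour the SSL options, loaded without any warning. The following added check script (not code from nProbe or from this thread) resolves which librdkafka an nprobe build actually loads, honouring LD_LIBRARY_PATH like the workaround above, and compares the packaged version against 0.9. It assumes ldd, awk and dpkg-query are available; because the Kafka exporter may live in a plugin .so, those files can be passed as extra arguments.

```shell
#!/bin/sh
# Added example, not from nProbe or this thread: find which librdkafka an
# nprobe build loads and whether it is 0.9.x or later, i.e. a release that
# honours --kafka-conf security.protocol=ssl instead of ignoring it.
# Usage: sh check_rdkafka.sh /path/to/nprobe [plugins/*.so]

# Return 0 if version $1 >= version $2 on numeric dot-separated fields.
# Debian revision suffixes such as "-1.1" (as in "0.8.6-1.1") are ignored.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[-~].*//')
    b=$(printf '%s' "$2" | sed 's/[-~].*//')
    i=1
    while :; do
        fa=$(printf '%s' "$a" | cut -d. -f"$i")
        fb=$(printf '%s' "$b" | cut -d. -f"$i")
        [ -z "$fa" ] && [ -z "$fb" ] && return 0   # all fields compared equal
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        i=$((i + 1))
    done
}

# First librdkafka .so the dynamic loader resolves for the given objects;
# this reflects LD_LIBRARY_PATH, just like the workaround in the thread.
rdkafka_path() {
    ldd "$@" 2>/dev/null | awk '/librdkafka/ { print $3; exit }'
}

# Version string of the distribution package, e.g. "0.8.6-1.1".
rdkafka_pkg_version() {
    dpkg-query -W -f='${Version}' librdkafka1 2>/dev/null
}

check() {
    lib=$(rdkafka_path "$@")
    echo "librdkafka resolved to: ${lib:-<not linked>}"
    case "$lib" in
        /usr/lib/*|/lib/*)          # distribution package
            v=$(rdkafka_pkg_version)
            if version_ge "${v:-0}" "0.9"; then
                echo "packaged librdkafka $v: SSL options are supported"
            else
                echo "packaged librdkafka ${v:-?}: SSL options are silently ignored"
                return 1
            fi ;;
        "") return 1 ;;
        *) echo "non-packaged build: verify it was compiled with OpenSSL" ;;
    esac
}
[ $# -gt 0 ] && check "$@"
```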
We were trying to enable SSL on Kafka and were using the documentation at this URL: https://www.ntop.org/guides/nProbe/case_study/exporting_to_kafka.html
But it seems like the Kafka config switches are not working for us somehow. Can you please look into this urgently? The setup is now in production and we are stuck with the boxes not pushing data over SSL.
Here is a sample config that we were using; the output error message is in the screenshot.
--kafka-conf="ssl.ca.location=/home/nbox/trustkey.pem" --kafka-config="security.protocol=ssl"
The error we are seeing is this.
We, in fact, tried with a couple of switches and we are invariably getting the same error, saying:
ERROR: Unable to set Kafka property "": [No such configuration property: ""]
Regards, Anindya