# 2013-04-10
#
# This has been tested on CentOS 6.3 barebones server build.
# It should work well on most RHEL or CentOS OS's.
#
# Note: even though this install script looks like it could do a full install in one
# swoop, there is no error checking! Run these commands one at a time or in small
# batches, as root, and check each result before continuing. Several steps download
# third-party source over the network and build/install it as root -- verify what
# you fetched before running it.
####### installation ########
#
# If you haven't already, gunzip and untar the distribution and change into its root directory
#
cd ~
# GNU tar handles the gzip layer itself, so this is the same as "gunzip -c ... | tar -xf -"
tar -xzf wvnetflow-1.07.tar.gz
cd ~/wvnetflow-1.07
#
# Install build tools and prerequisite packages with YUM (-y is --assumeyes)
#
yum -y install rsyslog gcc byacc libtool make patch zlib-devel httpd rrdtool-perl perl-GD perl-Net-DNS
#
# Install cpanminus and needed Perl modules
#
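# Fetch the cpanminus installer over TLS and save it to a file rather than piping a
# plain-HTTP download straight into perl as root: the original form lets anyone on
# the network path run arbitrary code on this host. Inspect (or at least checksum)
# cpanm.pl before running it. If the EPEL repository is enabled, the packaged
# perl-App-cpanminus is a simpler alternative to this step.
wget -O cpanm.pl https://cpanmin.us
# ... review cpanm.pl here, then:
perl cpanm.pl --self-upgrade
rm -f cpanm.pl
# cpanm installs these modules from CPAN as root; CPAN distributions are not
# signature-verified by default, so this is a trust decision in its own right.
cpanm Net::SNMP Spreadsheet::WriteExcel Net::Patricia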
#
# Install the flowd collector.
# Webview uses a fork of the flowd source with improvements for logging and sequence number handling
# (see http://code.google.com/r/cweinhold-flowd-sequence for more information).
#
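cd ~/wvnetflow-1.07
# Plain-HTTP download with no signature or checksum; compare the archive's checksum
# with the value published on the project's SourceForge file page (if one is given)
# before building it -- configure/make install below run as root.
wget http://iweb.dl.sourceforge.net/project/wvnetflow/flowd-sequence/cweinhold-flowd-sequence.tar.gz
sha256sum cweinhold-flowd-sequence.tar.gz
gunzip -c cweinhold-flowd-sequence.tar.gz | tar -xf -
cd cweinhold-flowd-sequence
./configure
make install
# Privilege-separation account for flowd: its chroot directory is /var/empty and
# the account never needs an interactive shell, so give it /sbin/nologin.
mkdir -p /var/empty/dev
groupadd _flowd
useradd -g _flowd -c "flowd privsep" -d /var/empty -s /sbin/nologin _flowd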
#
# Install flow-tools and Cflow.pm.
# This requires building from the flow-tools fork at https://code.google.com/p/flow-tools/.
# (the relative directory structure for the next few steps is very important!)
#
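cd ~/wvnetflow-1.07
# Both archives below are fetched without signature verification (the Cflow one over
# plain HTTP) and are then compiled and installed as root. Record their checksums and
# compare them with the values published by each project before running configure/make.
wget https://flow-tools.googlecode.com/files/flow-tools-0.68.5.1.tar.bz2
sha256sum flow-tools-0.68.5.1.tar.bz2
bzcat flow-tools-0.68.5.1.tar.bz2 | tar -xf -
cd flow-tools-0.68.5.1/
# local patch shipped in the wvnetflow tree; the relative path assumes the layout above
patch -p1 <../optional-accessories/flow-tools-patches/patch.flow-tools.scan-and-hash
CC='gcc -fPIC' ./configure
make
make install
# (on 32-bit systems, remove the "-fPIC" option above)
cd lib
ln -s /usr/local/flow-tools/lib/libft.a libft.a
cd ../contrib
wget http://net.doit.wisc.edu/~plonka/Cflow/Cflow-1.053.tar.gz
sha256sum Cflow-1.053.tar.gz
gunzip -c Cflow-1.053.tar.gz | tar -xf -
cd Cflow-1.053
perl Makefile.PL
make
make test
make install
# (difficulties with this last chunk? see https://code.google.com/p/flow-tools/issues/detail?id=1)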
#
# Set up rsyslogd -- first, add socket listener for flowd chroot log file:
#
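# flowd runs chrooted in /var/empty, so rsyslog must listen on a socket inside that chroot
sed -i.bak -e '/GLOBAL DIRECTIVES/i $AddUnixListenSocket /var/empty/dev/log\n' /etc/rsyslog.conf
#
# Set up rsyslogd -- second, add a /etc/rsyslog.d conf file sending flowd data to /var/log/flowd.
# The here-doc delimiter is quoted so the rsyslog "$" directives are written literally.
#
cat <<'EOT' >/etc/rsyslog.d/40-flowd.conf
# set file permissions: FileCreateMode already yields 0644 log files, so the
# umask does not need to be cleared entirely (0022 is the usual default)
$umask 0022
$FileCreateMode 0644
# log daemon traffic from flowd to its own file, then discard it so it does
# not also land in the default log files
:programname, isequal, "flowd" /var/log/flowd
:programname, isequal, "flowd" ~
EOT
#
# Set up rsyslogd -- third, change the SELinux type of the rsyslog init script (or else
# it won't be able to watch the flowd log socket). chcon is a one-off label change that
# a relabel (restorecon / autorelabel) will undo; if policycoreutils-python is installed,
# "semanage fcontext" gives a persistent rule instead.
#
chcon -t etc_t /etc/init.d/rsyslog
#
# Set up rsyslogd -- lastly, restart the service
#
service rsyslog restart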
#
# create directories and install files
#
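cd ~/wvnetflow-1.07
mkdir -p /opt/netflow/tmp /opt/netflow/data /opt/netflow/cache /opt/netflow/capture /usr/local/webview
cp -Rp flowage www utils /usr/local/webview
cp etc/webview.conf /etc
# The CGI scripts write graphs here as the httpd user, so give that user the directory
# instead of making it world-writable: chmod 777 under a web root that has ExecCGI
# enabled lets any local account drop files Apache will serve. Root-run cron jobs are
# unaffected. "apache" is the user the CentOS httpd package creates; adjust if httpd
# runs as something else. If SELinux is enforcing, the directory will also need a
# writable httpd type (e.g. httpd_sys_rw_content_t) for the CGI to write into it.
chown apache:apache /usr/local/webview/www/flow/graphs
chmod 755 /usr/local/webview/www/flow/graphs
#
# set selinux permissions for CGI scripts
#
chcon -t httpd_sys_script_exec_t /usr/local/webview/www/flow/*.cgi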
#
# set up flowd init script
#
# install the flowd config and init script (the init script must be executable)
cp etc/flowd-2055.conf /usr/local/etc/
install -m 0755 etc/init.d/flowd-centos /etc/init.d/flowd
# the "-number" suffix in the symlink name is the listener port for that instance
ln -s /etc/init.d/flowd /etc/init.d/flowd-2055
chkconfig --add flowd-2055
service flowd-2055 start
# Several flowd init scripts and config files can coexist, one per listener port.
# Use a separate port for each kind of source: e.g. MPLS WAN routers on 2055,
# internet-facing routers on 2056 and data-center switches on 2057.
#
# set up iptables to allow incoming web (tcp 80) and netflow (udp 2055)
#
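# Allow inbound NetFlow (udp 2055) and web (tcp 80). As written these accept from any
# source; tighten them to the exporters and the admin network by adding
# "-s <exporter-or-admin-cidr>" to each rule -- the web UI configured below has no
# authentication of its own. "-I" inserts at the head of INPUT, ahead of existing rules.
iptables -I INPUT -p udp --dport 2055 -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
service iptables save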
#
# modify crontab
#
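# Build the new crontab in a private temp file: a fixed /tmp/newcron name is a
# symlink-clobber target for any local user while root writes to it.
newcron=$(mktemp /tmp/newcron.XXXXXX)
crontab -l > "$newcron"
# quoted delimiter: nothing in these cron lines needs shell expansion
cat <<'EOT' >>"$newcron"
# every hour, keep the capture directory within bounds. This script logs to /var/log/flow-expire.log
0 * * * * /usr/local/webview/utils/flow-expire-perl -E 10G -e 9000 -w /opt/netflow/capture/2055
# every 5 minutes, run flowd2ft to convert flowd capture into flow-tools format in the capture directory
*/5 * * * * /usr/local/webview/utils/flowd2ft 2055 >> /var/log/flowd2ft-2055.log 2>&1
# run flowage.pl every five minutes. Output goes under /var/log rather than to fixed
# names in the world-writable /tmp, which a root-run job should not write to.
# DISABLED RIGHT NOW; ENABLE LATER
#*/5 * * * * perl /usr/local/webview/flowage/flowage.pl > /var/log/flowage.stdout 2> /var/log/flowage.stderr
# expire exporter summary files after two weeks
0 0 * * * find /opt/netflow/capture -name 'summary-*' -mtime +14 -exec rm -f {} \;
# expire unused RRD files after 30 days
0 2 * * * find /opt/netflow/capture -name '*.rrd' -mtime +30 -exec rm -f {} \;
15 2 * * * find /opt/netflow/capture -depth -type d -empty -exec rmdir {} \;
# every 15 minutes, run monFlows.pl to check on the health of the flowage processes
# DISABLED RIGHT NOW; ENABLE LATER
#*/15 * * * * /usr/local/webview/flowage/monitor/monFlows.pl >> /var/log/monFlows.log 2>&1
# on the first of every month, archive the various log files (you can instead use logrotate).
# The schedule has always been monthly although the original comment said "every monday";
# use "0 0 * * 1" if weekly rotation is what you want. These entries run from root's
# crontab, so no sudo is needed (the original invoked /usr/local/bin/sudo, which is not
# where CentOS installs sudo).
0 0 1 * * mv -f /var/log/flow-expire.log /var/log/flow-expire.old
0 0 1 * * mv -f /var/log/flowd2ft-2055.log /var/log/flowd2ft-2055.old
0 0 1 * * mv -f /var/log/monFlows.log /var/log/monFlows.old
EOT
crontab "$newcron"
rm -f "$newcron"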
#
# set up web server
#
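# Publish /usr/local/webview/www as /webview. "Indexes" is dropped from the original
# Options line: directory listings would expose the whole web tree (including the
# graphs directory the CGIs write to), and the CGI pages are reached by name. Drop
# "Includes" too if nothing under www uses server-side includes. "allow from all"
# exposes an unauthenticated UI to everyone who can reach port 80 -- restrict it with
# "allow from <admin network>", add Apache authentication, or put it behind TLS with
# access control before exposing this host beyond a trusted network.
sed -i.bak -e'/UserDir: The name/ i\
Alias /webview "/usr/local/webview/www"\
\
<Directory /usr/local/webview/www>\
Options Includes FollowSymLinks ExecCGI\
order allow,deny\
SetEnv no-gzip 1\
allow from all\
</Directory>\
\
AddHandler cgi-script .cgi\
' /etc/httpd/conf/httpd.conf
service httpd restart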
####### validation steps ########
# check if flowd is running
# is the collector process up?
ps -f -C flowd
# are flows being received? (look for files appearing under /dev/shm)
ls -l -R /dev/shm/
# have capture files been moved into the capture tree?
ls -l -R /opt/netflow/capture/
# the counters on the udp 2055 rule should be climbing
iptables -v -L INPUT
# is the web server running?
service httpd status
# once flow data is present in the capture directory, exercise one of the CGI scripts
wget -O- 'http://127.0.0.1/webview/flow/adhoc.cgi?quiet=1&test=1&output=ascii'
# if that works (IP addresses appear in the output), run flowage once by hand
/usr/local/webview/flowage/flowage.pl
# if that looks good (flow files processed, rrd files created), uncomment the
# */5 flowage crontab entry and you're all set!