Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

...

As of February 2016, opFlow is distributed in a self-extracting download format that simplifies the installation process quite a bit. More information on running the installer can be found HERE: The Opmantek FirstWave Installer

Transfer the opFlow installer onto the server in question, either by direct download from the FirstWave website, or from your desktop with scp or sftp or or a similar file transfer tool.

Make a record of where you put the tarball (root's home directory or /tmp are good locations).

  • Start the interactive installer and follow its instructions:

    Code Block
    sudo sh ./opFlow-Linux-x86_64-4.0.2.run
    
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++
    opFlow (4.0.2) Installation script
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++
    
    This installer will install opFlow into /usr/local/omk.
    To select a different installation location please rerun the 
    installer with the -t option.
    ...


  • The installer will interactively guide you through the steps of installing opFlow. Please make sure to read the on-screen prompts carefully.
  • When the installer finishes, opFlow is installed into /usr/local/omk, and the default configuration files are in /usr/local/omk/conf, ready for your initial config adjustments.
  • A detailed log of the installation process is saved as /usr/local/omk/install.log, and subsequent upgrades or installations of other FirstWave products will add to that logfilelog file.
  • For detailed information about the interactive installer please check the Opmantek Installer FirstWave installer page.

Enter License

If you do not

...

already own a license for opFlow 4.0 you will need to obtain one.

...

Initial Configuration

After installation you may need/want to change the directories that flows are stored in, the ports the flows are coming in on, etc.  Please read the sections below for more.

...

On most platforms nfdump uses the classic init script /etc/init.d/nfdump, normally accessed via the service helper, e.g. service nfdump stop or start.

The init script contains defaults for the most essential options for the nfdump/nfcapd programs.

...

Code Block
# best way to configure these is via /etc/default/nfdump or /etc/sysconfig/nfdump,
# DATA_BASE_DIR needs to be the same as "<opflow_dir>" in opCommon.json
DATA_BASE_DIR="/var/cach/nfdump"
DATA_ROTATE_INTERVAL=300
NETFLOW_PORT=2055
PIDFILE=/var/run/$NAME.pid

When that 's  is done, you need to restart the nfdump service to activate your configuration: sudo service nfdump restart.

Additional required steps

...

if your OS is Debian or Ubuntu, and you are using systemd

...

The most recent nfdump packages in Debian come with a problematic systemd service file (see bug Debian Bug 843602) which completely ignores /etc/default/nfdump.

Until that is resolved, we recommend that you disable the nfdump systemd service and have the system fall back to using sysv SysV init scripts, combined with the nfdump init script that was shipped with opFlow (which is available as /usr/local/omk/install/nfdump.init.d).

...

Code Block
ps ax|fgrep nfcapd
# good: that one honours custom settings as it should
1583 ?        S      0:47 /usr/bin/nfcapd -D -T all -l /data/opflow -t 120 -P /var/run/nfcapd.pid -p 12345
# BAD: that's an nfcapd with undesireable hardcoded arguments
1257 ?        S      0:00 /usr/bin/nfcapd -D -l /var/cache/nfdump -P /var/run/nfcapd.pid -p 2055

The forced switch to SysV init script can be made  by running the following commands as root (ie. under sudo bash or the like):

...

opFlow attempts to resolve all ip address IP addresses so DNS settings must be correct. Be sure to verify that DNS settings are appropriate:

...

If you have very large numbers of distinct IP addresses in your flows you should DISABLE DNS lookup, change ':

Change "opflow_resolve_endpoint_dns' => 'true'" : "true",  to false in false in /usr/local/omk/conf/opCommon.nmis json to speed up performance.  Each  

Each of the opflow opFlow processes will have to wait for each of the DNS lookups which means you will have a large number processes waiting for DNS to return information.  This This is especially true on internet traffic as resolution will require a PTR lookup through to the SOA for that IP which could take a while.

...