opFlow 4 Installation Guide
Before You Begin
Prerequisites
- NMIS installed on the same server that opFlow is being installed on (NMIS version 9 or later).
- The individual performing this installation has some Linux experience.
- Root access is available.
- Internet access is required for installing any missing but required software packages.
- All licenses are added/updated at https://<hostname>/omk/opLicense .
Preparation
- If you do not yet have a working installation of NMIS on your server, please follow the procedure in the NMIS 9 Installation Guide.
- Download opFlow from the FirstWave website.
Installation Steps
As of February 2016, opFlow is distributed in a self-extracting download format that simplifies the installation process quite a bit. More information on running the installer can be found on The FirstWave Installer page.
Transfer the opFlow installer onto the server in question, either by direct download from the FirstWave website, or from your desktop with scp, sftp or a similar file transfer tool.
Make a record of where you put the installer file (root's home directory or /tmp are good locations).
Start the interactive installer and follow its instructions:
    sudo sh opFlow-Linux-x86_64-4.0.2.run
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++
    opFlow (4.0.2) Installation script
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++
    This installer will install opFlow into /usr/local/omk.
    To select a different installation location please rerun the installer with the -t option.
    ...
- The installer will interactively guide you through the steps of installing opFlow. Please make sure to read the on-screen prompts carefully.
- When the installer finishes, opFlow is installed into /usr/local/omk, and the default configuration files are in /usr/local/omk/conf, ready for your initial config adjustments.
- A detailed log of the installation process is saved as /usr/local/omk/install.log, and subsequent upgrades or installations of other FirstWave products will append to that log file.
- For detailed information about the interactive installer please check the FirstWave installer page.
Enter License
If you do not already own a license for opFlow 4.0 you will need to obtain one, and then add it at https://<hostname>/omk/opLicense .
Initial Configuration
After installation you may need to change the directories that flows are stored in, the ports the flows are coming in on, and similar settings. Please read the sections below for more.
nfdump
On most platforms nfdump uses the classic init script /etc/init.d/nfdump, normally accessed via the service helper, e.g. service nfdump stop or service nfdump start.
The init script contains defaults for the most essential options for the nfdump/nfcapd programs.
It is recommended that you do not modify this init script, as upgraded nfdump packages may very well replace it.
Instead you should make use of the override file that is appropriate for your platform, and add values for (only) those options that you want to change.
On CentOS/RedHat, you need to create or modify /etc/sysconfig/nfdump; on Debian/Ubuntu the correct file is /etc/default/nfdump. Please note that this override file wins over the defaults that the init script sets.
Here is a list of the defaults as provided by the init script:
    # best way to configure these is via /etc/default/nfdump or /etc/sysconfig/nfdump,
    # DATA_BASE_DIR needs to be the same as "<opflow_dir>" in opCommon.json
    DATA_BASE_DIR="/var/cache/nfdump"
    DATA_ROTATE_INTERVAL=300
    NETFLOW_PORT=2055
    PIDFILE=/var/run/$NAME.pid
When that is done, you need to restart the nfdump service to activate your configuration: sudo service nfdump restart.
Additional required steps if your OS is Debian or Ubuntu, and you are using systemd
The most recent nfdump packages in Debian come with a problematic systemd service file (see Debian bug #843602) which completely ignores /etc/default/nfdump.
Until that is resolved, we recommend that you disable the nfdump systemd service and have the system fall back to using SysV init scripts, combined with the nfdump init script that was shipped with opFlow (which is available as /usr/local/omk/install/nfdump.init.d).
A symptom of that issue would be that nfcapd is running with data directory /var/cache/nfdump, is listening on a port that is neither 9995 nor your NETFLOW_PORT from /etc/default/nfdump, does not include the "-T all" argument to enable netflow extensions, and does not include the -t argument for data rotation.

    ps ax | fgrep nfcapd
    # good: that one honours custom settings as it should
    1583 ?  S  0:47 /usr/bin/nfcapd -D -T all -l /data/opflow -t 120 -P /var/run/nfcapd.pid -p 12345
    # BAD: that's an nfcapd with undesirable hardcoded arguments
    1257 ?  S  0:00 /usr/bin/nfcapd -D -l /var/cache/nfdump -P /var/run/nfcapd.pid -p 2055
The forced switch to the SysV init script can be made by running the following commands as root (i.e. under sudo bash or the like):

    service nfdump stop
    dpkg-divert --rename --divert /lib/systemd/system/nfdump.service.disabled --add /lib/systemd/system/nfdump.service
    rm -f /etc/systemd/system/nfdump.service /etc/systemd/system/multi-user.target.wants/nfdump.service
    systemctl daemon-reload
    cp /usr/local/omk/install/nfdump.init.d /etc/init.d/nfdump
    systemctl daemon-reload
    # note that this will only work fully if you use the nfdump init script from /usr/local/omk/install/nfdump.init.d!
    service nfdump start

Afterwards, check the ps output again to confirm that nfcapd now runs with the values from /etc/default/nfdump.
opCommon
The following changes can be made in the opCommon configuration file /usr/local/omk/conf/opCommon.json
opflowd/nfdump
It is important that the "<opflow_dir>" entry in opCommon.json matches the DATA_BASE_DIR in the nfdump configuration. The shipping default of both is /var/cache/nfdump:

    "<opflow_dir>" : "/var/cache/nfdump"
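As an added example (not part of opFlow, nfdump or the FirstWave installer), the following POSIX shell script ties the nfdump override section and the opCommon check together: it reads DATA_BASE_DIR and NETFLOW_PORT from the platform override file, compares DATA_BASE_DIR with "<opflow_dir>" in opCommon.json, and inspects the running nfcapd processes for the symptoms listed in the systemd section above. It assumes the override file uses simple KEY=value lines, that "<opflow_dir>" sits on a single line in opCommon.json, and that ps supports -eo args= (procps); the two sample command lines are copied from the ps output shown above.

```shell
#!/bin/sh
# Added example (not part of opFlow or nfdump): a post-install sanity check
# that (1) reads the effective nfdump settings from the platform override file,
# (2) confirms "<opflow_dir>" in opCommon.json matches DATA_BASE_DIR, and
# (3) verifies every running nfcapd was started with those settings.
# The defaults below mirror the init script defaults quoted above; the file
# locations are the documented ones and can be overridden per call.

# Print KEY's value from a KEY=value / KEY="value" override file, or DEFAULT
# when the key is absent or the file is unreadable. Last assignment wins,
# as it would when the init script sources the file.
override_value() {
  file=$1; key=$2; default=$3; val=
  if [ -r "$file" ]; then
    val=$(sed -n "s/^[[:space:]]*$key=[\"']\{0,1\}\([^\"'[:space:]#]*\).*/\1/p" "$file" | tail -n 1)
  fi
  printf '%s\n' "${val:-$default}"
}

# Print the "<opflow_dir>" value from opCommon.json. Assumes the key and its
# value sit on one line (the usual layout of the shipped file).
opflow_dir_from_json() {
  sed -n 's/.*"<opflow_dir>"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 when opCommon.json and the nfdump override file agree on the
# flow data directory, 1 (with a message) otherwise.
check_dirs_match() {
  conf=$1; json=$2
  nf_dir=$(override_value "$conf" DATA_BASE_DIR /var/cache/nfdump)
  op_dir=$(opflow_dir_from_json "$json")
  if [ "$nf_dir" = "$op_dir" ]; then
    return 0
  fi
  echo "MISMATCH: DATA_BASE_DIR=$nf_dir but <opflow_dir>=$op_dir"
  return 1
}

# Check one nfcapd command line (as printed by "ps -o args=") against the
# expected data directory and port. Prints each problem; returns 0 if clean.
check_nfcapd_args() {
  cmdline=$1; want_dir=$2; want_port=$3; rc=0
  have_dir=; have_port=; have_ext=0; have_rot=0
  set -- $cmdline          # word-split; nfcapd arguments contain no spaces
  while [ $# -gt 0 ]; do
    case $1 in
      -l) have_dir=$2; shift ;;
      -p) have_port=$2; shift ;;
      -t) have_rot=1; shift ;;
      -T) [ "$2" = "all" ] && have_ext=1; shift ;;
    esac
    shift
  done
  [ "$have_dir" = "$want_dir" ]   || { echo "data dir '$have_dir', expected '$want_dir'"; rc=1; }
  [ "$have_port" = "$want_port" ] || { echo "port '$have_port', expected '$want_port'"; rc=1; }
  [ "$have_ext" -eq 1 ] || { echo "missing '-T all' (netflow extensions off)"; rc=1; }
  [ "$have_rot" -eq 1 ] || { echo "missing '-t' (no data rotation)"; rc=1; }
  return $rc
}

# Live check against the running system. Call with the override file for your
# platform: /etc/default/nfdump (Debian/Ubuntu) or /etc/sysconfig/nfdump.
check_running_nfcapd() {
  conf=${1:-/etc/default/nfdump}
  dir=$(override_value "$conf" DATA_BASE_DIR /var/cache/nfdump)
  port=$(override_value "$conf" NETFLOW_PORT 2055)
  ps -eo args= | grep '[n]fcapd' | while IFS= read -r line; do
    echo "== $line"
    check_nfcapd_args "$line" "$dir" "$port" && echo "   OK"
  done
}

# Constructed samples: the two process lines from the ps output shown above.
GOOD='/usr/bin/nfcapd -D -T all -l /data/opflow -t 120 -P /var/run/nfcapd.pid -p 12345'
BAD='/usr/bin/nfcapd -D -l /var/cache/nfdump -P /var/run/nfcapd.pid -p 2055'
check_nfcapd_args "$GOOD" /data/opflow 12345 && echo "sample 1: honours overrides"
check_nfcapd_args "$BAD"  /data/opflow 12345 || echo "sample 2: hardcoded defaults"
```

Source the script and run check_dirs_match /etc/default/nfdump /usr/local/omk/conf/opCommon.json before restarting the daemons, and check_running_nfcapd /etc/default/nfdump (or /etc/sysconfig/nfdump) after every change to the override file and after the SysV switch above; the second sample reproduces exactly the "BAD" process from the systemd section, so the four complaints it prints are the symptoms to look for.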
Restart the daemons
After making changes to the config make sure to restart all opFlow daemons.
    service nfdump restart
    service omkd restart
    service opflowd restart
Configuring your Flow exporters
A basic router configuration guide for exporting flow data is available here.
DNS
opFlow attempts to resolve all IP addresses, so DNS settings must be correct. Verify that the nameservers and search order listed in /etc/resolv.conf actually work, using dig, nslookup or host:

    cat /etc/resolv.conf
If you have very large numbers of distinct IP addresses in your flows you should DISABLE DNS lookups: change "opflow_resolve_endpoint_dns" : "true" to "false" in /usr/local/omk/conf/opCommon.json to speed up processing.
Each opFlow process has to wait for each of its DNS lookups, which means you will have a large number of processes waiting for DNS to return information. This is especially true for internet traffic, where resolution requires a PTR lookup that may have to be chased all the way to the authoritative server for that address's reverse zone, which can take a while.