pmacct installation with ubuntu 14.04
Enable the RabbitMQ application repository. Note that this is the `testing` channel fetched over plain HTTP, so prefer the https:// form of the URL; writing the entry to a file under /etc/apt/sources.list.d/ instead of appending to sources.list avoids duplicate entries on re-runs; and this line, like the `apt-get update` below, needs root just as the later `sudo` commands do:
echo "deb http://www.rabbitmq.com/debian/ testing main" >> /etc/apt/sources.list | |
Add the verification key for the package. Fetch it over HTTPS rather than plain HTTP and compare its fingerprint with the one published by RabbitMQ before importing it: a key swapped on the wire by an on-path attacker makes every package from this repository trusted by apt. On newer Ubuntu releases `apt-key add` is deprecated; store the key in a keyring file and reference it with `signed-by=` in the sources entry instead:
curl http://www.rabbitmq.com/rabbitmq-signing-key-public.asc | sudo apt-key add - | |
Update the sources with our new addition from above: | |
apt-get update | |
And finally, download and install RabbitMQ: | |
sudo apt-get install rabbitmq-server | |
In order to manage the maximum amount of connections upon launch, open up and edit the following configuration file using nano: | |
sudo nano /etc/default/rabbitmq-server | |
Uncomment the limit line (i.e. remove #) before saving and exit by pressing CTRL+X followed with Y. | |
To enable RabbitMQ Management Console, run the following: | |
sudo rabbitmq-plugins enable rabbitmq_management | |
Once you've enabled the console, it can be accessed using your favourite web browser by visiting: http://[your droplet's IP]:15672/. The management listener is plain HTTP and by default listens on all interfaces, so do not expose port 15672 beyond a trusted network (firewall it, or put it behind a TLS-terminating reverse proxy).
The built-in account is guest/guest. Recent RabbitMQ releases only accept the guest user from localhost, but either way create a dedicated administrator with a strong password and delete or lock the guest account before the broker carries real traffic.
Note: If you enable this console after the service is already running, restart the rabbitmq-server service for the change to take effect.
Download jansson. The three tarballs in this section are fetched over plain HTTP or from GitHub releases with no checksum or signature verification; compare each one against the hash published by its project before building, and build as an unprivileged user so that only `make install` runs as root:
http://www.digip.org/jansson/releases/jansson-2.6.tar.gz | |
untar and ./configure && make && make install | |
RabbitMQ C AMQP client library | |
Download | |
https://github.com/alanxz/rabbitmq-c/releases/download/v0.5.0/rabbitmq-c-0.5.0.tar.gz | |
untar and ./configure && make && make install | |
For GeoIP support you need to compile geoip-api-c (MaxMind's legacy GeoIP C library):
https://github.com/maxmind/geoip-api-c/releases/download/v1.6.2/GeoIP-1.6.2.tar.gz | |
untar and ./configure && make && make install | |
./configure --enable-rabbitmq --with-rabbitmq-libs=/usr/local/lib --with-rabbitmq-includes=/usr/local/include/ --enable-jansson --enable-geoip | |
root@HP-ProBook-4430s:~/Downloads/pmacct-1.5.0rc3# ./configure --enable-rabbitmq --with-rabbitmq-libs=/usr/local/lib --with-rabbitmq-includes=/usr/local/include/ --enable-jansson | |
loading cache ./config.cache | |
checking for a BSD compatible install... (cached) /usr/bin/install -c | |
checking whether build environment is sane... yes | |
checking whether make sets ${MAKE}... (cached) yes | |
checking for working aclocal-1.4... missing | |
checking for working autoconf... found | |
checking for working automake-1.4... missing | |
checking for working autoheader... found | |
checking for working makeinfo... missing | |
checking for gcc... (cached) gcc | |
checking whether the C compiler (gcc ) works... yes | |
checking whether the C compiler (gcc ) is a cross-compiler... no | |
checking whether we are using GNU C... (cached) yes | |
checking whether gcc accepts -g... (cached) yes | |
checking OS... Linux | |
checking hardware... x86_64 | |
checking for ranlib... (cached) ranlib | |
checking whether to enable debugging compiler options... no | |
checking whether to relax compiler optimizations... no | |
checking whether to disable shared objects... no | |
checking for dlopen... (cached) no | |
checking for dlopen in -ldl... (cached) yes | |
checking for gmake... (cached) make | |
checking whether make sets ${MAKE}... (cached) yes | |
checking for __progname... yes | |
checking for extra flags needed to export symbols... --export-dynamic | |
checking for static inline... yes | |
checking endianess... little | |
checking unaligned accesses... ok | |
checking whether to enable L2 features... yes | |
checking whether to enable IPv6 code... no | |
checking whether to enable IP prefix labels... checking default locations for pcap.h... found in /usr/include | |
checking default locations for libpcap... no | |
checking for pcap_dispatch in -lpcap... (cached) yes | |
checking for pcap_setnonblock in -lpcap... (cached) yes | |
checking packet capture type... linux | |
checking whether to enable MySQL support... checking how to run the C preprocessor... (cached) gcc -E | |
no | |
checking whether to enable PostgreSQL support... no | |
checking whether to enable MongoDB support... no | |
checking whether to enable SQLite3 support... no | |
checking whether to enable RabbitMQ/AMQP support... yes | |
checking your own RabbitMQ library... ok | |
checking your own RabbitMQ headers... ok | |
checking whether to enable GeoIP support... no | |
checking whether to enable Jansson support... yes | |
checking default locations for Jansson library... found in /usr/local/lib | |
checking default locations for jansson.h... found in /usr/local/include | |
checking for ANSI C header files... (cached) yes | |
checking for sys/wait.h that is POSIX.1 compatible... (cached) yes | |
checking for getopt.h... (cached) yes | |
checking for sys/select.h... (cached) yes | |
checking for sys/time.h... (cached) yes | |
checking for u_int64_t in sys/types.h... yes | |
checking for u_int32_t in sys/types.h... yes | |
checking for u_int16_t in sys/types.h... yes | |
checking for u_int8_t in sys/types.h... yes | |
checking for uint64_t in sys/types.h... no | |
checking for uint32_t in sys/types.h... no | |
checking for uint16_t in sys/types.h... no | |
checking for uint8_t in sys/types.h... no | |
checking whether to enable 64bit counters... yes | |
checking whether to enable multithreading in pmacct... yes | |
checking whether to enable ULOG support... no | |
checking return type of signal handlers... (cached) void | |
checking for strlcpy... (cached) no | |
checking for vsnprintf... (cached) yes | |
checking for setproctitle... (cached) no | |
checking for mallopt... (cached) yes | |
PLATFORM ..... : x86_64 | |
OS ........... : Linux 3.13.0-24-generic (HP-ProBook-4430s) | |
COMPILER ..... : gcc | |
CFLAGS ....... : -O2 -g -O2 -I/usr/local/include -I/usr/local/include | |
LIBS ......... : -lpcap -ldl -L/usr/local/lib -lrabbitmq -L/usr/local/lib -ljansson -lpthread | |
SERVER_LIBS ...: -lnfprobe_plugin -Lnfprobe_plugin/ -lsfprobe_plugin -Lsfprobe_plugin/ -lbgp -Lbgp/ -ltee_plugin -Ltee_plugin/ -lisis -Lisis/ | |
LDFLAGS ...... : -Wl,--export-dynamic | |
Now type 'make' to compile the source code. | |
Are you willing to get in touch with other pmacct users? | |
Join the pmacct mailing-list by sending a message to pmacct-discussion-subscribe@pmacct.net | |
Need for documentation and examples? | |
Read the README file or go to http://wiki.pmacct.net/ | |
creating ./config.status | |
creating Makefile | |
creating src/Makefile | |
creating src/nfprobe_plugin/Makefile | |
creating src/sfprobe_plugin/Makefile | |
creating src/bgp/Makefile | |
creating src/tee_plugin/Makefile | |
creating src/isis/Makefile | |
root@HP-ProBook-4430s:~/Downloads/pmacct-1.5.0rc3# | |
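# Make the freshly built libraries in /usr/local/lib visible to the pmacct binaries.
# Only append the previous value when it is non-empty: "/usr/local/lib:" (trailing
# colon) makes the dynamic loader treat the empty entry as the current directory,
# so any .so dropped into the cwd would be picked up ahead of system libraries.
export LD_LIBRARY_PATH="/usr/local/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"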
Sample configuration writing data to a flat file
[/etc]$ cat nfacctd_dhana.conf | |
! Collector listener. NetFlow/IPFIX arrives over plain UDP with no authentication,
! so anything that can reach 192.168.70.54:9998 can inject accounting records.
! Restrict the port to the exporter address(es) with a host firewall; pmacct also
! has an exporter allow-list directive (nfacctd_allow_file) if this version supports it.
nfacctd_ip: 192.168.70.54 | |
nfacctd_port: 9998 | |
plugins: print[forensics] | |
aggregate[forensics]: src_host, dst_host, peer_src_ip, peer_dst_ip, in_iface, out_iface, timestamp_start, timestamp_end, src_port, dst_port, proto, tos, src_mask, dst_mask, src_as, dst_as, tcpflags | |
! NOTE(review): no plugin named int_traffic_matrix is listed under 'plugins:' above,
! so this aggregate line appears to be unused in this configuration.
aggregate[int_traffic_matrix]: in_iface, peer_src_ip, peer_dst_ip, peer_dst_as | |
!plugins: print | |
!aggregate[inbound]: dst_host | |
!aggregate[outbound]: src_host | |
! Debug logging prints every record; switch it off once the setup is verified.
debug: true | |
!daemonize: true | |
pidfile: /var/run/nfacctd.pid | |
!print_refresh_time: 900 | |
print_refresh_time: 90 | |
print_history: 15m | |
print_output: json | |
! Output goes to world-writable /tmp under a predictable name. If nfacctd runs as
! root (as is usual, since it writes /var/run), a local user could pre-create that
! path, or a symlink at it, before the daemon does and tamper with or redirect the
! accounting data. Point this at a directory owned by the daemon's user with mode 0700.
print_output_file: /tmp/file-%Y%m%d-%H%M.txt | |
print_history_roundoff: m | |
for Execution | |
============= | |
nfacctd -f nfacctd_dhana.conf | |
ERROR ( 5m_ipip/amqp ): Connection failed to RabbitMQ: login | |
^CERROR ( 5m_ipip/amqp ): Connection failed to RabbitMQ: login | |
OK: Exiting ... | |
[~]$ cat /etc/nfacctd_amqp.conf | |
! Collector listener. NetFlow arrives over unauthenticated UDP, so restrict
! 192.168.70.54:9998 to the exporter (the ASA) with a host firewall; pmacct's
! nfacctd_allow_file directive can enforce an exporter allow-list if this version has it.
nfacctd_ip: 192.168.70.54 | |
nfacctd_port: 9998 | |
! Raised after the "We are missing data" errors further down, which reported
! 4096000 / 888 as the values in effect at the time.
plugin_pipe_size: 32576000 | |
plugin_buffer_size: 325760 | |
debug: true | |
daemonize: false | |
! NOTE(review): this disables pmacct's sanity checks on the incoming stream. It is
! a performance/compatibility knob, not an authentication control -- spoofed
! records are accepted either way; confirm the exact semantics in CONFIG-KEYS.
nfacctd_disable_checks: true | |
nfacctd_time_new: true | |
! AMQP connection details | |
! Clear-text broker credentials using the default guest/guest account. Use a
! dedicated publisher user with write permission on the 'pmacct' exchange only,
! keep this file readable solely by the daemon's user (0600), and remember the
! AMQP connection is unencrypted -- acceptable on localhost, not across hosts.
amqp_host: localhost | |
amqp_user: guest | |
amqp_passwd: guest | |
amqp_exchange: pmacct | |
amqp_routing_key: acct | |
plugins: amqp[5m_ipip] | |
! 5 minutely IP to IP | |
aggregate[5m_ipip]: src_host, dst_host, src_port, dst_port, proto, peer_src_ip | |
! Per-plugin routing key overrides the global 'acct' above; the example receiver
! below binds its queue to this key.
amqp_routing_key[5m_ipip]: 5m_ipip | |
amqp_history[5m_ipip]: 5m | |
amqp_time_roundoff[5m_ipip]: m | |
amqp_refresh_time[5m_ipip]: 300 | |
[~]$ | |
ERROR ( 5m_ipip/amqp ): We are missing data. | |
If you see this message once in a while, discard it. Otherwise some solutions follow: | |
- increase shared memory size, 'plugin_pipe_size'; now: '4096000'. | |
- increase buffer size, 'plugin_buffer_size'; now: '888'. | |
- increase system maximum socket size. | |
ERROR ( 5m_ipip/amqp ): We are missing data. | |
If you see this message once in a while, discard it. Otherwise some solutions follow: | |
- increase shared memory size, 'plugin_pipe_size'; now: '4096000'. | |
- increase buffer size, 'plugin_buffer_size'; now: '888'. | |
- increase system maximum socket size. | |
LINKS :: | |
======== | |
http://www.menog.org/presentations/menog-13/203-Lucente_collecting_netflow_with_pmacct_v1.1.pdf | |
https://github.com/Tilka/pmacct/blob/master/CONFIG-KEYS | |
KEY: [ sql_host | mongo_host | amqp_host ] | |
DESC: defines the backend server IP/hostname (default: localhost). | |
KEY: [ sql_user | mongo_user | amqp_user ] | |
DESC: defines the username to use when connecting to the server. In MongoDB, if both | |
mongo_user and mongo_passwd directives are omitted, authentication is disabled; | |
if only one of the two is specified, the other is set to its default value. | |
(default: pmacct). | |
KEY: [ sql_passwd | mongo_passwd | amqp_passwd ]
DESC: defines the password to use when connecting to the server. In MongoDB, if both
mongo_user and mongo_passwd directives are omitted, authentication is disabled;
if only one of the two is specified, the other is set to its default value.
(default: arealsmartpwd). Note that the defaults pmacct / arealsmartpwd are documented and therefore public: always set an explicit user and password, and keep the configuration file readable only by the account the daemon runs as.
KEY: [ sql_refresh_time | print_refresh_time | mongo_refresh_time | amqp_refresh_time ] (-r) | |
DESC: time interval, in seconds, between consecutive executions of the plugin cache scanner. The | |
scanner purges data into the plugin backend. Note: internally all these config directives | |
write to the same variable; when using multiple plugins it is recommended to bind refresh | |
time definitions to specific plugins, ie.: | |
plugins: mysql[x], mongodb[y] | |
sql_refresh_time[x]: 900 | |
mongo_refresh_time[y]: 300 | |
As doing otherwise can originate unexpected behaviours. | |
KEY: [ sql_history | print_history | mongo_history | amqp_history ] | |
VALUES: #[m|h|d|w|M] | |
DESC: enables historical accounting by placing accounted data into configurable time-bins. It | |
will use the 'stamp_inserted' (base time of the time-bin) and 'stamp_updated' (last time | |
the time-bin was touched) fields. The supplied value defines the time slot length during | |
which counters are accumulated. For a nice effect, it's advisable to pair this directive
with 'sql_history_roundoff'. In nfacctd, where a flow can span across multiple time-bins, | |
flow counters are pro-rated (seconds timestamp resolution) over involved time-bins. | |
Note that this value is fully disjoint from the 'sql_refresh_time' directive which sets | |
the time intervals at which data has to be written to the RDBMS instead. The final effect | |
is close to time slots in a RRD file. Examples of valid values are: '5m' - five minutes, | |
'1h' - one hour, '4h' - four hours, '1d' - one day, '1w' - one week, '1M' - one month). | |
KEY: [ sql_history_offset | print_history_offset | mongo_history_offset | amqp_history_offset ] | |
DESC: Sets an offset to timeslots basetime. If history is set to 30 mins (by default creating | |
10:00, 10:30, 11:00, etc. time-bins), with an offset of 900 seconds (so 15 mins) it will | |
create 10:15, 10:45, 11:15, etc. time-bins. It expects a positive value, in seconds. | |
(default: 0) | |
KEY: [ sql_history_roundoff | print_history_roundoff | mongo_history_roundoff | | |
amqp_history_roundoff ] | |
VALUES [m,h,d,w,M] | |
DESC: enables alignment of minutes (m), hours (h), days of month (d), weeks (w) and months (M) | |
in print (to print_refresh_time) and SQL plugins (to sql_history and sql_refresh_time). | |
Suppose you go with 'sql_history: 1h', 'sql_history_roundoff: m' and it's 6:34pm. Rounding | |
off minutes gives you an hourly timeslot (1h) starting at 6:00pm; so, subsequent ones will | |
start at 7:00pm, 8:00pm, etc. Now, you go with 'sql_history: 5m', 'sql_history_roundoff: m' | |
and it's 6:37pm. Rounding off minutes will result in a first slot starting at 6:35pm; next | |
slot will start at 6:40pm, and then every 5 minutes (6:45pm ... 7:00pm, etc.). 'w' and 'd' | |
are mutually exclusive, that is: you can either reset the date to last Monday or reset the | |
date to the first day of the month. | |
KEY: [ sql_cache_entries | print_cache_entries | mongo_cache_entries | amqp_cache_entries ] | |
DESC: SQL and other plugins sport a Plugin Memory Cache (PMC) meant to accumulate bytes/packets | |
counters until next purging event (for further insights take a look to 'sql_refresh_time'). | |
This directive sets the number of PMC buckets. Default value is suitable for most common | |
scenarios, however when facing large-scale networks, it's highly recommended to carefully
tune this parameter to improve performance. Use a prime number of buckets.
(default: sql_cache_entries: 32771, print_cache_entries: 16411) | |
KEY: amqp_exchange | |
DESC: Name of the AMQP exchange to publish data (default: pmacct). | |
KEY: amqp_exchange_type | |
DESC: Type of the AMQP exchange to publish data. Currently only 'direct' and 'fanout' types are | |
supported. (default: direct). | |
KEY: amqp_routing_key | |
DESC: Name of the AMQP routing key to attach to published data. Dynamic names are supported through | |
the use of variables, which are computed at the moment when data is purged to the backend. The | |
list of supported variables follows (default: acct): | |
$peer_src_ip Value of the peer_src_ip primitive of the record being processed. | |
$pre_tag Value of the tag primitive of the record being processed. | |
$post_tag Configured value of post_tag. | |
KEY: amqp_persistent_msg | |
VALUES: [ true | false ] | |
DESC: Marks messages as persistent so that a queue content does not get lost if RabbitMQ restarts. | |
Note from RabbitMQ docs: "Marking messages as persistent doesn't fully guarantee that a | |
message won't be lost. Although it tells RabbitMQ to save message to the disk, there is | |
still a short time window when RabbitMQ has accepted a message and hasn't saved it yet. | |
Also, RabbitMQ doesn't do fsync(2) for every message -- it may be just saved to cache and | |
not really written to the disk. The persistence guarantees aren't strong, but it is more | |
than enough for our simple task queue.". | |
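# Dedicated vhost plus a least-privilege user for the aliveness probe: the user can
# only touch statuscheckvhost, and the 'management' tag grants HTTP-API access without
# administrator rights. The password is generated rather than hard-coded (a fixed,
# guessable value would let anyone on the network poll the API with valid credentials)
# and is handed to curl through a 0600 config file so it does not appear in `ps`
# output or shell history. rabbitmqctl add_user itself still takes the password as an
# argument, so run this where the process list is trusted.
vhost=statuscheckvhost
user=heartbeat
pw=$(openssl rand -hex 16) || exit 1
rabbitmqctl add_vhost "$vhost"
rabbitmqctl add_user "$user" "$pw"
rabbitmqctl set_permissions -p "$vhost" "$user" ".*" ".*" ".*"
rabbitmqctl set_user_tags "$user" management
curlrc="$HOME/.rabbitmq-heartbeat.curlrc"
( umask 077; printf 'user = "%s:%s"\n' "$user" "$pw" > "$curlrc" ) || exit 1
# Port 55672 is the pre-3.0 management port; RabbitMQ 3.x serves the same API on
# 15672 (the port used for the management console earlier on this page).
curl -i -K "$curlrc" "http://127.0.0.1:55672/api/aliveness-test/$vhost"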
HTTP/1.1 200 OK | |
Server: MochiWeb/1.1 WebMachine/1.9.0 (someone had painted it blue) | |
Date: Thu, 21 Feb 2013 22:20:10 GMT | |
Content-Type: application/json | |
Content-Length: 15 | |
Cache-Control: no-cache | |
{"status":"ok"} | |
Logstash configuration File: | |
[/usr/local/logstash]$ cat conf/shipper_amqp.conf | |
# Consume the records the pmacct amqp plugin publishes to exchange 'pmacct'
# with routing key '5m_ipip', and dump them to stdout for inspection.
input { | |
rabbitmq { | |
host => "localhost" | |
exchange => "pmacct" | |
key => "5m_ipip" | |
# Clear-text broker credentials for the default guest account. Keep this file
# non-world-readable and use a dedicated consumer user whose permissions are
# limited to the pmacct exchange/queue rather than guest.
user => "guest" | |
password => "guest" | |
} | |
} | |
output { | |
stdout { codec => rubydebug } | |
} | |
[~/pmacct-1.5.0rc3/examples/amqp]$ cat amqp_receiver.py | |
#!/usr/bin/python | |
# | |
# If missing 'pika' read how to download it at: | |
# http://www.rabbitmq.com/tutorials/tutorial-one-python.html | |
# | |
import pika | |
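# Broker connection. This relies on pika's defaults: the guest/guest account and
# plain AMQP on port 5672 with no TLS. Recent RabbitMQ releases only accept guest
# from loopback, so this works against a local broker; for anything else pass
# PlainCredentials for a dedicated, least-privilege consumer user and consider
# enabling TLS on the connection parameters.
connection = pika.BlockingConnection(pika.ConnectionParameters(
    host='localhost'))
channel = connection.channel()

# Same exchange / routing key the pmacct amqp plugin publishes to
# (amqp_exchange: pmacct, amqp_routing_key[5m_ipip]: 5m_ipip).
channel.exchange_declare(exchange='pmacct', type='direct')
# Non-durable queue: its contents are lost if the broker restarts.
channel.queue_declare(queue='acct_1')
channel.queue_bind(exchange='pmacct', routing_key='5m_ipip', queue='acct_1')

# print() with a single argument behaves the same under Python 2 and 3, unlike the
# bare print statement, so the example runs on either interpreter.
print(' [*] Example inspired from: http://www.rabbitmq.com/getstarted.html')
print(' [*] Waiting for messages on E=pmacct,direct RK=5m_ipip Q=acct_1 H=localhost. Edit code to change any parameter. To exit press CTRL+C')


def callback(ch, method, properties, body):
    """Print one accounting record and acknowledge it.

    The explicit ack (paired with no_ack=False in basic_consume below) means a
    record is only removed from the queue once this consumer has handled it;
    with automatic acks a crash between delivery and processing would silently
    drop accounting data.
    """
    print(" [x] Received %r" % (body,))
    ch.basic_ack(delivery_tag=method.delivery_tag)


channel.basic_consume(callback,
                      queue='acct_1',
                      no_ack=False)
channel.start_consuming()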
[~/pmacct-1.5.0rc3/examples/amqp]$ | |
ASA(config)# flow-export destination Systems 192.168.70.54 9998 | |
ASA(config)# access-list flow_export_acl permit ip any any | |
ASA(config)# class-map flow_export_class | |
ASA(config-cmap)# match access-list flow_export_acl | |
ASA(config)# policy-map global_policy | |
ASA(config-pmap)# class flow_export_class | |
ASA(config-pmap-c)# flow-export event-type all destination 192.168.70.54 | |
flow-export delay flow-create | |
root@HP-ProBook-4430s:~# cat /etc/pmacctd_print.conf | |
debug: true | |
daemonize: false | |
! Live capture on wlan0 needs root or CAP_NET_RAW, so this runs privileged; the
! broker credentials below are readable by whoever can read this file -- keep it 0600.
interface: wlan0 | |
! AMQP connection details | |
! Default guest/guest account in clear text. Replace it with a dedicated publisher
! user that only has write permission on the 'pmacct' exchange.
amqp_host: localhost | |
amqp_user: guest | |
amqp_passwd: guest | |
amqp_exchange: pmacct | |
! The routing key is commented out, so messages are published with the default
! key ('acct'), not the '5m_ipip' key the example receiver on this page binds to.
!amqp_routing_key: acct | |
! NOTE(review): the filters here use 192.168.0.0/24 while pretag.map (below) uses
! 192.168.0.0/16; confirm which prefix is intended so tags and filters agree.
aggregate[inbound]: tag,src_host, dst_host, src_port, dst_port, proto | |
aggregate_filter[inbound]: dst net 192.168.0.0/24 | |
aggregate[outbound]: tag,src_host, dst_host, src_port, dst_port, proto | |
aggregate_filter[outbound]: src net 192.168.0.0/24 | |
!networks_file: /etc/pmacct/hosts | |
pre_tag_map: /etc/pmacct/pretag.map | |
plugins: amqp[inbound],amqp[outbound] | |
root@HP-ProBook-4430s:~# pmacctd -f /etc/pmacctd_print.conf | |
root@HP-ProBook-4430s:~# cat /etc/pmacct/hosts | |
192.168.0.0/24 | |
root@HP-ProBook-4430s:~# cat /etc/pmacct/pretag.map | |
id=1 filter='dst net 192.168.0.0/16' | |
id=2 filter='src net 192.168.0.0/16' | |
root@HP-ProBook-4430s:~# | |