The OpenWrt Project is a Linux operating system that targets embedded devices. Instead of static firmware images, OpenWrt provides a filesystem with a package manager, similar to regular Linux systems. OpenWrt now supports numerous architectures, so you can install it on pretty much anything, even on hypervisors.

NetFlow configuration

For the NetFlow configuration, we will use softflowd. You can install it via the GUI or by typing opkg install softflowd. Everything else is done in the terminal. The settings for softflowd are located in the /etc/config/softflowd file. Here is an example:

config softflowd
  option enabled '1'
  option interface '2:eth0'
  option pcap_file ''
  option timeout ''
  option max_flows '8192'
  option host_port ''
  option pid_file '/var/run/'
  option control_socket '/var/run/softflowd.ctl'
  option export_version '9'
  option hoplimit ''
  option tracking_level 'full'
  option track_ipv6 '1'
  option sampling_rate '1'

Let's go through the most important parameters:

  • Enabled means that this interface is enabled for sending NetFlow data.
  • Interface is the interface whose traffic will be exported. We use the notation 2:eth0 here because the ifIndex of the eth0 interface is 2 and we want to be able to resolve interface names through discovery. You can find out the ifIndex of your interfaces by typing IP. The number before the interface name is the index number of the interface.
  • Host and port differ from case to case, but the export version can be 5, 9 or IPFIX (10).
  • There are numerous options for tracking_level, but we usually leave it as full.
  • Sampling rate can be set the same way as for sFlow; if we want to collect all the data, we leave it at 1.

If you want to monitor more interfaces, add the above-mentioned lines to /etc/config/softflowd and modify the option interface. After setting everything up, don't forget to restart softflowd with /etc/init.d/softflowd restart. You should soon see data in NetVizura.

Moreover, if we want to resolve interface names via SNMP, we have two options: install snmpd or the lighter mini_snmpd. In the case of mini_snmpd, you need to edit the /etc/config/mini_snmpd file and possibly configure the listen_interface and enabled options. And don't forget to set community to something other than public, just in case. Restart the service with /etc/init.d/mini_snmpd restart. The interface and system discoverability should work now.
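
A consistency check for the two settings above, as an added example that is not part of the original article: it compares each ifIndex prefix in the softflowd interface option with the kernel's value in /sys/class/net/<name>/ifindex and flags an SNMP community that is empty or still public. The function names are made up for this example, and it assumes mini_snmpd stores the community as "option community" in its UCI file.

```shell
#!/bin/sh
# Added example: audit helpers for the softflowd / mini_snmpd setup above.
# Function names are hypothetical; paths are parameters so the checks can be
# tried against sample files as well as the live ones.

# uci_values FILE KEY: print the value of every "option KEY 'value'" line.
uci_values() {
    awk -v k="$2" '$1 == "option" && $2 == k { print $3 }' "$1" | tr -d "'\""
}

# check_ifindex CONFIG [SYSFS_NET]: for each "N:name" interface value, compare
# N with the kernel's ifIndex in <SYSFS_NET>/<name>/ifindex.
check_ifindex() {
    cfg=$1; sysnet=${2:-/sys/class/net}; rc=0
    for spec in $(uci_values "$cfg" interface); do
        case $spec in
            *:*) idx=${spec%%:*}; name=${spec#*:} ;;
            *)   echo "WARN $spec: no ifIndex prefix"; continue ;;
        esac
        if [ ! -r "$sysnet/$name/ifindex" ]; then
            echo "FAIL $spec: interface $name not found"; rc=1; continue
        fi
        real=$(cat "$sysnet/$name/ifindex")
        if [ "$idx" = "$real" ]; then
            echo "OK   $spec"
        else
            echo "FAIL $spec: kernel ifIndex is $real"; rc=1
        fi
    done
    return $rc
}

# check_community CONFIG: fail when the SNMP community is empty or "public".
# Assumption: the community is stored as "option community '...'".
check_community() {
    comm=$(uci_values "$1" community | head -n 1)
    case $comm in
        ''|public) echo "FAIL community is empty or still 'public'"; return 1 ;;
        *)         echo "OK   community differs from the default"; return 0 ;;
    esac
}

# On the router: audit the live files when they exist.
[ ! -f /etc/config/softflowd ] || check_ifindex /etc/config/softflowd
[ ! -f /etc/config/mini_snmpd ] || check_community /etc/config/mini_snmpd
```

A mismatch reported by check_ifindex means the collector would attribute the exported flows to the wrong interface name after discovery.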

EventLog configuration

Syslog export needs to be done in the CLI, similar to the NetFlow one. In the file /etc/config/system, in the system section, we need to add three lines:

option log_ip
option log_port 33514
option log_proto udp

Afterward, syslog messages should start flowing to NetVizura Eventlog Analyzer.