OpenWrt NetFlow and EventLog configuration

 The OpenWrt Project is a Linux operating system that targets embedded devices. Instead of static firmware images, OpenWrt provides a filesystem with a package manager, similar to regular Linux systems. OpenWrt now supports numerous architectures, so you can install it on pretty much anything, even on hypervisors.

NetFlow configuration

For the NetFlow configuration, we will use softflowd. You can install it via GUI or by typing opkg install softflowd. Everything else is done in the terminal. The settings for softflowd are located in /etc/config/softflowd file. Here is an example:

Let's go through the most important parameters:

• Enabled means that this interface is enabled for sending NetFlow data.
• Interface is the one interface whose data will be sent. We are using specific notation 2:eth0 in this case because ifIndex of the eth0 interface is 2 and we want to be able to resolve interface names through discovery. You can find out the ifIndex of your interfaces by typing IP. The number before the interface name is the index number of the interface.
• Host and port are different from case to case, but the export version can be 5,9 or IPFIX(10). 
• There are numerous options when it comes to tracking_level, however we usually leave it as full. 
• Sampling rate can be set as same as in the case of sFlow, whereas if we want to collect all the data we leave it as 1.

Moreover, if we want to resolve interface names via SNMP we have two options: to install snmpd or lighter mini_snmpd. In the case of mini_snmpd, you need to edit /etc/config/mini_snmpd file and maybe configure listen_interface and enabled options. And don't forget to set community to something other then public, just in case. Restart the service with /etc/init.d/mini_snmpd restart. The interface and system discoverability should work now.

Afterward, syslog messages should start flowing to NetVizura Eventlog Analyzer.