Font size: +
  Print

OpenWrt NetFlow and EventLog configuration

310 Hits
openwrt

 The OpenWrt Project is a Linux operating system that targets embedded devices. Instead of static firmware images, OpenWrt provides a filesystem with a package manager, similar to regular Linux systems. OpenWrt now supports numerous architectures, so you can install it on pretty much anything, even on hypervisors.

NetFlow configuration

For the NetFlow configuration, we will use softflowd. You can install it via GUI or by typing opkg install softflowd. Everything else is done in the terminal. The settings for softflowd are located in /etc/config/softflowd file. Here is an example:

Let's go through the most important parameters:

  • Enabled means that this interface is enabled for sending NetFlow data.
  • Interface is the one interface whose data will be sent. We are using specific notation 2:eth0 in this case because ifIndex of the eth0 interface is 2 and we want to be able to resolve interface names through discovery. You can find out the ifIndex of your interfaces by typing IP. The number before the interface name is the index number of the interface.
  • Host and port are different from case to case, but the export version can be 5,9 or IPFIX(10). 
  • There are numerous options when it comes to tracking_level, however we usually leave it as full
  • Sampling rate can be set as same as in the case of sFlow, whereas if we want to collect all the data we leave it as 1.
If you want to monitor more interfaces, add the abovementioned lines in /etc/conf/softflowd and modify the option interface.
After setting everything up, don't forget to restart softflowd with /etc/init.d/softflowd restart. You should soon see data in NetVizura.

Moreover, if we want to resolve interface names via SNMP we have two options: to install snmpd or lighter mini_snmpd. In the case of mini_snmpd, you need to edit /etc/config/mini_snmpd file and maybe configure listen_interface and enabled options. And don't forget to set community to something other then public, just in case. Restart the service with /etc/init.d/mini_snmpd restart. The interface and system discoverability should work now.


EventLog configuration

Syslog export need to be done in CLI, similar to the NetFlow one. In file /etc/config/system in the system suboption we need to add three lines:

Afterward, syslog messages should start flowing to NetVizura Eventlog Analyzer.

Tags:
netflow netflow analyzer network monitoring bandwidth monitoring elasticsearch eventlog eventlog analyzer alarm syslog
Sophos Firewall NetFlow and EventLog configuration

About the author

Nenad Spasic

Nenad Spasic

Subscribe to updates from author Unsubscribe to updates from author Nenad Spasic

In corporate IT for 10 years. Oracle Linux Sertified and Cisco Certified Network Associate (CCNA) certified. Always interested in new technologies and optimizing older ones, until they shine. Loves community and this is his way of sharing with everyone.

Author's recent posts
More posts from author

Related Posts

Contact

Mailing and Visiting Address:
Soneco d.o.o.
Makenzijeva 24/VI, 11000 Belgrade, Serbia
Phone: +381.11.6356319
Fax: +381.11.2455210
sales@netvizura.com | support@netvizura.com

CONNECT WITH US:

linkedin facebook facebook