
OpenWrt NetFlow and EventLog configuration


The OpenWrt Project is a Linux operating system that targets embedded devices. Instead of static firmware images, OpenWrt provides a filesystem with a package manager, similar to regular Linux systems. OpenWrt now supports numerous architectures, so you can install it on pretty much anything, even on hypervisors.

NetFlow configuration

For the NetFlow configuration we will use softflowd. You can install it via the GUI or by typing opkg install softflowd. Everything else is done in the terminal. The settings for softflowd are located in the /etc/config/softflowd file. Here is an example:

Let's go through the most important parameters:

  • Enabled means that this interface is enabled for sending NetFlow data.
  • Interface is the interface whose traffic will be exported. We use the 2:eth0 notation here because the ifIndex of the eth0 interface is 2 and we want to be able to resolve interface names through discovery. You can find the ifIndex of your interfaces by typing ip link; the number before the interface name is its index.
  • Host and port differ from case to case, but the export version can be 5, 9 or IPFIX (10).
  • There are numerous options for tracking_level; however, we usually leave it as full.
  • Sampling rate can be set in the same way as for sFlow; if we want to collect all the data, we leave it at 1.

If you want to monitor more interfaces, add the lines above again in /etc/config/softflowd and modify the option interface.
After setting everything up, don't forget to restart softflowd with /etc/init.d/softflowd restart. You should soon see data in NetVizura.
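Since the configuration file itself is not reproduced above, here is an added example (not code from the original post or from the softflowd project) that emits a softflowd stanza in OpenWrt's UCI format and derives the 2:eth0 interface notation from ip link output. The collector address 192.168.1.10, port 2055, NetFlow v9 and the sample ip link listing are assumptions; the option names enabled, interface, host_port, export_version, tracking_level and sampling_rate are the ones the OpenWrt softflowd package reads. Values softflowd would reject (an unknown export version, a port out of range, a sampling rate of 0) are refused before anything is written.

```shell
#!/bin/sh
# Added example, not from the original post: emit the /etc/config/softflowd
# stanza described above and derive the "ifIndex:name" interface notation from
# `ip link` output. Collector 192.168.1.10:2055, NetFlow v9 and the sample
# listing below are assumptions.

# Constructed sample of `ip link` output (the ifIndex precedes the name).
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP'

# ifindex_of NAME: read `ip link` text on stdin and print NAME's ifIndex.
# Returns 1 when NAME is not listed, so a caller never silently gets "".
ifindex_of() {
    awk -v want="$1" -F': ' '$2 == want { print $1; found = 1; exit }
                              END { exit !found }'
}

# ifspec_for NAME: the "2:eth0" form, so the collector can match exported
# flows to the interface it later discovers via SNMP.
ifspec_for() {
    idx=$(ifindex_of "$1") || return 1
    printf '%s:%s\n' "$idx" "$1"
}

# softflowd only speaks NetFlow v5, v9 and IPFIX (10).
valid_export_version() {
    case "$1" in 5|9|10) return 0 ;; *) return 1 ;; esac
}

# softflowd_stanza IFSPEC HOST PORT [VERSION] [SAMPLING]: print one UCI stanza,
# rejecting values softflowd would not accept instead of writing a bad config.
softflowd_stanza() {
    ifspec=$1 host=$2 port=$3 version=${4:-9} sampling=${5:-1}
    valid_export_version "$version" ||
        { echo "export_version must be 5, 9 or 10, got '$version'" >&2; return 1; }
    case "$port" in ''|*[!0-9]*) echo "port must be numeric: '$port'" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "port out of range: $port" >&2; return 1; }
    # sampling_rate 1 exports every flow; 0 or non-numeric is a misconfiguration
    case "$sampling" in ''|*[!0-9]*|0) echo "sampling_rate must be >= 1" >&2; return 1 ;; esac
    cat <<EOF
config softflowd
    option enabled '1'
    option interface '$ifspec'
    option host_port '$host:$port'
    option export_version '$version'
    option tracking_level 'full'
    option sampling_rate '$sampling'
EOF
}

# On the router (assumed usage):
#   sh softflowd-stanza.sh eth0 192.168.1.10 2055 9 1 >> /etc/config/softflowd
#   /etc/init.d/softflowd restart
if [ $# -ge 3 ]; then
    spec=$(ip link | ifspec_for "$1") ||
        { echo "interface '$1' not found in ip link output" >&2; exit 1; }
    softflowd_stanza "$spec" "$2" "$3" "$4" "$5"
fi
```

Run without arguments the script only defines the functions, which keeps it safe to source; with an interface name, collector host and port it reads the live ip link output and prints the stanza to append to /etc/config/softflowd, one stanza per monitored interface.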

Moreover, if we want to resolve interface names via SNMP, we have two options: install snmpd or the lighter mini_snmpd. In the case of mini_snmpd, you need to edit the /etc/config/mini_snmpd file and possibly configure the listen_interface and enabled options. And don't forget to set community to something other than public, just in case. Restart the service with /etc/init.d/mini_snmpd restart. Interface and system discovery should work now.

EventLog configuration

Syslog export needs to be done from the CLI, similar to the NetFlow one. In the file /etc/config/system, in the system section, we need to add three lines:
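The three lines themselves are not reproduced above, so here is an added example (not code from the original post) showing the remote-syslog options that belong in the config system section of /etc/config/system, together with the equivalent uci commands that edit that section in place. The collector address 192.168.1.10, port 514 and UDP transport are assumptions; the option names log_ip, log_port and log_proto are the ones OpenWrt's logd reads, and the log init script name is assumed to be /etc/init.d/log as on current releases.

```shell
#!/bin/sh
# Added example, not from the original post: the remote-syslog settings that
# go into the "config system" section of /etc/config/system, plus the
# equivalent uci commands. Collector 192.168.1.10:514 over UDP is assumed.

# valid_log_proto PROTO: logd forwards over udp (the default) or tcp only.
valid_log_proto() {
    case "$1" in udp|tcp) return 0 ;; *) return 1 ;; esac
}

# valid_port PORT: numeric and within 1-65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# syslog_options HOST [PORT] [PROTO]: the three option lines to add inside the
# "config system" section, indented the way OpenWrt keeps them.
syslog_options() {
    host=$1 port=${2:-514} proto=${3:-udp}
    [ -n "$host" ] || { echo "log_ip (collector address) is required" >&2; return 1; }
    valid_port "$port" || { echo "log_port out of range: '$port'" >&2; return 1; }
    valid_log_proto "$proto" || { echo "log_proto must be udp or tcp: '$proto'" >&2; return 1; }
    printf "    option log_ip '%s'\n    option log_port '%s'\n    option log_proto '%s'\n" \
        "$host" "$port" "$proto"
}

# syslog_uci_commands HOST [PORT] [PROTO]: the same change expressed as uci
# calls, which modify the first (normally the only) "config system" section
# and then restart logd so the new destination takes effect.
syslog_uci_commands() {
    syslog_options "$1" "$2" "$3" >/dev/null || return 1
    cat <<EOF
uci set system.@system[0].log_ip='$1'
uci set system.@system[0].log_port='${2:-514}'
uci set system.@system[0].log_proto='${3:-udp}'
uci commit system
/etc/init.d/log restart
EOF
}

# Assumed usage on the router: print the option lines to paste into the
# "config system" section, or pipe the uci form straight into sh.
#   sh syslog-options.sh 192.168.1.10 514 udp
#   sh syslog-options.sh 192.168.1.10 514 udp --uci | sh
if [ $# -ge 1 ]; then
    if [ "$4" = "--uci" ]; then
        syslog_uci_commands "$1" "$2" "$3"
    else
        syslog_options "$1" "$2" "$3"
    fi
fi
```

Using uci rather than editing the file by hand avoids accidentally creating a second config system section, which is the usual cause of settings that appear in the file but are never applied.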

Afterward, syslog messages should start flowing to NetVizura Eventlog Analyzer.
