09.12.2017

FastNetMon cookbook

Introduction

In this document you can find a number of useful tips about FastNetMon Advanced.

Configure FastNetMon to use external InfluxDB instance

Configure FastNetMon to send logs to remote syslog server

Upgrade FastNetMon to next stable release

Then apply the configuration changes:

How to login into MongoDB?

How could I backup MongoDB?

How could I import backup?

Be careful! This command will overwrite the current configuration with the data from the backup!

Then ask FastNetMon to re-read the new configuration:

How could I use custom host/port in fcli?

If you use a non-standard host and port for the API, you can specify them using environment variables:

Do you have replacement tool for fastnetmon_client?

You can create a script named fastnetmon_client.sh with the following content:

Then set the executable flag on it:

And run it using the watch command:

I want to use custom connection details for Mongo DB.

You can create a special file that fcli and the FastNetMon Advanced core read to pick up custom connection details:

And put the following in it:

I have a very large number of networks and do not want to specify them manually

You can use RADb data for this task. Use the whois tool and make the following query for 2-byte (16-bit) ASNs:

For 32-bit (4-byte) ASNs you can use this tool to convert them into two 16-bit numbers delimited by a dot: http://submit.apnic.net/cgi-bin/convert-asn.pl

Then you can use the following syntax:

Then you can use the aggregate tool to collapse the resulting prefixes. It is available in the Ubuntu repositories:

How to enable ASN lookups for traffic DB?

Run this tool to fill the ASN dictionaries (be prepared to wait 5-10 minutes):

Then reload the traffic_db daemon:

Then check the log file /var/log/fastnetmon/traffic_db.log for the line: “I found that you have ASN database. I will use it”

Could I use nfcapd or other Netflow forwarders?

Yes, you can, but all your devices must have a unique source_id, because we use agent_ip + source_id as the unique identifier for templates. Netflow forwarders/aggregators replace the agent's IP with the forwarder's IP, so devices that share a source_id end up with the same identifier and you could hit a template conflict. The result of such a conflict can be very dangerous: completely incorrect traffic processing or, in some rare cases, tool failures.

How could I select top K hosts by traffic in InfluxDB?

How could I select top K network by traffic amount in InfluxDB?

How to create host group?

To create a new group:

Enable ban actions for the my_new_group host group:

Then add the required networks:

And finally commit the changes:

I could not find traffic data in InfluxDB for particular hosts

First of all, please check that FNM sees traffic for this host. If a host has zero traffic we will not push data into InfluxDB.

If you do have traffic, check the InfluxDB log /var/log/influxdb/influxd.log for a record like “WARN: 100% of max-values-per-tag limit exceeded: (100096/100000), db=fastnetmon shard=7 measurement=hosts_traffic tag=host”.

This issue can be fixed by increasing the max-values-per-tag value in /etc/influxdb/influxdb.conf and restarting InfluxDB:

How does flow_spec_execute_validation work?

Validation includes the following checks:

  • Source prefix should be exactly /32
  • Destination prefix should be exactly /32
  • Source prefix should belong to networks_list
  • Destination prefix should belong to networks_list

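As an added illustration (not code from the FastNetMon project), the Python function below reproduces those four checks against a constructed networks_list, so you can see which part of a rule the validation would reject before you decide whether to disable it:

```python
import ipaddress

# Constructed stand-in for FastNetMon's networks_list setting (not a real deployment).
NETWORKS_LIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.0.2.0/25")]


def validate_flow_spec_rule(source_prefix, destination_prefix, networks_list=NETWORKS_LIST):
    """Apply the four flow_spec_execute_validation checks to one rule.

    Returns (ok, errors): ok is True only when both prefixes are exactly /32
    and both belong to one of the networks in networks_list.
    """
    errors = []
    for label, prefix in (("source", source_prefix), ("destination", destination_prefix)):
        try:
            # strict=False so that a host address with a short mask is reported
            # as "not /32" rather than as a parse error.
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError as exc:
            errors.append(f"{label} prefix {prefix!r} is not a valid prefix: {exc}")
            continue

        # Checks 1 and 2: the prefix must be exactly one IPv4 host.
        if net.version != 4 or net.prefixlen != 32:
            errors.append(f"{label} prefix {prefix} must be exactly /32")

        # Checks 3 and 4: the prefix must fall inside a configured network.
        covered = any(
            net.subnet_of(allowed)
            for allowed in networks_list
            if allowed.version == net.version
        )
        if not covered:
            errors.append(f"{label} prefix {prefix} does not belong to networks_list")

    return (not errors, errors)


if __name__ == "__main__":
    for rule in (("10.0.0.5/32", "192.0.2.10/32"),
                 ("10.0.0.1/24", "192.0.2.10/32"),
                 ("10.0.0.5/32", "198.51.100.1/32")):
        print(rule, validate_flow_spec_rule(*rule))
```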
You can disable it this way:

How could I remove all networks from networks_list?

How could I remove all host groups?