Exporting Netflow from Linux with softflowd
NetFlow is an industry standard network protocol for monitoring traffic flows across a network interface. It is used most commonly by devices like firewalls, routers, and switches, but some software packages make it possible to export Netflow data from a server operating system - in this case Linux (with softflowd) - to a Netflow collector (LogicMonitor) for traffic analysis.
Ubuntu
Documentation here: http://manpages.ubuntu.com/manpages/xenial/man8/softflowd.8.html
The following assumes you have an Ubuntu device in your portal which you can access with sudoer permissions. It also assumes Netflow has been enabled for the device and the collector in question.
- Install softflowd:

    sudo apt-get install softflowd

- Open /etc/default/softflowd for editing:

    sudo nano /etc/default/softflowd

- Set the value for INTERFACE and add the destination ip:port (<collectorIP>:2055) under OPTIONS. Other options are available; check the link above for full documentation.

    #
    # configuration for softflowd
    #
    # note: softflowd will not start without an interface configured.
    # The interface softflowd listens on. You may also use "any" to listen
    # on all interfaces.
    INTERFACE="eth0"
    # Further options for softflowd, see "man softflowd" for details.
    # You should at least define a host and a port where the accounting
    # datagrams should be sent to, e.g.
    # OPTIONS="-n 127.0.0.1:9995"
    OPTIONS="-n 192.168.170.130:2055"

- Save your changes by pressing Ctrl-O, then exit nano by pressing Ctrl-X.
- Restart softflowd:

    sudo service softflowd restart

- Add a rule to the firewall to allow traffic on 2055 (NetFlow export is sent over UDP):

    sudo ufw allow 2055
CentOS
This is a bit more work since you can't just install a package; you'll need to download the source and compile.
Most of the information here comes from https://www.scribd.com/doc/199440303/Cacti-Netflow-Collector-Flowview-and-Softflowd
More good info: https://thwack.solarwinds.com/thread/59620
- Check to see if you have the compiler installed.

    which gcc

- If you don't get /usr/bin/gcc as the response, you'll need to install it.

    sudo yum install gcc

- Install libpcap-devel (you'll need this to compile softflowd).

    sudo yum install libpcap-devel

- Download the softflowd source.

    wget https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/softflowd/softflowd-0.9.9.tar.gz

- Make sure you're in the directory where you saved the download, then untar the downloaded source files.

    tar -xzvf softflowd-0.9.9.tar.gz
- Switch to the softflowd directory, then run the commands to compile and install it (the install step writes under /usr/local, so it needs root).

    cd softflowd-0.9.9
    ./configure
    make
    sudo make install

- Now we want to have softflowd start when the system boots. We'll need to add a line to the end of /etc/rc.d/rc.local. Use your device's interface after -i and your collector's IP address after -n.

    sudo nano /etc/rc.d/rc.local

  Add the following line to the end of the file:

    /usr/local/sbin/softflowd -i eth0 -n 10.13.37.111:2055

- Save your changes with Ctrl-O, exit nano with Ctrl-X.
- Make sure /etc/rc.d/rc.local is executable.

    sudo chmod +x /etc/rc.d/rc.local
- Open port 2055 in the firewall so the collector can receive the data. NetFlow export is carried over UDP, and a permanent firewalld rule only takes effect after a reload.

    sudo firewall-cmd --zone=public --add-port=2055/udp --permanent
    sudo firewall-cmd --reload

- Reboot the machine for all changes to take effect.
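Once either exporter is running, the quickest way to confirm the collector side is actually receiving well-formed data is to decode a datagram by hand. The following is an added example, not part of the original guide or of softflowd: it parses NetFlow v5 (the version softflowd exports unless -v is given), and the sample datagram, its addresses and the listen port are constructed for the test.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte NetFlow v5 flow record

def parse_netflow_v5(datagram: bytes) -> dict:
    """Return header fields and decoded flow records; reject truncated or non-v5 input."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, _uptime, unix_secs, _nsecs,
     flow_sequence, _engine_type, _engine_id, _sampling) = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    expected = HEADER.size + count * RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"header announces {count} records ({expected} bytes), got {len(datagram)}")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "sport": f[9], "dport": f[10], "proto": f[13],
                      "packets": f[5], "bytes": f[6], "tcp_flags": f[12]})
    return {"unix_secs": unix_secs, "flow_sequence": flow_sequence, "flows": flows}

def build_sample_datagram() -> bytes:
    """Constructed test datagram: one HTTPS flow from 192.168.170.10 to 203.0.113.5."""
    header = HEADER.pack(5, 1, 123456, 1700000000, 0, 42, 0, 0, 0)
    record = RECORD.pack(socket.inet_aton("192.168.170.10"), socket.inet_aton("203.0.113.5"),
                         b"\0\0\0\0", 2, 0, 12, 3400, 120000, 123400, 51514, 443,
                         0, 0x1b, 6, 0, 0, 0, 24, 24, 0)
    return header + record

def listen(port: int = 2055) -> None:
    """Bind the collector port (assumed 2055, as in the guide) and print one line per flow."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            data, (peer, _) = sock.recvfrom(65535)
            try:
                pkt = parse_netflow_v5(data)
            except ValueError as err:
                print(f"{peer}: dropped datagram: {err}")
                continue
            for fl in pkt["flows"]:
                print(f"{peer} seq={pkt['flow_sequence']} {fl['src']}:{fl['sport']} -> "
                      f"{fl['dst']}:{fl['dport']} proto={fl['proto']} bytes={fl['bytes']}")

if __name__ == "__main__":
    listen()
```

Run it on the collector host before pointing LogicMonitor at the port; a gap in the printed seq values indicates lost datagrams between exporter and collector.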
*Original guide courtesy of @Kurt Huffman at LogicMonitor