Exporting Netflow from Linux with softflowd

NetFlow is an industry standard network protocol for monitoring traffic flows across a network interface. It is used most commonly by devices like firewalls, routers, and switches, but some software packages make it possible to export Netflow data from a server operating system - in this case Linux (with softflowd) - to a Netflow collector (LogicMonitor) for traffic analysis.

Ubuntu

Documentation here: http://manpages.ubuntu.com/manpages/xenial/man8/softflowd.8.html

The following assumes you have an Ubuntu device in your portal which you can access with sudoer permissions. It also assumes Netflow has been enabled for the device and the collector in question.

1. Install softflowd:

   sudo apt-get install softflowd

2.  

3. Open  /etc/default/softflowd for editing:

4. sudo nano /etc/default/softflowd

5.  

6. Set the value for INTERFACE and add the destination ip:port (<collectorIP>:2055) under OPTIONS. Other options are available, check the link above for full documentation.

   # # configuration for softflowd # # note: softflowd will not start without an interface configured. # The interface softflowd listens on. You may also use "any" to listen # on all interfaces. INTERFACE="eth0" # Further options for softflowd, see "man softflowd" for details. # You should at least define a host and a port where the accounting # datagrams should be sent to, e.g. # OPTIONS="-n 127.0.0.1:9995" OPTIONS="-n 192.168.170.130:2055"

7.  
8. Save your changes by pressing Ctrl-O, then exit nano by pressing Ctrl-X.

9. Restart softflowd.

   sudo service softflowd restart

10.  

11. Add a rule to the firewall to allow traffic on 2055.

    sudo ufw allow 2055

CentOs

This is a bit more work since you can't just install a package; you'll need to download the source and compile.

Most of the information here comes from https://www.scribd.com/doc/199440303/Cacti-Netflow-Collector-Flowview-and-Softflowd

More good info: https://thwack.solarwinds.com/thread/59620

1. Check to see if you have the compiler installed.

   which gcc

    

2. If you don't get /usr/bin/gcc as the response, you'll need to install it.

   sudo yum install gcc

3.  

4. Install libpcap-devel (you'll need this to compile softflowd).

   sudo yum install libpcap-devel

5.  

6. Download the softflowd source.

   wget https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/softflowd/softflowd-0.9.9.tar.gz

7.  

8. Make sure you're in the directory where you saved the download, then untar the dowloaded source files.

   tar -xzvf softflowd-0.9.9.tar.gz

9.  

10. Switch to the softflowd directory, then run the commands to compile and install it.

    cd softflowd-0.9.9 ./configure make make install

11.  

12. Now we want to have softflowd start when the system boots. We'll need to add a line to the end of /etc/rc.d/rc.local. Use your device's interface after -i and your collector's IP address after -n.
     

    sudo nano /etc/rc.d/rc.local <add the following line to the end of the file> /usr/local/sbin/softflowd -i eth0 -n 10.13.37.111:2055

     

13. Save your changes with Ctrl-O, exit nano with Ctrl-X.
    Make sure /etc/rc.d/rc.local is executable.

14. sudo chmod +x /etc/rc.d/rc.local

15.  

16. Open port 2055 in the firewall so the collector can receive the data.

    sudo firewalld-cmd --zone=public --add-port=2055/tcp --permanent

17.  
18. Reboot the machine for all changes to take effect.

*Original guide courtesy of @Kurt Huffman at LogicMonitor