Re: [Nfsen-discuss] nfsen consult
From: Peter H. <ha...@sw...> - 2006-04-07 06:37:11
-----BEGIN PGP SIGNED MESSAGE-----
Hi Marcos,
--On April 7, 2006 0:47:59 -0300 marcos <ma...@ar...> wrote:
| I write to you in order to ask about the installation of the "demoplugins".
| I've been trying to install them, but it always appears the following
| error:
| ----------------------------------------
| WARNING: Warning set by demo plugin!!
| ERROR: Error set by demo plugin!!
| Hello I'm the demo plugin with id
| ----------------------------------------
| I would really appreciate if you could give me any solution.
Well - that's what the demo plugin does: It shows you how to display
warnings and errors, and says 'hello' to you. And it looks like this works
perfectly well on your system. It's a - demo plugin.
- Peter
|
| Here you have the structure of my directory:
| localhost# pwd
| /usr/local/nfsen
| localhost# ls
| bin etc libexec plugins profiles
| var
|
| I also send you my configurations:
| cat nfsen.conf
|
| ##############################
| #
| # NfSen master config file
| #
| # $Id: nfsen-dist.conf 34 2005-07-18 12:53:55Z peter $
| #
| # Configuration of NfSen:
| # Set all the values to fit your NfSen setup and run the 'install.pl'
| # script from the nfsen distribution directory.
| #
| # You should not need to changes anything after NfSen is installed,
| # besides the NfSen plugins at the bottom.
| # When you make any changes in the plugins section, run 'nfsen reload'
| # to make sure nfsen-run gets notified about your plugins.
| #
| # Do not change any other settings after NfSen is installed.
| # otherwise you must rerun the install.pl script.
| #
| # The syntax must conform to Perl syntax.
| #
| ##############################
| #
| # NfSen default layout:
| # Any scripts, modules or profiles are installed by default under $BASEDIR.
| # However, you may change any of these settings to fit your requested layout.
|
| #
| # Required for default layout
| $BASEDIR = "/usr/local/nfsen";
| #
| # Where to install the NfSen binaries
| $BINDIR="${BASEDIR}/bin";
|
| #
| # Where to install the NfSen Perl modules
| $LIBEXECDIR="${BASEDIR}/libexec";
|
| #
| # Where to install the config files
| $CONFDIR="${BASEDIR}/etc";
|
| #
| # NfSen html pages directory:
| # All php scripts will be installed here.
| # URL: Entry point for nfsen: http://<webserver>/nfsen/nfsen.php
| $HTMLDIR = "/usr/local/www/nfsen/";
|
| #
| # Where to install the docs
| $DOCDIR="${HTMLDIR}/doc";
|
| #
| # Var space for NfSen
| $VARDIR="${BASEDIR}/var";
|
| #
| # The Profiles stat directory, where all profile information
| # RRD DBs and gif pictures of the profile are stored
| $PROFILESTATDIR="${BASEDIR}/profiles";
|
| #
| # The Profiles directory, where all netflow data is stored
| $PROFILEDATADIR="/usr/data";
|
| #
| # Where go all the backend plugins
| $BACKEND_PLUGINDIR="${BASEDIR}/plugins";
|
| #
| # Where go all the frontend plugins
| $FRONTEND_PLUGINDIR="${HTMLDIR}/plugins";
|
| #
| # nfdump tools path
| $PREFIX = '/usr/local/bin';
|
| #
| # BASEDIR unrelated vars:
| #
| # Run nfcapd as this user
| # This may be a different or the same uid than your web server.
| # Note: This user must be in group $WWWGROUP, otherwise nfcapd
| # is not able to write data files!
| $USER = "www";
|
| # user and group of the web server process
| # All netflow processing will be done with this user
| $WWWUSER = "www";
| $WWWGROUP = "www";
|
| # Receive buffer size for nfcapd - see man page nfcapd(1)
| $BUFFLEN = 200000;
|
| # Netflow sources
| # Define an ident string, port and colour per netflow source
| # ident identifies this netflow source. e.g. the router name,
| # Upstream provider name etc.
| # port nfcapd listens on this port for netflow data for this source
| # col colour in nfsen graphs for this source
| #
| # Syntax:
| # 'ident' => { 'port' => '<portnum>', 'col' => '<colour>' }
| # Ident strings must be 1 to 19 characters long only, containing
| # characters [a-zA-Z0-9_].
|
| %sources = (
| 'sl' => { 'port' => '23455', 'col' => '#0000ff' },
| 'fl' => { 'port' => '23458', 'col' => '#ff0000' },
| );
|
| #
| # Low water mark: When expiring files, delete files until
| # size = max size * low water mark
| # typically 0.9
| $low_water = 0.9;
|
| #
| # syslog facility for periodic jobs
| # nfsen uses level 'debug', 'info', 'warning' and 'err'
| # Note: nfsen is very chatty for level 'debug' and 'info'
| # For normal operation, you may set the logging level in syslog.conf
| # to warning or error unless you want to debug NfSen
| $syslog_facility = 'local3';
|
| #
| # plugins
| # plugins are run for each timeslot, after the roll over of new data files.
| # A plugin may run for any profile or for a specific profile only.
| # Syntax: [ 'profile', 'module' ]
| # profile: ',' separated list of profiles, or '*' for any profile
| # module: Module name.
| # The module follows the standard Perl module conventions, with at least two
| # additional functions: Init() and run(). See demoplugin.pm for a simple template.
| # Plugins are installed under
| #
| # $BACKEND_PLUGINDIR and $FRONTEND_PLUGINDIR
|
| # @plugins = (
| # profile # module
| # [ 'live', 'PortTracker'],
|
| # );
|
| @plugins = (
| # profile # module
| [ 'live', 'demoplugin' ],
| );
|
| #
| # Notification module
| # The Notification module is an optional module. If you want your plugins to
| # notify any result by email, use this module.
| # Make sure you have installed Mail::Internet before using the module
| #
| # Use this from address
| $MAIL_FROM = 'yo...@fr...';
|
| # Use these recipients
| $RCPT_TO = 'an...@ex..., an...@ex...';
|
| # Use this SMTP server
| $SMTP_SERVER = 'localhost';
|
| 1;
|
| cat demoplugin.pm
|
| # !/usr/bin/perl
| #
| # Copyright (c) 2004, SWITCH - Teleinformatikdienste fuer Lehre und Forschung
| # All rights reserved.
| #
| # Redistribution and use in source and binary forms, with or without
| # modification, are permitted provided that the following conditions are met:
| #
| # * Redistributions of source code must retain the above copyright notice,
| # this list of conditions and the following disclaimer.
| # * Redistributions in binary form must reproduce the above copyright notice,
| # this list of conditions and the following disclaimer in the documentation
| # and/or other materials provided with the distribution.
| # * Neither the name of SWITCH nor the names of its contributors may be
| # used to endorse or promote products derived from this software without
| # specific prior written permission.
| #
| # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
| # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
| # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
| # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
| # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
| # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
| # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
| # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
| # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
| # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
| # POSSIBILITY OF SUCH DAMAGE.
| #
| # $Author: peter $
| #
| # $Id: demoplugin.pm 27 2005-04-20 13:50:06Z peter $
| #
| # $LastChangedRevision: 27 $
|
| # Demo plugin for NfSen
| #
| # This plugin demonstrates the use of plugins
| # It searches for flows > 500000 packets and sends the output
| # using the Notification module
|
| package demoplugin;
|
| use strict;
| use NfSen;
| use NfConf;
|
| #
| # The plugin may send any messages to syslog
| # Do not initialize syslog, as this is done by
| # the main process nfsen-run
| use Sys::Syslog;
| Sys::Syslog::setlogsock('unix');
|
| # Use the optional Notification module
| use Notification;
| my ( $nfdump, $PROFILEDIR );
|
| #
| # Define a nice filter:
| # We like to see flows containing more than 500000 packets
| my $nf_filter = 'packets > 500000';
|
| #
| # Periodic function
| # input: profilename
| # timeslot. Format yyyymmddHHMM e.g. 200503031200
| sub run {
|     my $profile  = shift;
|     my $timeslot = shift;
|
|     syslog('debug', "demoplugin run: Profile: $profile, Time: $timeslot");
|
|     my %profileinfo = NfSen::ReadProfile($profile);
|     my $netflow_sources = "$PROFILEDIR/$profile/$profileinfo{'sourcelist'}";
|
|     #
|     # process all sources of this profile at once
|     my @output = `$nfdump -M $netflow_sources -r nfcapd.$timeslot '$nf_filter'`;
|
|     #
|     # Process the output and notify the duty team
|
|     # The 2nd but last line contains the stat info of the processed flow:
|     # e.g. Flows analysed: 61 matched: 61, Bytes read: 3168
|     if ( $output[-2] =~ /matched:\s+(\d+)/ ) {
|         my $matched = $1;
|         syslog('debug', "demoplugin run: $matched flows");
|         if ( $matched ) {
|             notify("Packets > 500000: Profile $profile, Timeslot $timeslot", \@output );
|         }
|     } else {
|         syslog('err', "Unparsable output line '$output[-2]'");
|     }
|
|     # .... more to come
|
| }
|
| sub Init {
|     syslog("info", "demoplugin: Init");
|
|     # Init some vars
|     $nfdump     = "$NfConf::PREFIX/nfdump";
|     $PROFILEDIR = "$NfConf::PROFILEDIR";
|
|     return 1;
| }
|
| sub BEGIN {
|     syslog("info", "demoplugin BEGIN");
|     # Standard BEGIN Perl function - See Perl documentation
|     # not used here
| }
|
| sub END {
|     syslog("info", "demoplugin END");
|     # Standard END Perl function - See Perl documentation
|     # not used here
| }
|
| 1;
| ------- End of Forwarded Message -------
--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
E-mail: pet...@sw... Web: http://www.switch.ch/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
iQCVAwUBRDYIif5AbZRALNr/AQG4CwP+JoaehsbcYmmkUnHpIjj8wStk5WUS4Jsm
r2pSRmjLZUvg2bkJWGQ6WaTGf+fFI5SqLNeVuspi3ENO9Uh5+uqbJ77WcT4cMOId
+i/p315uze4rOaIxzm67XIa3m9ucGep+0ddpXol/AEroAnk9ma74laQMRINzsjCU
0zpSqVfLCAE=
=6UCH
-----END PGP SIGNATURE-----
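An added example in Perl (the plugin language), not from this thread and not NfSen's own code: a version of the summary-line parse that demoplugin.pm performs on `$output[-2]`, written so that it does not depend on the summary being exactly the second-to-last line of nfdump's output, and so that missing or unparsable output is reported as an error rather than passing silently as "no flows matched". The sample output lines are constructed, and the function names `matched_flows` and `plugin_action` are this example's own.

```perl
#!/usr/bin/perl
# Added example, not NfSen's own code: parse the nfdump summary line that
# demoplugin.pm keys on, without assuming it is exactly $output[-2].
use strict;
use warnings;

# Return the matched-flow count from nfdump's output lines, or undef when
# no summary line is present (nfdump failed, printed nothing, or its output
# layout differs from what the plugin expects).
sub matched_flows {
    my @lines = @_;
    # Search from the end: the summary sits near the bottom, but trailing
    # blank or status lines can shift its exact position.
    for my $line ( reverse @lines ) {
        if ( $line =~ /matched:\s+(\d+)/ ) {
            return $1;
        }
    }
    return;    # undef in scalar context
}

# Map one timeslot's nfdump output to what a plugin should do with it:
# 'notify' (filter hit), 'quiet' (nothing matched) or 'error' (log it and
# do not notify, so a failed nfdump call is not mistaken for "no hits").
sub plugin_action {
    my @output  = @_;
    my $matched = matched_flows(@output);
    return 'error'  unless defined $matched;
    return 'notify' if $matched > 0;
    return 'quiet';
}

# Constructed sample outputs (hypothetical, not captured from a real nfdump
# run), modelled on the summary line quoted in demoplugin.pm.
my @with_hits = (
    "2006-04-07 06:30:00.000  TCP  10.0.0.1:1234 -> 10.0.0.2:80  600000  9.1 M  1",
    "Flows analysed: 61 matched: 1, Bytes read: 3168",
    "Sys: 0.010s flows/second: 6100.0",
    "",    # trailing blank line: a fixed $output[-2] lookup would hit the Sys: line
);
my @no_hits = (
    "Flows analysed: 61 matched: 0, Bytes read: 3168",
    "Sys: 0.010s flows/second: 6100.0",
);
my @nfdump_failed = ();    # e.g. wrong $nfdump path: the backticks return nothing

for my $case ( [ 'with hits',     \@with_hits ],
               [ 'no hits',       \@no_hits ],
               [ 'nfdump failed', \@nfdump_failed ] ) {
    my ( $name, $out ) = @$case;
    printf "%-14s -> %s\n", $name, plugin_action(@$out);
}
```

In a real plugin, run() would hand the backtick output to plugin_action and call notify() only for 'notify', while 'error' goes to syslog('err', ...) as in the original; the point of the separate function is that the decision can be exercised with canned output, without a running nfsen-run and without live profile data.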