IPFIXCol2 - NetFlow v5/v9 and IPFIX flow collector and balancer [Документация VAS Experts]

IPFIXCol2 - NetFlow v5/v9 and IPFIX flow collector and balancer

Introduction

IPFIXCol2 — is a flexible, high-performance NetFlow v5/v9 and IPFIX streaming data collector, extensible with plugins. The version of the application presented in the VAS Experts repository includes the changes needed to work optimally with IPFIX streams from the Stingray Service Gateway.

Installation

  1. Connect the VAS Experts repository
    rpm --import http://vasexperts.ru/centos/RPM-GPG-KEY-vasexperts.ru
    rpm -Uvh http://vasexperts.ru/centos/6/x86_64/vasexperts-repo-1-0.noarch.rpm
  2. Install ipfixcol2: dnf install -y ipfixcol2

Setup files

Configuration file:

/opt/vasexperts/etc/ipfixcol2/startup.xml

Executable file:

/opt/vasexperts/bin/ipfixcol2

Plugins:

/opt/vasexperts/lib64/ipfixcol2/libanonymization-intermediate.so
/opt/vasexperts/lib64/ipfixcol2/libfds-output.so
/opt/vasexperts/lib64/ipfixcol2/libjson-kafka-output.so
/opt/vasexperts/lib64/ipfixcol2/libudp-input.so
/opt/vasexperts/lib64/ipfixcol2/libdummy-input.so
/opt/vasexperts/lib64/ipfixcol2/libforwarder-output.so
/opt/vasexperts/lib64/ipfixcol2/libjson-output.so
/opt/vasexperts/lib64/ipfixcol2/libviewer-output.so
/opt/vasexperts/lib64/ipfixcol2/libdummy-output.so
/opt/vasexperts/lib64/ipfixcol2/libipfix-input.so
/opt/vasexperts/lib64/ipfixcol2/libtcp-input.so
/opt/vasexperts/lib64/ipfixcol2/libfds-input.so
/opt/vasexperts/lib64/ipfixcol2/libipfix-output.so
/opt/vasexperts/lib64/ipfixcol2/libtimecheck-output.so

Service file to run the application:

/usr/lib/systemd/system/ipfixcol2.service

Launch parameters

The program has the following launch parameters:

Usage: ipfixcol2 [-c FILE] [-p PATH] [-e DIR] [-P FILE] [-r SIZE] [-vVhLd]
 
-c FILE Configuration file path
(/etc/opt/vasexperts/ipfixcol2/startup.xml by default)
 
-p PATH Path to the plugins directory
(/opt/vasexperts/lib64/ipfixcol2/ by default)
 
-e DIR Path to the IPFIX item directory
(/etc/libfds/ by default)
 
-P FILE Path to PID file (without this option, no PID file is created)
 
-d Run as a daemon
 
-r SIZE Circular buffer size (8192 by default)
 
-h Output the brief info
 
-V Output the program version
 
-L Output the list of plugins and exit
 
-v Increase the logging level (by default only errors are logged)
(can be used up to 3 times to add warning/info/debug messages)

Application configuration for IPFIX stream replication

The configuration file /opt/vasexperts/etc/ipfixcol2/startup.xml shows an example of how to configure one IPFIX stream replication over TCP to two collectors in round robin mode. The configuration file is in xml format.

<ipfixcol2>
  <!-- Input plugins -->
  <inputPlugins>
    <input>
      <name>TCP collector</name>
      <plugin>tcp</plugin>
      <params>
        <!-- List on port 1600 -->
        <localPort>1600</localPort>
        <!-- Bind to all local adresses -->
        <localIPAddress>192.168.1.183</localIPAddress>
      </params>
    </input>
  </inputPlugins>
 
  <outputPlugins>
    <output>
    <name>Forwarder</name>
    <plugin>forwarder</plugin>
    <params>
        <mode>roundrobin</mode>
        <protocol>tcp</protocol>
        <premadeConnections>0</premadeConnections>
        <hosts>
            <host>
                <name>Subcollector 1</name>
                <address>192.168.1.183</address>
                <port>1500</port>
            </host>
            <host>
                <name>Subcollector 2</name>
                <address>192.168.1.183</address>
                <port>1510</port>
            </host>
        </hosts>
    </params>
    </output>
  </outputPlugins>
 
</ipfixcol2>

The interface and the port for receiving IPFIX stream are configured in the <inputPlugins> block. The TCP plugin (<plugin> tcp) is used to receive IPFIX stream via TCP. In the <params> block the plugin's parameters are set. The <locapPort> block of the tcp plugin contains the port number to receive the IPFIX stream. The <localIPAddress> block contains IP address of the interface to receive TCP stream.

IPFIX input stream replication is configured in the <outputPlugins> block. For replication forwarder plugin (<plugin> forwarder) is used. In the <params> block the plugin's parameters are set. In block <protocol> indicate the IP protocol (TCP or UDP). The <mode> block specifies the mode of the input IPFIX stream distribution to the specified collectors (may be roundrobin or all). Block <hosts> specifies collectors for replication of input IPFIX stream. Each collector is described by a separate <host> block. In this block the collector name (<name> block), IP address (<address> block) and port (<port> block) are specified.

Attention!
You must pay attention to the value of the <mode> block. To replicate the input stream to all collectors you must specify all.

Application launch

To launch the application, use the command:

systemctl start ipfixcol2

To launch the application automatically at server startup, run the following command:

systemctl enable ipfixcol2

Logging

The application outputs messages to the syslog. By default, only error messages are logged.