My posts about issues concerning Linux OS and network administration

Configuring NSEL (Netflow Secure Event Logging) with Cisco ASA and Centos 6 server

These are the steps we need to do to make everything work together:

  1. Enable NetFlow feature on ASA box
  2. Install nfdump and nfsen software to collect the data from ASA
  3. Install and configure web server (eg. Apache) to make the graphs accessible via web browser

1. ASA setup

ASA 5000 series comes with NetFlow version 9 feature which is actually pretty easy to configure.

At first, we need to configure the NSEL collector (we can configure up to five collectors here but they must differ in IP addresses):

asa(config)# flow-export destination INT 192.168.0.2 9995

Then we tell ASA to send all event-types (flow-create, flow-teardown and flow-denied) to this collector:

asa(config)# policy-map global_policy
asa(config-pmap)# class class-default
asa(config-pmap-c)# flow-export event-type all destination 192.168.0.2

class-default map exists in the default configuration and it matches all traffic.
That’s all of the part of ASA configuration.

2. Linux server setup

Now we need to configure software which will be listening for incoming UDP data from ASA and turn them into graphs. NFDUMP is the part listening for NetFlow data and nfsen is the Web interface that fetches data from NFDUMP and visualize them by using RRD tools.

When I was about to configure these tools I wasn’t able to find any RPM packages of them.  I’m persuaded that one should not distribute and configure the software manually on production servers and thus I ended up with creating these packages for Centos 6 myself.

RPM packages of NFDUMP and nfsen tools can be downloaded here.

Once you download these packages you can simple install them as follows:

# yum localinstall nfsen-1.3.6p1-2.el6.i386.rpm i3cz_nfdump-1.6.9-1.el6.i386.rpm

This should also install all other dependencies such as httpd, php and rrd tools. At this point you only need to start nfsen service which also starts nfcapd tool (part of nfdump package which listens for incoming UDP NetFlow data and stores them in files) in background and thus begins to process the data from ASA.

# service nfsen start

3. Apache web server setup

Complete Apache server configuration is of course beyond this article but the key part of web server configuration is to tell Apache where nfsen’s PHP scripts are placed and under what vhost or alias would be served.

I’ve built the nfsen package which comes with simple nfsen.conf file placed in /etc/httpd/conf.d directory so once the Apache server is started (# service httpd start) you should be able to access nfsen web page under http://<server ip>/nfsen

 

Feel free to ask questions by adding comment in this article.

Posted in ASA 5000 series, Cisco devices configuration, network administration software, Network Topology


Leave a Reply

Your email address will not be published. Required fields are marked *

Bad Behavior has blocked 83 access attempts in the last 7 days.