Initial Setup Issues

[rkane]

Having some issues with the initial setup, I've applied the documented steps to a couple of our 3850 switches and created corresponding sources in NagiosNA. For a few days now there's been no data that's come in. Some troubleshooting steps I've taken:

- Verified the configuration steps on two different 3850s
- Added lines for both uplinks (interfaces) to be monitored
- Pinged the NagiosNA box from the switch
- Pinged the switch from the NagiosNA box

Can someone please walk me step by step through getting this up and running? I'm sure I've missed something simple.

[lmiltchev]

You can check a few things to start with:

1. Make sure that don't have any timezone issues, e.g. mismatch between the date/time on your device and your workstation. Run the following commands on the NNA box, and examine the output:

Code: Select all

date
file /etc/localtime
grep "date.timezone" /etc/php.ini

2. Check to see if nfcapd is running for your source:

Code: Select all

ps -ef | grep "\-p xxxx"

where you substitute the "xxxx" with the actual port set up on your source

3. Is the port open? Check your firewall rules.

Code: Select all

firewall-cmd --zone=public --list-ports

[rkane]

1. Date looked good, file /etc/localtime returned 'no such file or directory', timezone looked good
2. Not sure what to verify in the output but I can verify that the two I have configured dump more output than one that I do not, attached a sample of the output
3. Ports are open for UDP

You can check a few things to start with:

1. Make sure that don't have any timezone issues, e.g. mismatch between the date/time on your device and your workstation. Run the following commands on the NNA box, and examine the output:

Code: Select all

date
file /etc/localtime
grep "date.timezone" /etc/php.ini

2. Check to see if nfcapd is running for your source:

Code: Select all

ps -ef | grep "\-p xxxx"

where you substitute the "xxxx" with the actual port set up on your source

3. Is the port open? Check your firewall rules.

Code: Select all

firewall-cmd --zone=public --list-ports

[lmiltchev]

1. Date looked good, file /etc/localtime returned 'no such file or directory', timezone looked good

Create a symlink by running something like this:

Code: Select all

ln -s /usr/share/zoneinfo/America/Los_Angeles /etc/localtime

where you substitute "Los_Angeles" with the correct timezone (that matches the timezone, defined in the /etc/php.ini file).

Note: You can view the available timezones by listing the directory, for example:

Code: Select all

cd /usr/share/zoneinfo/America
ls

Run the following command on the NNA box, wait until you get some output, then stop the command by hitting "ctrl+c", upload the 9000.cap file, that was created on the forum.

Code: Select all

tcpdump -i any -s 65535 -w 9000.cap port 9000

Also, show us the Cisco configs.

[rkane]

Returns

Code: Select all

-bash: tcpdump: command not found

Any particular commands you'd like me to run on the Cisco box?
I input the commands in this doc
https://assets.nagios.com/downloads/nag ... alyzer.pdf

Run the following command on the NNA box, wait until you get some output, then stop the command by hitting "ctrl+c", upload the 9000.cap file, that was created on the forum.

Code: Select all

tcpdump -i any -s 65535 -w 9000.cap port 9000

Also, show us the Cisco configs.

[tgriep]

The tcpdump command needs to be installed and to do that, run the following as root.

Code: Select all

yum install tcpdump -y

Then run the tcpdump command and upload the 9000.cap file to the post.

What we would need to see from the Cisco device is the configuration so display the configuration and upload it to the ticket.

Thanks

[rkane]

Appreciate it, the tcpdump had nothing for 15 minutes. 9000.cap attached.
Switch config attached, let me know what else you'd like to see?

The tcpdump command needs to be installed and to do that, run the following as root.

Code: Select all

yum install tcpdump -y

Then run the tcpdump command and upload the 9000.cap file to the post.

What we would need to see from the Cisco device is the configuration so display the configuration and upload it to the ticket.

Thanks

[tgriep]

Thanks for the files.
The Cisco config looks like it is configured OK but the bad news is that the cap file did not have any entries in it and it seemed to be corrupted.
So, can you run the tcpdump again and let is run for at lease 10 minutes and then upload it again?

And, run these commands as root and post the output.

Code: Select all

iptables -L
ps -ef --cols=300

Thanks

[rkane]

Ran the tcpdump for 15min the first time, no data. Running another 15min now. Attachments with the output from both the other commands.

Code: Select all

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
^C0 packets captured
0 packets received by filter
0 packets dropped by kernel

So, can you run the tcpdump again and let is run for at lease 10 minutes and then upload it again?

And, run these commands as root and post the output.

Code: Select all

iptables -L
ps -ef --cols=300

Thanks

[tgriep]

Same problem with the tcpdump command again, it did not capture anything.
So either the Cisco device is not sending data or the file is getting corrupted somehow.

If you want to try again, use this command to capture.

Code: Select all

tcpdump -i any -s 0 -w 9000.cap port 9000

If the capture file is only 24 bytes, don't bother uploading it, it is empty.

Can you go to this folder, and get the last 4 or 5 nfcapd files and upload them here?

Code: Select all

/usr/local/nagiosna/var/uts12a/flows

If the system is capturing data, we can see what it is.