Hello,
New install of Nagios NNA via OVA here. I have checked timezones via the GUI and shell and everything is set correctly. I also verified my NetFlow senders' timezone is correct via its GUI. I am only able to run the queries using the default time of 24 hours or more. The hours 2, 4, 6, and 12 do not work and immediately display no data. If I select a custom time and select 13 hours, the query does run. Is there something wrong on the NNA side or the sender side that the NetFlow data is roughly 13 hours off? I am thinking the NetFlow senders' "system" timezone is correct but not necessarily the NetFlow data they are sending, but I don't know how to verify this. Any help is appreciated.
For reference, the NetFlow senders are Cisco 5520 wireless controllers.
Thanks.
Can't run queries from 2,4,6,12 hours ago....only 13 hours and higher
Re: Can't run queries from 2,4,6,12 hours ago....only 13 hours and higher
Update:
I just ran nfdump on the nfcapd.current.###### file with the -A srcip,dstip switch and the Date flow start column is roughly 12 hours and 20 minutes behind. Current time is 11:47 AM EST and the Date flow start time is 2024-07-15 23:##:##.### or 11 PM yesterday. I know these sources don't have that long-running flows.
Again, any help much appreciated.
Thanks.
Re: Can't run queries from 2,4,6,12 hours ago....only 13 hours and higher
Hey @djoman42
djoman42 wrote: ↑Tue Jul 16, 2024 9:48 am
Hello,
New install of Nagios NNA via OVA here. I have checked timezones via the GUI and shell and everything is set correctly. I also verified my NetFlow senders' timezone is correct via its GUI. I am only able to run the queries using the default time of 24 hours or more. The hours 2, 4, 6, and 12 do not work and immediately display no data. If I select a custom time and select 13 hours, the query does run. Is there something wrong on the NNA side or the sender side that the NetFlow data is roughly 13 hours off? I am thinking the NetFlow senders' "system" timezone is correct but not necessarily the NetFlow data they are sending, but I don't know how to verify this. Any help is appreciated.
For reference, the NetFlow senders are Cisco 5520 wireless controllers.
Thanks.
I am looking into your issue; however, I am not seeing the same issue. The original thought I had is that the timezones are off; however, it sounds like you've already checked this. You can verify if it's the sender's system by checking the NetFlow data timestamps, viewing the raw NetFlow packets with something like Wireshark. Just to verify that you are getting flow data, can you check your /usr/local/nagiosna/var/{source name}/flows/ and run ll to see the file sizes? If they are around 276 then they will essentially be empty files.
Re: Can't run queries from 2,4,6,12 hours ago....only 13 hours and higher
Hello sgardil,
The file size when running ls -l -h shows anywhere from 7.0M to 11M.
Hope this is what you were asking.
Thanks.
Re: Can't run queries from 2,4,6,12 hours ago....only 13 hours and higher
Output of:
nfdump -r nfcapd.current.130094 -A srcip,srcport,dstip,dstport:
2024-07-15 20:43:31.497 14393.000 75.2.39.155 443 10.60.88.57 38964 2 162 0 81 1
2024-07-16 00:43:49.632 1.000 10.60.45.86 60541 31.13.80.175 5222 14 2843 22744 203 1
2024-07-16 00:41:45.579 0.000 10.60.77.114 63897 216.239.36.223 443 17 2391 0 140 1
2024-07-16 00:42:37.506 0.000 76.223.3.47 443 10.60.30.135 53374 2 100 0 50 1
2024-07-16 00:43:22.619 1.000 10.60.133.102 52611 10.60.0.41 53 2 124 992 62 1
2024-07-16 00:42:38.560 1.000 44.224.133.48 443 10.60.62.244 62896 14 4546 36368 324 1
2024-07-16 00:42:14.553 0.000 10.60.0.41 53 10.60.111.93 56717 1 329 0 329 1
2024-07-16 00:43:12.637 0.000 10.60.101.69 11671 10.60.0.11 53 1 69 0 69 1
2024-07-16 00:42:01.652 0.000 10.60.0.11 53 10.60.123.131 52304 1 142 0 142 1
2024-07-16 00:43:23.538 2.000 172.217.167.227 443 10.60.110.17 47371 7 5175 20700 739 1
2024-07-16 00:43:36.534 1.000 10.60.0.11 53 10.60.122.158 60149 1 157 1256 157 1
2024-07-16 00:42:18.591 1.000 34.102.162.219 443 10.60.112.71 44700 9 4727 37816 525 1
2024-07-16 00:43:40.527 0.000 10.60.0.11 53 10.60.137.119 57055 1 83 0 83 1
2024-07-16 00:43:32.536 1.000 10.60.132.97 56183 23.220.246.46 443 2 104 832 52 1
It is after 1 PM EST now.
Output of the ls -l -h command in /usr/local/nagiosna/var/mydevicesname/flows:
-rw-r--r-- 1 nna nnacmd 11M Jul 16 11:50 nfcapd.202407161145
-rw-r--r-- 1 nna nnacmd 11M Jul 16 11:55 nfcapd.202407161150
-rw-r--r-- 1 nna nnacmd 11M Jul 16 12:00 nfcapd.202407161155
-rw-r--r-- 1 nna nnacmd 11M Jul 16 12:05 nfcapd.202407161200
-rw-r--r-- 1 nna nnacmd 11M Jul 16 12:10 nfcapd.202407161205
-rw-r--r-- 1 nna nnacmd 11M Jul 16 12:15 nfcapd.202407161210
-rw-r--r-- 1 nna nnacmd 11M Jul 16 12:20 nfcapd.202407161215
-rw-r--r-- 1 nna nnacmd 11M Jul 16 12:25 nfcapd.202407161220
-rw-r--r-- 1 nna nnacmd 11M Jul 16 12:30 nfcapd.202407161225
-rw-r--r-- 1 nna nnacmd 11M Jul 16 12:35 nfcapd.202407161230
-rw-r--r-- 1 nna nnacmd 11M Jul 16 12:40 nfcapd.202407161235
-rw-r--r-- 1 nna nnacmd 11M Jul 16 12:45 nfcapd.202407161240
-rw-r--r-- 1 nna nnacmd 11M Jul 16 12:50 nfcapd.202407161245
-rw-r--r-- 1 nna nnacmd 11M Jul 16 12:55 nfcapd.202407161250
-rw-r--r-- 1 nna nnacmd 11M Jul 16 13:00 nfcapd.202407161255
-rw-r--r-- 1 nna nnacmd 11M Jul 16 13:05 nfcapd.202407161300
-rw-r--r-- 1 nna nnacmd 5.1M Jul 16 13:07 nfcapd.current.130094
There are a lot more files in this directory.
I am thinking it's the sources' NetFlow data timestamps more and more, but this community probably knows better. It will take me a few to get a packet capture of the wireless controllers. I may open a ticket with Cisco.
Thanks.
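The two checks raised in this thread (flow timestamps lagging the collector's clock, and nfcapd files that are tiny because no flows arrived) can be done on the nfdump and ls output without a packet capture. The script below is an added example, not Nagios NNA or nfdump code; it assumes the column layout nfdump printed above (flow start, duration, then addresses), a constructed capture time of Jul 16 13:07 for nfcapd.current, and a constructed 300-byte "empty file" threshold based on the ~276 bytes mentioned earlier in the thread.

```python
import re
from datetime import datetime, timedelta
from statistics import median

# Constructed sample rows in the layout nfdump printed in this thread:
# flow start, duration (s), src ip, src port, dst ip, dst port, ...
SAMPLE_NFDUMP = """\
2024-07-15 20:43:31.497 14393.000 75.2.39.155 443 10.60.88.57 38964 2 162 0 81 1
2024-07-16 00:43:49.632 1.000 10.60.45.86 60541 31.13.80.175 5222 14 2843 22744 203 1
2024-07-16 00:41:45.579 0.000 10.60.77.114 63897 216.239.36.223 443 17 2391 0 140 1
2024-07-16 00:42:37.506 0.000 76.223.3.47 443 10.60.30.135 53374 2 100 0 50 1
Summary: total flows: 4
"""

# Assumed wall-clock time (collector local time) at which the sampled
# nfcapd.current file was read; on the page that was Jul 16 13:07.
CAPTURE_TIME = datetime(2024, 7, 16, 13, 7)

# Constructed `ls -l -h` sample: two healthy 5-minute files plus one
# 276-byte file, the size the thread associates with "no flows received".
SAMPLE_LS = """\
-rw-r--r-- 1 nna nnacmd 11M Jul 16 13:05 nfcapd.202407161300
-rw-r--r-- 1 nna nnacmd 276 Jul 16 13:10 nfcapd.202407161305
-rw-r--r-- 1 nna nnacmd 5.1M Jul 16 13:07 nfcapd.current.130094
"""


def parse_nfdump_rows(text):
    """Yield (flow_start, duration_seconds); header/summary lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            start = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S.%f")
            duration = float(parts[2])
        except ValueError:
            continue
        yield start, duration


def estimate_skew(text, capture_time, max_duration=300.0):
    """Median of (capture_time - flow_end) in seconds over short flows.

    Long flows are skipped: the 14393-second flow in the sample genuinely
    started hours earlier and would otherwise inflate the estimate. A
    5-minute nfcapd file should only hold flows that ended within the last
    few minutes, so a lag of many hours points at the exporter's clock or
    timezone, not at collector delay."""
    lags = []
    for start, duration in parse_nfdump_rows(text):
        if duration > max_duration:
            continue
        flow_end = start + timedelta(seconds=duration)
        lags.append((capture_time - flow_end).total_seconds())
    return median(lags) if lags else None


def describe_skew(seconds):
    """Render a lag in seconds as 'Hh Mm' for a quick read."""
    hours, rem = divmod(int(seconds), 3600)
    return f"{hours}h {rem // 60}m"


_SIZE_SUFFIX = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_ls_size(field):
    """Convert an `ls -h` size such as '276', '11M' or '5.1M' to bytes."""
    m = re.fullmatch(r"([0-9.]+)([KMG]?)", field)
    if not m:
        raise ValueError(f"unrecognised size field: {field}")
    return int(float(m.group(1)) * _SIZE_SUFFIX[m.group(2)])


def empty_nfcapd_files(ls_output, empty_bytes=300):
    """Names of nfcapd files at or below the assumed 'no flows' size."""
    names = []
    for line in ls_output.splitlines():
        parts = line.split()
        if len(parts) < 9 or not parts[-1].startswith("nfcapd."):
            continue
        if parse_ls_size(parts[4]) <= empty_bytes:
            names.append(parts[-1])
    return names


if __name__ == "__main__":
    skew = estimate_skew(SAMPLE_NFDUMP, CAPTURE_TIME)
    print("flow timestamps lag capture time by", describe_skew(skew))
    print("near-empty nfcapd files:", empty_nfcapd_files(SAMPLE_LS))
```

Run against real data by piping `nfdump -r nfcapd.current.<pid>` output into `estimate_skew` with the file's mtime as `capture_time`; a lag of a few minutes is normal collector buffering, while one close to 12 hours, as in this thread, means the exporter's timestamps (not the collector's timezone) need to be checked.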
Re: Can't run queries from 2,4,6,12 hours ago....only 13 hours and higher
NOTE...
The bandwidth graph on the source page populates properly when selecting the default Last 2 Hours timeframe. The Top 5 Talkers below it does not populate at all when selecting the Last 2 Hours timeframe. Including screenshot.
But when I select the Last 24 Hours, the bandwidth and Top 5 Talkers populate.
TIA
Re: Can't run queries from 2,4,6,12 hours ago....only 13 hours and higher
Here is a similar issue where the bandwidth graph shows data but Top 5 Talkers does not. It's worth a read to see if anything is missing in the conf files and to see if things are looking correct, but it ended up being a timestamp issue for them as well. They were able to add some timestamp commands on their Cisco equipment to fix their timestamp issue. Might be worth checking out. If it's not that, can you check your PHP logs to see if there are any errors? They'll be in /var/log/{httpd, php-fpm, apache}.
djoman42 wrote: ↑Tue Jul 16, 2024 12:17 pm
NOTE...
The bandwidth graph on the source page populates properly when selecting the default Last 2 Hours timeframe. The Top 5 Talkers below it does not populate at all when selecting the Last 2 Hours timeframe. Including screenshot.
But when I select the Last 24 Hours, the bandwidth and Top 5 Talkers populate.
TIA
Re: Can't run queries from 2,4,6,12 hours ago....only 13 hours and higher
Had the same problem lately.
djoman42 wrote: ↑Tue Jul 16, 2024 9:48 am
Hello,
New install of Nagios NNA via OVA here. I have checked timezones via the GUI and shell and everything is set correctly. I also verified my NetFlow senders' timezone is correct via its GUI. I am only able to run the queries using the default time of 24 hours or more. The hours 2, 4, 6, and 12 do not work and immediately display no data. If I select a custom time and select 13 hours, the query does run. Is there something wrong on the NNA side or the sender side that the NetFlow data is roughly 13 hours off? I am thinking the NetFlow senders' "system" timezone is correct but not necessarily the NetFlow data they are sending, but I don't know how to verify this. Any help is appreciated.
For reference, the NetFlow senders are Cisco 5520 wireless controllers.
Thanks.
Re: Can't run queries from 2,4,6,12 hours ago....only 13 hours and higher
Good to know. Are you also on a new install of the OVA and this happens? Also, did you have the chance to run through the tests mentioned in the other forum post mentioned above, and if so, do you still have the issues after doing so?
tokyo wrote: ↑Wed Aug 07, 2024 11:36 am
Had the same problem lately.
djoman42 wrote: ↑Tue Jul 16, 2024 9:48 am
Hello,
New install of Nagios NNA via OVA here. I have checked timezones via the GUI and shell and everything is set correctly. I also verified my NetFlow senders' timezone is correct via its GUI. I am only able to run the queries using the default time of 24 hours or more. The hours 2, 4, 6, and 12 do not work and immediately display no data. If I select a custom time and select 13 hours, the query does run. Is there something wrong on the NNA side or the sender side that the NetFlow data is roughly 13 hours off? I am thinking the NetFlow senders' "system" timezone is correct but not necessarily the NetFlow data they are sending, but I don't know how to verify this. Any help is appreciated.
For reference, the NetFlow senders are Cisco 5520 wireless controllers.
Thanks.