Basic start with network Analyzer

This support forum board is for support questions relating to Nagios Network Analyzer, our network traffic and bandwidth analysis solution.
kalyanpabolu
Posts: 246
Joined: Fri Jul 03, 2020 4:18 am

Basic start with network Analyzer

Post by kalyanpabolu »

Hello Team,

We have recently purchased a Network Analyzer license and we do not have anyone holding previous experience of this tool. I am working on Nagios XI. We have to start implementing network devices monitoring using Network Analyzer.

We are already done with Network Analyzer setup. We have used a Linux (CentOS 7) box for the same.

I was going through the Administrative Guide for NNA. The very first topic I could find there was "Configuring A Linux Server To Send Netflow Data To Nagios Network Analyzer".

What I could understand is, we need a new Linux box which will collect netflow data and it will send the same data to Network Analyzer.

So, for the fprobe configuration, a new Linux box is required? How will this box send data to Network Analyzer?
Also, could you please guide me through the directory structure of NNA?
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Basic start with network Analyzer

Post by ssax »

You don't need a new Linux box for this, you install fprobe (or another netflow sending utility) on the Linux servers that you want to send netflow data from in order for that system's flows to show up. There is no built-in netflow sender in the base OS. You would still see communication from those hosts if you had netflow/sflow sending from the routers/switches that it crosses. fprobe just gives you the added ability to send the flows directly from the Linux host (say if you didn't have a netflow/sflow capable switch/router device to pick those up that it crossed).

Code:

/var/www/html/nagiosna # Contains the web application files
/usr/local/nagiosna/bin # Contains NNA binaries
/usr/local/nagiosna/etc # Not currently used that I can tell
/usr/local/nagiosna/scripts # Contains scripts used by the application
/usr/local/nagiosna/tmp # Not currently used that I can tell
/usr/local/nagiosna/var # Application log files
/usr/local/nagiosna/var/SOURCENAME # Contains the nfcapd PID file and the bandwidth.rrd file to show the bandwidth for the source
/usr/local/nagiosna/var/SOURCENAME/flows # Contains the flows NFCAPD creates for the source

See here for the architecture overview:

https://support.nagios.com/kb/article/n ... ew-56.html
kalyanpabolu

Re: Basic start with network Analyzer

Post by kalyanpabolu »

Hello,

Thanks for your reply!!
I have configured one router and I can see it's showing some data in NNA. I am attaching a screenshot for your reference.

Now, if I want to see the traffic on individual interfaces say, Fastethernet0, Fastethernet1, etc on the same router, where can I see that data?

Also, I was checking for Nagios self paced training. I could find it only for Nagios XI and Nagios Core.

Could you please guide me where I can find complete video tutorial for Network Analyzer that covers full functionality of Network Analyzer?
ssax

Re: Basic start with network Analyzer

Post by ssax »

> Now, if I want to see the traffic on individual interfaces say, Fastethernet0, Fastethernet1, etc on the same router, where can I see that data?

That functionality doesn't currently exist as a feature. I have previously submitted a request to have development add that but it doesn't currently exist as not all flows that are sent contain the interface names.

Here's the docs we have (we don't really have any guided self-based training):

See the Help menu item in the NNA web interface and here as well:

https://support.nagios.com/kb/category.php?id=4
https://library.nagios.com/library/prod ... mentation/

You can also go here and once the page loads click on Nagios Network Analyzer:

https://www.nagios.com/videos/
kalyanpabolu

Re: Basic start with network Analyzer

Post by kalyanpabolu »

Hello,

Could you please request Development team again to add this feature? It would be really helpful.

Also, if we want to check conversation from a particular source to all destinations, how can we check that?

One more query here, while adding a source, it is asking for a unique port every time. What is the reason behind that?
ssax

Re: Basic start with network Analyzer

Post by ssax »

Submitted again with a link back to this thread:

FR: NNA - Add source/dest interface names if the flows have them with the ability to aggregate by interface name to see all traffic on specific interfaces on the same source

> Also, if we want to check conversation from a particular source to all destinations, how can we check that?

You can click on Sources > Click on the Source > Queries and then use:

Code:

Aggregate By: srcip,dstip

If you wanted to use a source IP you could add this in the query box:

Code:

ip 192.168.1.236

Or even:

Code:

src ip 192.168.1.236

See here:

https://assets.nagios.com/downloads/nag ... alyzer.pdf

> One more query here, while adding a source, it is asking for a unique port every time. What is the reason behind that?

It is for sorting, if you add a source with a unique port you can view by source. Then you can create Source Groups to aggregate them.

Technically, if the port is already defined you could just point your other devices at that port but then everything would show up under that single source for it. The recommendation is to create a port per source so that you can view by source.
kalyanpabolu

Re: Basic start with network Analyzer

Post by kalyanpabolu »

Hello,

Thank you for your reply!!

We will check it.
One more thing, can we create sources in bulk in NNA?
I mean the way we have bulk configuration option in XI, do we have the same here?
ssax

Re: Basic start with network Analyzer

Post by ssax »

There isn't really a bulk import tool like in XI.

You could create the sources via the API:
- Change YOURNNASERVER, SOURCENAME, PORT, X.X.X.X, and YOURTOKEN

Code:

curl -g -k -L -XPOST 'http://YOURNNASERVER/nagiosna/index.php/api/sources/create?q[name]=SOURCENAME&q[port]=PORT&q[addresses]=X.X.X.X&q[flowtype]=netflow&q[lifetime]=1w&token=YOURTOKEN'

Then modify the command and do it for the next, etc.

Once you're done adding them all you can run this after to start them all up:

Code:

/etc/init.d/nagiosna restart

The description of the values:

name: Assigns the name of the Source. This option must be unique and is required.

flowtype: Must be either 'sflow' or 'netflow' and denotes the flow type expected from the source. This is a required argument.

port: The numerical port number that the source will be sending netflow data to us on. This option must be unique and is required.

addresses: The IP address of the source

lifetime: The max time flows will be kept before throwing away. Must match this regex: [0-9]+w|d|H. Defaults to '1d'

And here as well:

https://support.nagios.com/kb/article/n ... s-800.html
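
The bulk-creation procedure described in the reply above, as an added example that is not part of the original thread or Nagios's own tooling: it checks an inventory against the stated rules (unique name, unique port, flowtype, lifetime) before printing one API call per source as a dry run. The inventory format, the function names, the `NNA_TOKEN` variable, the restriction of names to URL-safe characters, and the reading of the lifetime rule as a number followed by one of `w`, `d` or `H` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Inventory line format is an assumption:
#   name,port,address,flowtype,lifetime

# Print "line N: problem" for each defect; return 1 if any were found.
validate_sources() {
  awk -F, '
    function bad(msg) { printf "line %d: %s\n", NR, msg; errors++ }
    NF != 5                            { bad("expected 5 fields"); next }
    $1 !~ /^[A-Za-z0-9_-]+$/           { bad("name not URL-safe: " $1) }
    seen_name[$1]++                    { bad("duplicate name: " $1) }
    $2 !~ /^[0-9]+$/ || $2 < 1 || $2 > 65535 { bad("bad port: " $2) }
    seen_port[$2 + 0]++                { bad("duplicate port: " $2) }
    $3 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { bad("bad address: " $3) }
    $4 != "netflow" && $4 != "sflow"   { bad("bad flowtype: " $4) }
    $5 !~ /^[0-9]+[wdH]$/              { bad("bad lifetime: " $5) }
    END { exit (errors > 0) }
  '
}

# Build the create URL from the post. $1=base URL, $2=inventory line, $3=token
build_create_url() {
  IFS=, read -r name port addr ftype life <<EOF
$2
EOF
  printf '%s/nagiosna/index.php/api/sources/create?q[name]=%s&q[port]=%s&q[addresses]=%s&q[flowtype]=%s&q[lifetime]=%s&token=%s\n' \
    "$1" "$name" "$port" "$addr" "$ftype" "$life" "$3"
}

# Dry run: print the commands for a whole inventory (stdin), or only the defects.
plan_sources() {
  inventory=$(cat)
  printf '%s\n' "$inventory" | validate_sources || return 1
  printf '%s\n' "$inventory" | while IFS= read -r line; do
    # -k from the post is left out so TLS certificate checks stay enabled.
    printf "curl -g -L -XPOST '%s'\n" "$(build_create_url "$1" "$line" "$2")"
  done
  echo '/etc/init.d/nagiosna restart'
}

# Constructed sample inventory; YOURNNASERVER and YOURTOKEN are the post's placeholders.
plan_sources 'http://YOURNNASERVER' "${NNA_TOKEN:-YOURTOKEN}" <<'EOF'
core-router,9001,192.0.2.1,netflow,1w
edge-switch,9002,192.0.2.2,sflow,2d
EOF
```

Because the token travels in the URL, the printed commands contain it; review the plan on a trusted terminal and keep it out of shared logs.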