IPFIXCol2 - NetFlow v5/v9 and IPFIX flow collector and balancer
Introduction
IPFIXCol2 — is a flexible, high-performance NetFlow v5/v9 and IPFIX streaming data collector, extensible with plugins. The version of the application presented in the VAS Experts repository includes the changes needed to work optimally with IPFIX streams from the Stingray Service Gateway.
Installation
- Connect the VAS Experts repository
rpm --import http://vasexperts.ru/centos/RPM-GPG-KEY-vasexperts.ru rpm -Uvh http://vasexperts.ru/centos/6/x86_64/vasexperts-repo-1-0.noarch.rpm
- Install ipfixcol2: dnf install -y ipfixcol2
Setup files
Configuration file:
/opt/vasexperts/etc/ipfixcol2/startup.xml
Executable file:
/opt/vasexperts/bin/ipfixcol2
Plugins:
/opt/vasexperts/lib64/ipfixcol2/libanonymization-intermediate.so /opt/vasexperts/lib64/ipfixcol2/libfds-output.so /opt/vasexperts/lib64/ipfixcol2/libjson-kafka-output.so /opt/vasexperts/lib64/ipfixcol2/libudp-input.so /opt/vasexperts/lib64/ipfixcol2/libdummy-input.so /opt/vasexperts/lib64/ipfixcol2/libforwarder-output.so /opt/vasexperts/lib64/ipfixcol2/libjson-output.so /opt/vasexperts/lib64/ipfixcol2/libviewer-output.so /opt/vasexperts/lib64/ipfixcol2/libdummy-output.so /opt/vasexperts/lib64/ipfixcol2/libipfix-input.so /opt/vasexperts/lib64/ipfixcol2/libtcp-input.so /opt/vasexperts/lib64/ipfixcol2/libfds-input.so /opt/vasexperts/lib64/ipfixcol2/libipfix-output.so /opt/vasexperts/lib64/ipfixcol2/libtimecheck-output.so
Service file to run the application:
/usr/lib/systemd/system/ipfixcol2.service
Launch parameters
The program has the following launch parameters:
Usage: ipfixcol2 [-c FILE] [-p PATH] [-e DIR] [-P FILE] [-r SIZE] [-vVhLd] -c FILE Configuration file path (/etc/opt/vasexperts/ipfixcol2/startup.xml by default) -p PATH Path to the plugins directory (/opt/vasexperts/lib64/ipfixcol2/ by default) -e DIR Path to the IPFIX item directory (/etc/libfds/ by default) -P FILE Path to PID file (without this option, no PID file is created) -d Run as a daemon -r SIZE Circular buffer size (8192 by default) -h Output the brief info -V Output the program version -L Output the list of plugins and exit -v Increase the logging level (by default only errors are logged) (can be used up to 3 times to add warning/info/debug messages)
Application configuration for IPFIX stream replication
The configuration file /opt/vasexperts/etc/ipfixcol2/startup.xml
shows an example of how to configure one IPFIX stream replication over TCP to two collectors in round robin mode. The configuration file is in xml format.
<ipfixcol2> <!-- Input plugins --> <inputPlugins> <input> <name>TCP collector</name> <plugin>tcp</plugin> <params> <!-- List on port 1600 --> <localPort>1600</localPort> <!-- Bind to all local adresses --> <localIPAddress>192.168.1.183</localIPAddress> </params> </input> </inputPlugins> <outputPlugins> <output> <name>Forwarder</name> <plugin>forwarder</plugin> <params> <mode>roundrobin</mode> <protocol>tcp</protocol> <premadeConnections>0</premadeConnections> <hosts> <host> <name>Subcollector 1</name> <address>192.168.1.183</address> <port>1500</port> </host> <host> <name>Subcollector 2</name> <address>192.168.1.183</address> <port>1510</port> </host> </hosts> </params> </output> </outputPlugins> </ipfixcol2>
The interface and the port for receiving IPFIX stream are configured in the <inputPlugins>
block. The TCP
plugin (<plugin> tcp
) is used to receive IPFIX stream via TCP. In the <params>
block the plugin's parameters are set. The <locapPort>
block of the tcp
plugin contains the port number to receive the IPFIX stream. The <localIPAddress>
block contains IP address of the interface to receive TCP stream.
IPFIX input stream replication is configured in the <outputPlugins>
block. For replication forwarder
plugin (<plugin> forwarder
) is used. In the <params>
block the plugin's parameters are set. In block <protocol>
indicate the IP protocol (TCP
or UDP
). The <mode>
block specifies the mode of the input IPFIX stream distribution to the specified collectors (may be roundrobin
or all
). Block <hosts>
specifies collectors for replication of input IPFIX stream. Each collector is described by a separate <host>
block. In this block the collector name (<name>
block), IP address (<address>
block) and port (<port>
block) are specified.
You must pay attention to the value of the
<mode>
block. To replicate the input stream to all collectors you must specify all
.
Application launch
To launch the application, use the command:
systemctl start ipfixcol2
To launch the application automatically at server startup, run the following command:
systemctl enable ipfixcol2
Logging
The application outputs messages to the syslog
. By default, only error messages are logged.