###########################################################################
#  cflowd.conf - cflowd configuration file
#  $Name: cflowd-2-1-b1 $
###########################################################################
#  THIS IS JUST AN EXAMPLE!!!  IT MUST BE MODIFIED TO WORK WITH
#  YOUR CFLOWD INSTALLATION!!!
#
#  All addresses, ports and paths below are sample values.
###########################################################################

#---------------------------------------------------------------------------
#  OPTIONS stanza
#  --------------
#  The OPTIONS stanza contains global cflowd options.  It must be the
#  first stanza in the configuration.
#
#  Option fields:
#
#    LOGFACILITY     (Optional, default local6)
#       The syslog facility to use when logging.
#
#    TCPCOLLECTPORT  (Optional, default 2056)
#       The port on which to listen for connections from cfdcollect.
#       NOTE(review): this is a listening TCP port.  Which peers are
#       expected to connect is described by the COLLECTOR stanzas below;
#       limiting the port at the host firewall to those same addresses
#       is a sensible second layer.
#
#    PKTBUFSIZE      (Optional, default 1048576)
#       The length (in bytes) to use for packet buffering in
#       shared memory.
#
#    TABLESOCKFILE   (Required)
#       The full path to be used for the named socket on which cflowd
#       will listen for connections from local clients (cfdases et al.)
#       NOTE(review): presumably access to this socket is governed by
#       filesystem permissions on the socket and its directory -
#       confirm, and keep the directory writable only by the account
#       that runs cflowd.
#
#    FLOWDIR         (Required if storing raw flows, no default)
#       The directory in which to store memory-mapped raw flow files.
#       These files tend to have high I/O requirements.
#       NOTE(review): raw flow files are a record of traffic metadata
#       for the monitored routers; keep this directory readable only by
#       the accounts that need it.
#
#    FLOWFILELEN     (Optional, default 1048576)
#       The maximum length of an individual flow file.  You should
#       be careful with this value; the file is memory mapped and
#       hence should not be too large (1-2M is reasonable in most
#       cases).
#
#    NUMFLOWFILES    (Optional, default 10)
#       The number of raw flow files to retain per router.
#
#    MINLOGMISSED    (Optional, default 300)
#       The minimum number of perceived dropped flows to cause a
#       syslog() message from cflowd.
#
#---------------------------------------------------------------------------
OPTIONS {
  #  syslog to local6 facility.
  LOGFACILITY: local6

  #  Listen for connections from cfdcollect on port 2056.
  TCPCOLLECTPORT: 2056

  #  Use a 2 megabyte packet buffer in shared memory.
  PKTBUFSIZE: 2097152

  #  Use /usr/local/arts/etc/cflowdtable.socket as named stream socket
  #  for connections from local clients (cfdases et al.)
  TABLESOCKFILE: /usr/local/arts/etc/cflowdtable.socket

  #  Keep raw flow files in /usr/local/arts/data/cflowd/flows directory.
  FLOWDIR: /usr/local/arts/data/cflowd/flows

  #  Each raw flow file should be 1000000 bytes in length.
  FLOWFILELEN: 1000000

  #  Keep 10 raw flow files per router.
  NUMFLOWFILES: 10

  #  Log total missed flows from a router if it exceeds 1000 between
  #  connections from cfdcollect (the documented default is 300).
  MINLOGMISSED: 1000
}

#---------------------------------------------------------------------------
#  COLLECTOR stanza
#  ----------------
#  The collector stanza is used to control access from collector
#  clients (e.g. cfdcollect).  Typically you have only one instance
#  of cfdcollect and hence only one COLLECTOR, but you can have as
#  many as you want (for example, if you have a backup host to run
#  cfdcollect when the primary cfdcollect host is down).
#
#  NOTE(review): both example stanzas below use "AUTH: none", so the
#  only restriction visible in this file is the HOST/ADDRESSES match on
#  the connecting peer.  A source address is not proof of identity:
#  list only the hosts that really run cfdcollect, remove stanzas you
#  do not need, and consider a firewall rule or an authenticated tunnel
#  in front of TCPCOLLECTPORT.
#---------------------------------------------------------------------------
COLLECTOR {
  HOST: 10.5.4.226          # IP address of central collector
  ADDRESSES: { 10.5.4.226 }
  AUTH: none
}

COLLECTOR {
  HOST: 127.0.0.1           # Loopback address: a collector running on this host
  ADDRESSES: { 127.0.0.1 }
  AUTH: none
}

#---------------------------------------------------------------------------
#  CISCOEXPORTER stanza
#  --------------------
#  The CISCOEXPORTER stanza contains information about a Cisco that
#  is expected to export flow data to cflowd.
#
#  CISCOEXPORTER fields
#  --------------------
#    HOST       - The IP address of the exporting Cisco.  This is essentially
#                 used as an indexing mechanism, to differentiate one Cisco
#                 from another.
#
#    ADDRESSES  - addresses of individual interfaces on this Cisco.  This
#                 allows cflowd to accept packets with a source address of
#                 one of the interfaces, but still map the data to this
#                 Cisco.
#                 NOTE(review): acceptance is described here purely in
#                 terms of source address.  Flow export normally travels
#                 over UDP, where a source address can be forged; filter
#                 CFDATAPORT so that only the router's addresses can
#                 reach it, and keep this list as short as possible.
#
#    CFDATAPORT - the port to listen on for packets arriving from the
#                 Cisco via flow-export.  This should match the port
#                 argument of the 'ip flow-export ...' config line on
#                 the Cisco.
#
#    LOCALAS    - This is used to substitute an AS number when cflowd gets
#                 data with an AS number of 0.  This is a kludge workaround
#                 due to prefix cache misses on the Cisco and should be used
#                 carefully (set it to 0 to not do substitution).
#
#    SNMPCOMM   - SNMP community for the router.  This is used by
#                 cflowd to get interface names and IP addresses via SNMP.
#                 The community should be enclosed in single quotes.
#                 NOTE(review): the community string is a credential and
#                 is stored here in clear text.  Use a read-only
#                 community and keep this file unreadable to other
#                 local users.
#
#    COLLECT    - What to save from the flow-export data received from the
#                 Cisco.  The possible collect options:
#
#                   protocol   - IP protocol table (pkts/bytes per protocol...
#                                ICMP, UDP, TCP, IGMP, etc.)
#
#                   portmatrix - port matrix.  Pkts/bytes from port A to port B.
#
#                   ifmatrix   - interface matrix.  Pkts/bytes from interface A
#                                to interface B.
#
#                   nexthop    - nexthop table.  Pkts/bytes to each IP next hop.
#
#                   netmatrix  - network matrix.  pkts/bytes from
#                                network A to network B.
#
#                   asmatrix   - AS matrix.  pkts/bytes from AS A to AS B.
#
#                   tos        - TOS (Type Of Service) table.  pkts/bytes vs. IP TOS.
#
#                   flows      - raw flow data.
#
#---------------------------------------------------------------------------
CISCOEXPORTER {
  HOST: 10.5.4.75             #  IP address of Cisco sending data.
  ADDRESSES: { 10.5.4.75 }    #  Addresses of interfaces on Cisco
  CFDATAPORT: 2055            #  Port on which to listen for data.
  COLLECT: { flows }          #  Store raw flow data only (written under FLOWDIR).
}