{{tag>[flowviewer centos 7]}}

=====FlowViewer on CentOS 7=====
This page describes the installation of [[http://sourceforge.net/p/flowviewer/wiki/Home/|FlowViewer]] on CentOS 7  for NetFlow reporting.

Quote FlowViewer wiki: //"FlowViewer has been developed for NASA’s Earth Sciences Data and Information System (ESDIS) networks, and credit goes to NASA for their usual outstanding support of innovation."// 

=====Prerequisites=====
  * Install development tools:<code>yum groupinstall development tools
yum install glib2-devel</code>
  * Install libraries and source code:<code>yum install zlib zlib-devel lzo lzo-devel libpcap libpcap-devel gnutls gnutls-devel python-devel c-ares c-ares-devel openssl-devel </code>
  * Install webserver and dependencies:<code>yum install httpd gd perl-GD perl-GDGraph perl-GDTextUtil rrdtool
systemctl enable httpd
systemctl start httpd</code>
  * Download, compile and install libxbuf from [[http://tools.netsa.cert.org/fixbuf/]]:<code>tar zxvf libfixbuf-1.6.2.tar.gz
./configure && make && make install
</code>
  * Download, compile and install netsa from [[http://tools.netsa.cert.org/netsa-python/index.html]]:<code>tar zxvf netsa-python-1.4.3.tar.gz
python setup.py build
python setup.py install</code>

  * Download, compile and install libipa from [[http://tools.netsa.cert.org/ipa/download.html]]:<code>tar zxvf ipa-0.5.2.tar.gz
./configure && make && make install</code>
  * Add /usr/local/lib to library path. <code>echo /usr/local/lib >>/etc/ld.so.conf.d/local.conf
ldconfig -v</code>
=====Install SiLK=====
  * Download SiLK from: [[http://tools.netsa.cert.org/]]
  * Extract tar.gz file:<code>tar zxvf silk-3.10.1.tar.gz</code>
  * Configure and compile:<code>
mkdir -p /opt/silk/data
./configure \
          --enable-data-rootdir=/opt/silk/data \
          --prefix=/opt/silk \
          --enable-output-compression \
          --with-libipa=/usr/local/lib/pkgconfig \
          --with-libfixbuf=/usr/local/lib/pkgconfig

make
make install

************************************************************
Example site configuration files have been installed in
    /opt/silk/share/silk/*-silk.conf
Choose the file that matches your packing logic plug-in
and/or installation, rename it to silk.conf, customize it,
and copy it to the root of the data directory:
    /opt/silk/data/silk.conf
************************************************************
</code>

=====Configure SiLK=====
  * Create /opt/data/silk.conf:<code>cp /opt/silk/share/silk/twoway-silk.conf /opt/silk/data/silk.conf</code>
  * Edit silk.conf for example:<code>sensor 0 uplink    "Uplink"

class all
    sensors uplink
end class</code>
  * Specify local address space:<code>cd /opt/silk/share/silk
cp addrtype-templ.txt addresses.txt
vi addresses.txt
  # My IP space (CMU)
  128.2.0.0/16        internal

/opt/silk/bin/rwpmapbuild --input addresses.txt --output address_types.pmap
</code>
  * Install Country Code mapping (legacy format). Download CSV from [[http://dev.maxmind.com/geoip/legacy/geolite/]]:<code>unzip -p GeoIPCountryCSV.zip | \
          /opt/silk/bin/rwgeoip2ccmap --csv-input > country_codes.pmap

cp country_codes.pmap /opt/silk/share/silk/country_codes.pmap</code>
  * Create /opt/silk/data/sensor.conf:<code>probe uplink netflow-v9
     listen-on-port 9901
     protocol udp
     accept-from-host 1.2.3.1
end probe
sensor uplink
     netflow-v9-probes uplink
     internal-ipblock 1.2.3.0/24
     external-ipblock remainder
end sensor</code>
  * Create /opt/silk/etc/rwflowpack.conf:<code>ENABLED=yes
BIN_DIR=/opt/silk/sbin
DATA_ROOTDIR=/opt/silk/data
PID_DIR=/var/run
SENSOR_CONFIG=/opt/silk/data/sensor.conf
SITE_CONFIG=/opt/silk/data/silk.conf
INPUT_MODE=stream
OUTPUT_MODE=local-storage
LOG_TYPE=legacy
LOG_DIR=/opt/silk/log
LOG_LEVEL=info
CREATE_DIRECTORIES=yes</code>
  * Enable (legacy) service:<code>cp /root/silk-3.10.1/src/rwflowpack/rwflowpack.init.d /etc/init.d/rwflowpack
chkconfig rwflowpack on
service rwflowpack start</code>

=====Configure NetFlow v9 for RouterOS=====
  * Put source in trusted zone, add udp port:<code>firewall-cmd --permanent --zone=trusted --add-source=1.2.3.1
firewall-cmd --permanent --zone=trusted --add-port=9901/udp
firewall-cmd --reload
firewall-cmd --zone=trusted --list-all
</code>
  * On RouterOS add flow config:<code>/ip traffic-flow target add version=9 address=1.2.3.4:9901
/ip traffic-flow set enabled=yes interfaces=bridge1-uplink
/ip firewall filter chain=output action=accept protocol=udp dst-address=1.2.3.6 dst-port=9901
</code>
=====Test query=====
  * Test SiLK with a query:<code>/opt/silk/bin/rwfilter --sensor=uplink --proto=0-255 --pass=stdout --type=all | /opt/silk/bin/rwcut | tail</code>

=====Install FlowViewer=====
  * Download FlowViewer: [[http://sourceforge.net/projects/flowviewer/files]]
  * Open port to webserver:<code>firewall-cmd --permanent --zone=trusted --add-service=http
firewall-cmd --reload
firewall-cmd --zone=trusted --list-all</code>
  * Untar into /var/www/cgi-bin subdirectory:<code>cd /var/www/cgi-bin
tar xvf /root/FlowViewer_4.6.tar</code>
  * Configure FlowViewer_Configuration.pm variables as necessary.
  * Allow write access for FlowViewer:<code>semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/FlowGrapher(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/FlowMonitor(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/FlowViewer(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/FlowViewer_Dashboard(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/FlowViewer_Saves(/.*)?"

restorecon -Rv /var/www/html</code>
  * Create all necessary directories with proper permissions.
  * Copy FlowViewer.css, FlowViewer.png to $reports_directory.
  * Start FlowMonitor_Collector, FlowMonitor_Grapher in background.
  * Point browser to FV.cgi