Welcome to docs.opsview.com

NetFlow Sources

Sources are the devices that send NetFlow/sFlow data to collectors. Sources must be configured as a host in Opsview.

Configuration is changed in the Opsview database and will be made live when an Opsview reload is run.

Note: When a source is deleted, its data will be removed gradually via the housekeeping process.

Active

You can deactivate a source so that data is not collected.

Type

Type of source packets - NetFlow or sFlow.

Host

This is the host expected on the configured port of the collector. You also have to set the IP address that is expected of your NetFlow source, so that Opsview can distinguish between different sources sending data to the same collector.

You must configure your NetFlow source so that is pointing to the collector on that particular port. Set the cache timeout interval to 1 minute.

The list of available hosts will be limited based on the hosts monitored by this collector, and by the host groups selection for your role.

Note: In a slave cluster system, you must configure your NetFlow/sFlow source to send to all cluster nodes to ensure redundancy if a node fails.

IP Address

Opsview will reverse lookup the IP address of the host selected.

You can override the IP address if there is a specific IP that the NetFlow source will send its information to the collector (for instance, via a different interface).

Troubleshooting

I am not receiving any data for a source

This could be because the IP address specified is not the one that is received on the collector. Run this command to see which IP the data is being received from:

tcpdump -n -i eth0 port 9995 and udp

For instance, a NetFlow device could use a different network interface (depending on the route to the collector), which would lead to an unexpected IP address as the sender.

How can I tell if data is stored?

This is monitored by the service check Opsview NetFlow Collector Processes.

Check the data directory /var/opt/opsview/netflow/data. This will have one directory for each source, based on the source's host id number.

Inside this directory, there will be a file called nfcapd.current.PID where PID is the number for the nfcapd process. The modification time for this file will change each minute.

This proves that the nfcapd process is listening for information.

Every minute, a new file will be created with the directory structure of YYYY/MM/DD and a file of the name nfcapd.YYYYMMDDHHMM. If this file is greater than 276 bytes, then data is being captured.

Navigation
Print/export
Toolbox