Configuring a New Linux OS
Please prepare a Red Hat / CentOS operating system with a minimal install on a decently specced machine.
CySight installs by default in the "/" partition under "/digitoll". To make installation simpler, please allocate sufficient space to "/".
The default Linux installation creates a small "/" and a large "/home" partition. If you don't change the partition sizes, you can always copy the database to another partition after the CySight installation and change the datadir in /etc/my.cnf. More on this below.
Disable SELinux
To confirm SELinux is disabled, run: "selinuxenabled && echo enabled || echo disabled"
If SELinux is enabled, edit "/etc/selinux/config" and set the parameter "SELINUX=disabled".
After saving, reboot the server for the SELinux change to take effect.
For environments that require SELinux, enable SELinux and restart the server. Then use semanage to allow ports 3306, 30000 and 30001, and to allow access to /digitoll and its subdirectories and to any additional paths where the database resides on partitions outside the standard installation.
Disable IPv6
Edit the GRUB configuration:
# nano /etc/default/grub
Add "ipv6.disable=1" before "crashkernel=auto" in GRUB_CMDLINE_LINUX.
Update the GRUB configuration file:
# grub2-mkconfig -o /boot/grub2/grub.cfg
Restart the computer.
After the reboot, confirm IPv6 is disabled by running:
# ip a | grep inet6
Full instructions can be found here: https://linuxhint.com/disable_ipv6_centos7/
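The GRUB edit above is easy to get wrong by hand (or to apply twice when a provisioning script reruns), so here is an added example, not part of the CySight guide, that inserts "ipv6.disable=1" before "crashkernel=auto" only if it is not already present. It works on whatever file path you pass in; the sample below is a constructed copy of a CentOS 7 /etc/default/grub written to a temporary file, so nothing on the host is changed.

```shell
#!/bin/sh
# Added example, not from the CySight guide: idempotently insert ipv6.disable=1
# into GRUB_CMDLINE_LINUX of the file given as $1.

# Insert "ipv6.disable=1 " before "crashkernel=auto" on the GRUB_CMDLINE_LINUX line.
# Running it twice leaves the file unchanged, so it is safe in a provisioning script.
add_ipv6_disable() {
    if grep -q 'ipv6\.disable=1' "$1"; then
        return 0
    fi
    tmp=$(mktemp)
    sed 's/^\(GRUB_CMDLINE_LINUX=".*\)crashkernel=auto/\1ipv6.disable=1 crashkernel=auto/' "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# Print the kernel command line so the change can be reviewed before grub2-mkconfig.
show_cmdline() {
    grep '^GRUB_CMDLINE_LINUX=' "$1"
}

# Constructed sample (values typical of a CentOS 7 minimal install, not taken from a real host).
SAMPLE_GRUB=$(mktemp)
cat > "$SAMPLE_GRUB" <<'EOF'
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
GRUB_DISABLE_RECOVERY="true"
EOF

add_ipv6_disable "$SAMPLE_GRUB"
add_ipv6_disable "$SAMPLE_GRUB"   # second run is a no-op
show_cmdline "$SAMPLE_GRUB"
```

To use it on a real host, call add_ipv6_disable /etc/default/grub, review the output of show_cmdline, then run grub2-mkconfig and reboot as described above.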
Apply operating system patches and install the telnet client and other required packages:
yum install perl-ExtUtils-Embed
NOTE: CentOS 7 additional steps
yum install net-tools
yum install iptables-services
systemctl stop firewalld
systemctl mask firewalld
systemctl enable iptables
systemctl start iptables
Install additional tools
yum install tcpdump
yum install net-snmp-utils
yum install wget
yum install telnet
yum install /lib/ld-linux.so.2
Install CySight
Download the latest version
Download CySight and register to receive a license key.
Copy it to an empty directory, e.g. /home/nfasupport/9.9.9, and unarchive it:
tar xf NetFlowAuditor-v9.9.9.tar
./install.sh
At this point CySight is installed and will have started running automatically.
Follow the instructions of the setup. After installation, follow the Getting Started instructions and install the license key.
We highly recommend you also make the changes suggested below, as they will increase the speed of your analytics and ensure your hardware is used to its fullest potential.
ADVANCED INSTALLATION TWEAKING
Changing the Database Location
After installing CySight, if you need to move the database to a larger partition, stop the mysql service and change the location as per the instructions in How to move your database directory.
Configuring CySight
Flows can be excessive in large ISP and campus environments. The tweaks below can be applied to reduce or eliminate loss.
Applied together, they will help smooth out collection-based loss. In large environments, CySight can be configured as a cluster of helpers plus a database server.
Configure system buffers (see Operating system tuning below)
Configure DigiToll.ini (see CySight tuning, Dump Time and Retention below)
Operating system tuning
Increasing the system socket buffer and UDP buffer allows more flows to be collected.
When flows exceed the collector hardware capacity, collection may be affected.
/etc/sysctl.conf
...
net.core.rmem_max=134217728
net.core.rmem_default=134217728
net.ipv4.udp_mem=33554432 33554432 33554432
...
After changing/adding the buffers in sysctl.conf, apply the changes:
# sysctl -p
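Before running sysctl -p it is worth checking that the fragment is internally consistent, because a typo in one of these large numbers is easy to miss. The following added example (not part of the CySight guide) reads a sysctl.conf fragment, checks that rmem_default does not exceed rmem_max and that the udp_mem triple (min, pressure, max) is non-decreasing, and converts the udp_mem maximum to bytes. That conversion is the caveat to remember: net.ipv4.udp_mem is counted in pages, not bytes, so the example assumes a 4096-byte page (as on x86_64). The fragments below are constructed, the first from the guide's recommended values.

```shell
#!/bin/sh
# Added example, not from the CySight guide: sanity-check the buffer values in a
# sysctl.conf fragment before applying them with "sysctl -p".

# Print the value of sysctl key $2 from file $1 (last definition wins, as sysctl does).
conf_value() {
    awk -F= -v k="$2" '
        $1 ~ ("^[ \t]*" k "[ \t]*$") { v = $2 }
        END { gsub(/^[ \t]+|[ \t]+$/, "", v); print v }
    ' "$1"
}

# Return 0 when rmem_default does not exceed rmem_max and the udp_mem triple
# (min, pressure, max) is non-decreasing; otherwise print the problem and return 1.
check_buffers() {
    rmax=$(conf_value "$1" net.core.rmem_max)
    rdef=$(conf_value "$1" net.core.rmem_default)
    set -- $(conf_value "$1" net.ipv4.udp_mem)   # word-split the triple into $1 $2 $3
    [ -n "$rmax" ] && [ -n "$rdef" ] || { echo "rmem_max / rmem_default missing"; return 1; }
    [ "$rdef" -le "$rmax" ] || { echo "rmem_default $rdef exceeds rmem_max $rmax"; return 1; }
    [ $# -eq 3 ] || { echo "udp_mem needs three values (min pressure max)"; return 1; }
    [ "$1" -le "$2" ] && [ "$2" -le "$3" ] || { echo "udp_mem triple must be non-decreasing"; return 1; }
    return 0
}

# udp_mem is expressed in pages, not bytes; convert the max field so it can be
# compared with physical RAM. PAGE_SIZE is assumed to be 4096 (x86_64).
udp_mem_max_bytes() {
    set -- $(conf_value "$1" net.ipv4.udp_mem)
    echo $(( $3 * 4096 ))
}

# Constructed fragment using the values recommended above.
SAMPLE_SYSCTL=$(mktemp)
cat > "$SAMPLE_SYSCTL" <<'EOF'
net.core.rmem_max=134217728
net.core.rmem_default=134217728
net.ipv4.udp_mem=33554432 33554432 33554432
EOF

# Constructed fragment with a default larger than the maximum (a typical typo).
BAD_SYSCTL=$(mktemp)
cat > "$BAD_SYSCTL" <<'EOF'
net.core.rmem_max=16777216
net.core.rmem_default=134217728
net.ipv4.udp_mem=33554432 33554432 33554432
EOF

check_buffers "$SAMPLE_SYSCTL" && echo "sample fragment OK"
check_buffers "$BAD_SYSCTL" || echo "bad fragment rejected"
echo "udp_mem max = $(udp_mem_max_bytes "$SAMPLE_SYSCTL") bytes"
```

On a live host, pass /etc/sysctl.conf to check_buffers and compare udp_mem_max_bytes with the RAM shown by free -b; a ceiling larger than physical memory is not harmful by itself, but it means the setting provides no real limit.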
CySight tuning
Sampling
CySight scales well beyond other flow collection software. Even so, sampling can still be used successfully to reduce loss and enhance collection performance. Some routers and switches force sampling. Each device, once discovered, must be configured with the sampling ratio set on the Exporter Device.
DigiToll.ini - UDP Buffer
Change the UDPBuffer parameter to 16M:
/digitoll/tmp/digitoll.ini
...
UDPBuffer = 16777216
...
Dump Time
Reducing the dump time allows the in-memory collection to be cleared faster and allows the CySight aggregator and data insertion processing to run more efficiently.
Test slowly: change to 30 seconds and confirm.
Then allow a period of processing and confirm the results in Data Collection Tuning for each minute. If loss still occurs after that period, repeat this process.
Flow Retention Rate
This can be set to retain 1 in N flow records. This is different from device packet sampling, which we already support.
Flows tuned in this method retain Interface, ToS and/or Business Groups, and this is useful for both Professional and Performance collection modes.
Non-retained flow policy refers to what information is retained in any flow retention rate aggregation.
Data Collection Tuning
This can be set to aggregate various aspects of the flow. For example, aggregating the ephemeral ports of well-known ports can reduce collection size and smooth out performance in high-flow / high-retention environments.
tmpfs or RamDisk
RAM filesystems can substantially speed up processing where CPU and I/O may be impacting collection. CySight's transient files can be configured to use tmpfs or a ramdisk.
By default, Red Hat/CentOS creates a tmpfs partition on /dev/shm. This is usually quite a large chunk of RAM that is dynamically available as a partition and can be easily loaded and managed via fstab.
The main benefit of tmpfs is that it only uses as much RAM (or swap) as is needed to store the files. In contrast, a 500MB ramdisk will use that much RAM whether it is 10% full or 100% full.
Change the tmpfs setting:
Edit "/etc/fstab" and add the "noatime,nodiratime" options to the tmpfs entry to remove time stamping (this is not mission critical, but it saves extra processing cycles).
In /usr/local/digitoll/conf/digitoll.ini,
change dumpDir, remoteDir and localDir to use the tmpfs:
[Directories]
dumpDir = /dev/shm/dump
remoteDir = /dev/shm/export
localDir = /dev/shm/import
There is no need to create the subdirectories; they are created if they don't exist.
CySight must be restarted to make use of the tmpfs RAM disk:
service digitoll stop
service digitoll start
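The [Directories] change above is a three-key edit inside one section of an ini file, and a naive search-and-replace can hit a key of the same name in another section. Here is an added example, not from the CySight guide, that rewrites only the keys inside [Directories] of a digitoll.ini copy and reads them back for verification. The ini below is constructed: the original paths and the [Backup] section are placeholders, not the layout of a real digitoll.ini, and the script writes to a temporary file rather than to the live configuration.

```shell
#!/bin/sh
# Added example, not from the CySight guide: section-aware ini editing so that only
# the [Directories] keys are pointed at /dev/shm.

# Replace "key = value" for key $3 inside section [$2] of ini file $1.
# Only an existing key is rewritten; a key absent from the section is reported
# and the function returns 1 without touching the file.
set_ini_key() {
    tmp=$(mktemp)
    awk -v s="$2" -v k="$3" -v v="$4" '
        /^\[/ { in_s = ($0 == "[" s "]") }
        in_s && $0 ~ ("^[ \t]*" k "[ \t]*=") { print k " = " v; found = 1; next }
        { print }
        END { if (!found) { print "key " k " not found in [" s "]" > "/dev/stderr"; exit 1 } }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Print the value of key $3 inside section [$2] of ini file $1 (first match only).
get_ini_key() {
    awk -v s="$2" -v k="$3" '
        /^\[/ { in_s = ($0 == "[" s "]") }
        in_s && $0 ~ ("^[ \t]*" k "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Constructed sample ini; the [Backup] section exists only to show that a key of the
# same name outside [Directories] is left alone.
SAMPLE_INI=$(mktemp)
cat > "$SAMPLE_INI" <<'EOF'
[Directories]
dumpDir = /usr/local/digitoll/dump
remoteDir = /usr/local/digitoll/export
localDir = /usr/local/digitoll/import

[Backup]
localDir = /var/digitoll/backup
EOF

# Apply the three tmpfs paths from the guide.
for pair in dumpDir:/dev/shm/dump remoteDir:/dev/shm/export localDir:/dev/shm/import; do
    set_ini_key "$SAMPLE_INI" Directories "${pair%%:*}" "${pair#*:}"
done

# Read back what was written.
for key in dumpDir remoteDir localDir; do
    echo "$key = $(get_ini_key "$SAMPLE_INI" Directories "$key")"
done
```

Before pointing the collector at /dev/shm on a real host, check with df -h /dev/shm that the tmpfs mount is present and large enough for the dump, export and import files, since a full tmpfs will stop collection just as a full disk would; then restart digitoll as shown above.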
Documentation
Further Version 7 documentation can be found in the CySight Knowledge Base, with the latest documentation guides available on Visual Analytics, Multiviews, Forensics, IPv6 and more.