Configuring a New Linux OS
Please prepare Redhat / Centos operating system with a minimal install on a decently specced machine.
CySight installs by default in the "/" partition under "/digitoll". To make installation simpler please allocate sufficient space to "/".
Some default partitions will be created by the Linux installation, which automatically creates a small "/" and a large "/home". If you don't change the partition sizes you can always copy the database to another partition after CySight installation and simply change the datadir in /etc/my.cnf. More on this below.
Disable SELinux
To confirm SELinux is disabled, run: "selinuxenabled && echo enabled || echo disabled"
If SELinux is enabled please edit "/etc/selinux/config" and set parameter "SELINUX=disabled"
After saving, reboot the server for the SELinux change to take effect.
For those environments that require SELinux, please enable SELinux and restart the server. Then use semanage to allow ports 3306, 30000 and 30001, and to allow access to /digitoll and its subdirectories and to any additional paths where the database resides on partitions outside of the standard installation.
Disable ipv6
Edit grub config
Add "ipv6.disable=1 " before "crashkernel=auto" in GRUB_CMDLINE_LINUX
Update the GRUB configuration file
# grub2-mkconfig -o /boot/grub2/grub.cfg
Restart your computer
After reboot, confirm ipv6 is disabled by running:
# ip a | grep inet6
Full instructions can be found here: https://linuxhint.com/disable_ipv6_centos7/
Apply operating system patch and install telnet client
yum install perl-ExtUtils-Embed
NOTE: CENTOS 7 additional steps
yum install net-tools
yum install iptables-services
systemctl stop firewalld
systemctl mask firewalld
systemctl enable iptables
systemctl start iptables
Install additional tools
yum install tcpdump
yum install net-snmp-utils
yum install wget
yum install telnet
yum install /lib/ld-linux.so.2
Install CySight
Download latest version
Download CySight and register to receive a license key
Copy to an empty directory, e.g. /home/nfasupport/9.9.9, and unarchive
tar xf NetFlowAuditor-v9.9.9.tar
At this point you have installed CySight and it will have automatically started running.
Follow the instructions of the Setup. After installation please follow the Getting Started instructions and install the license key.
We highly recommend you also make the changes suggested below, as they will increase the speed of your analytics and ensure your hardware is being used to its fullest potential.
ADVANCED INSTALLATION TWEAKING
Changing the Database Location
After installing CySight, if you need to move the database to a larger partition you need to stop the mysql service and change the location as per the instructions in How to move your database directory
Configuring CySight
Flows can be excessive in large ISP and Campus environments. The below tweaks can be applied to reduce or eliminate loss.
The confluence of these tweaks will assist in smoothing out collection-based loss. In large environments CySight can be configured into a cluster of helpers plus database server.
Configure system Buffers (See below Operating system Tuning)
Configure DigiToll.ini (See below CySight Tuning, Dump Time and Retention)
Operating system tuning
Increasing the system socket buffer and UDP buffer will allow more flows to be collected.
When flows exceed the collector hardware capacity, flows could be impacted.
net.ipv4.udp_mem=33554432 33554432 33554432
After changing/adding the buffers to sysctl.conf apply the changes:
# sysctl -p
CySight tuning
Sampling
CySight scales well beyond other flow collection software. Even so, sampling can still be used successfully to reduce loss and enhance collection performance. Some routers and switches force sampling. Each device once discovered must be configured with the sampling ratio set on the Exporter Device.
DigiToll.ini - UDP Buffer
Change the UDPBuffer parameter to 16M
UDPBuffer = 16777216
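An added example, not CySight code: a shell check that the sysctl and UDPBuffer values above actually take effect, plus a kernel-side counter for lost datagrams. It assumes the collector requests its receive buffer with an ordinary SO_RCVBUF call, which the kernel caps at net.core.rmem_max; the ini file location, the rmem_max values and the counter values are constructed samples. Note that net.ipv4.udp_mem is counted in memory pages, not bytes.

```bash
#!/bin/sh
# Added example (not vendor code): do the buffer settings above take effect?

# Read "UDPBuffer = N" from the ini file given as $1.
ini_udp_buffer() {
    awk -F= '/^[ \t]*UDPBuffer[ \t]*=/ { print int($2); exit }' "$1"
}

# Assumption: the collector uses a plain SO_RCVBUF request, which the kernel
# caps at net.core.rmem_max. $1 = requested bytes, $2 = rmem_max in bytes.
buffer_fits() {
    [ "$1" -le "$2" ]
}

# net.ipv4.udp_mem is counted in pages. $1 = pages, $2 = page size in bytes.
udp_mem_bytes() {
    echo $(( $1 * $2 ))
}

# Print the Udp RcvbufErrors counter (datagrams dropped because a socket
# receive buffer was full) from a file in /proc/net/snmp format.
udp_rcvbuf_errors() {
    awk '$1 == "Udp:" {
        if (col) { print $col; exit }
        for (i = 2; i <= NF; i++) if ($i == "RcvbufErrors") col = i
    }' "$1"
}

# Constructed sample input so the example runs offline.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
printf 'UDPBuffer = 16777216\n' > "$sample_dir/DigiToll.ini"
cat > "$sample_dir/snmp" <<'EOF'
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 9120034 12 4817 3301 4817 0 0 0
EOF

want=$(ini_udp_buffer "$sample_dir/DigiToll.ini")
for rmem_max in 212992 33554432; do    # constructed rmem_max values
    if buffer_fits "$want" "$rmem_max"; then verdict="honoured"
    else verdict="capped by kernel"; fi
    echo "UDPBuffer=$want rmem_max=$rmem_max -> $verdict"
done
echo "udp_mem 33554432 pages x 4096 B = $(udp_mem_bytes 33554432 4096) bytes"
echo "UDP RcvbufErrors: $(udp_rcvbuf_errors "$sample_dir/snmp")"
# Live values: sysctl -n net.core.rmem_max; getconf PAGESIZE;
# udp_rcvbuf_errors /proc/net/snmp (a rising counter means flows are lost).
```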
Reducing the dump time allows memory collection to be cleared faster and allows the CySight aggregator and data insertion processing to run more efficiently.
Test slowly. Change to 30 seconds and confirm.
Then allow a period of processing and confirm the results in Data Collection Tuning for each minute. After this period, if loss still occurs, repeat this process.
Flow Retention Rate
This can be set to retain 1 in N flow records. This is different from device packet sampling, which we already support.
The flows that are tuned with this method retain Interface, ToS and/or Business Groups. It is useful for both Professional and Performance collection modes.
Non Retained flow policy refers to what information is retained in any flow retention rate aggregation.
Data Collection Tuning
This can be set to aggregate various aspects of the flow. For example, aggregating up the ephemeral ports of well-known ports can reduce collection size and smooth out performance in high-flow / high-retention environments.
tmpfs or RamDisk
RAM filesystems can substantially speed up processing where CPU and I/O may be impacting collection. CySight's transient files can be configured to use tmpfs or a ramdisk.
By default Redhat/Centos creates a tmpfs partition on /dev/shm. This is usually quite a large chunk of RAM that is dynamically available as a partition that can be easily loaded and managed by fstab.
The main benefit of tmpfs is that it only uses as much RAM (or swap) as is needed to store the files. In contrast, a 500MB ramdisk will use that much RAM whether it is 10% full or 100% full.
Change the tmpfs setting:
Edit "/etc/fstab" and add the "noatime,nodiratime" options to the tmpfs entry to remove time stamping (this is not mission critical but it saves extra processing cycles).
Change dumpDir, remoteDir and localDir to use the tmpfs.
dumpDir = /dev/shm/dump
remoteDir = /dev/shm/export
localDir = /dev/shm/import
There is no need to create the subdirectories; we create them if they don't exist.
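An added example, not CySight code: /dev/shm is writable by every local account, so before restarting it is worth checking that the three transient directories are real directories owned by the service account and not writable by group or other, and that the fstab entry carries the intended options. The service account name is not given on this page (SVCUSER is a placeholder), keeping nosuid,nodev on the entry is a hardening assumption of this example, and the directory tree and fstab line below are constructed stand-ins.

```bash
#!/bin/sh
# Added example (not vendor code): verify the tmpfs transient directories.

# Succeeds only if $1 is a real directory (not a symlink), owned by $2,
# and not writable by group or other.
dir_is_safe() {
    [ -n "$(find "$1" -prune -type d -user "$2" ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# Print the options field of the fstab entry for mount point $1 in file $2.
fstab_opts() {
    awk -v mp="$1" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$2"
}

# Succeeds if every option in the comma list $2 is present in $1.
has_opts() {
    for want in $(echo "$2" | tr ',' ' '); do
        case ",$1," in *",$want,"*) ;; *) return 1 ;; esac
    done
}

# Constructed stand-ins for /dev/shm and /etc/fstab so this runs offline.
shm=$(mktemp -d)
trap 'rm -rf "$shm"' EXIT
me=$(id -u)
mkdir -m 0750 "$shm/dump"                       # correctly pre-created
mkdir "$shm/export"; chmod 0777 "$shm/export"   # too permissive
ln -s /tmp "$shm/import"                        # symlink, not a directory
printf 'tmpfs /dev/shm tmpfs defaults,noatime,nodiratime,nosuid,nodev 0 0\n' \
    > "$shm/fstab"

for d in dump export import; do
    if dir_is_safe "$shm/$d" "$me"; then echo "$d: ok"; else echo "$d: REJECT"; fi
done
opts=$(fstab_opts /dev/shm "$shm/fstab")
has_opts "$opts" noatime,nodiratime && echo "fstab: timestamp options present"
# On the collector, as root and before restarting the service:
#   install -d -m 0750 -o SVCUSER /dev/shm/dump /dev/shm/export /dev/shm/import
```

Because tmpfs is emptied at every reboot, pre-created directories have to be recreated at boot before the service starts.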
CySight must be restarted to make use of the tmpfs ram disk:
service digitoll stop
service digitoll start
Documentation
Further Version 7 documentation can be found in the CySight Knowledge base, with the latest documentation guides available on Visual Analytics.