Config: Linux Config and Tuning Checklist

Installation instructions for CySight and supported Operating Systems


Configuring a New Linux OS

Please prepare a Red Hat / CentOS operating system with a minimal install on an adequately specified machine.

CySight installs by default in the "/" partition under "/digitoll". To make installation simpler, please allocate sufficient space to "/".

Some default partition layouts created by the Linux installer produce a small "/" and a large "/home". If you don't change the partition sizes, you can always copy the database to another partition after the CySight installation and simply change the datadir in /etc/my.cnf. More on this below.

Disable SELinux

To confirm SELinux is disabled, run: "selinuxenabled && echo enabled || echo disabled"

If SELinux is enabled, edit "/etc/selinux/config" and set the parameter "SELINUX=disabled".
After saving, reboot the server for the SELinux change to take effect.

For environments that require SELinux, enable SELinux and restart the server. Then use semanage to allow ports 3306, 30000 and 30001, and to allow access to /digitoll and its subdirectories plus any additional paths where the database resides on partitions outside the standard installation.

Disable ipv6

Edit the GRUB defaults file:
# nano /etc/default/grub

Add "ipv6.disable=1 " before "crashkernel=auto" in GRUB_CMDLINE_LINUX.

Regenerate the GRUB configuration file:
# grub2-mkconfig -o /boot/grub2/grub.cfg

Restart the server.

After the reboot, confirm IPv6 is disabled by running (no output means no IPv6 addresses are configured):
# ip a | grep inet6

Full instructions can be found here : https://linuxhint.com/disable_ipv6_centos7/
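The GRUB edit above is easy to get wrong by hand (a missing space, or the parameter added twice on a second pass). The following shell script is an added example, not part of the CySight install scripts: it inserts ipv6.disable=1 at the start of the GRUB_CMDLINE_LINUX value (so it lands before crashkernel=auto whether or not that option is present), refuses to run twice, and writes through a temporary file so a failed edit cannot truncate the original. The demo at the bottom runs against a constructed copy of a typical CentOS 7 file, never against /etc/default/grub.

```shell
#!/bin/sh
# Added example (not CySight's own tooling): idempotently add "ipv6.disable=1"
# to GRUB_CMDLINE_LINUX in a GRUB defaults file. To apply for real, as root:
#   add_ipv6_disable /etc/default/grub && grub2-mkconfig -o /boot/grub2/grub.cfg

# Return 0 if the GRUB_CMDLINE_LINUX line already carries ipv6.disable=1.
grub_has_ipv6_disable() {
    grep -q '^GRUB_CMDLINE_LINUX=.*ipv6\.disable=1' "$1"
}

# Insert the parameter once; a second run leaves the file untouched.
add_ipv6_disable() {
    f="$1"
    if grub_has_ipv6_disable "$f"; then
        echo "$f: ipv6.disable=1 already present"
        return 0
    fi
    if ! grep -q '^GRUB_CMDLINE_LINUX="' "$f"; then
        echo "$f: no GRUB_CMDLINE_LINUX=\"...\" line found" >&2
        return 1
    fi
    tmp="$f.tmp.$$"
    # Write to a temp file first, then move it into place atomically.
    sed 's/^GRUB_CMDLINE_LINUX="/&ipv6.disable=1 /' "$f" > "$tmp" && mv "$tmp" "$f"
}

# Number of inet6 addresses the running kernel exposes; 0 after the reboot
# means the change took effect (same check as "ip a | grep inet6").
inet6_address_count() {
    ip a 2>/dev/null | grep -c inet6
}

# Demo on a constructed copy of a typical CentOS 7 grub file.
demo_grub="$(mktemp)"
printf 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet"\n' > "$demo_grub"
add_ipv6_disable "$demo_grub"
add_ipv6_disable "$demo_grub"   # second call reports "already present"
grep '^GRUB_CMDLINE_LINUX=' "$demo_grub"
rm -f "$demo_grub"
```

After running it on the real file, regenerate grub.cfg and reboot as described above; inet6_address_count returning 0 afterwards confirms the result.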

Apply operating system patches and install the telnet client

yum install perl-ExtUtils-Embed

NOTE: CentOS 7 additional steps

yum install net-tools
yum install iptables-services

systemctl stop firewalld
systemctl mask firewalld
systemctl enable iptables
systemctl start iptables

Install additional tools

yum install tcpdump
yum install net-snmp-utils
yum install wget
yum install telnet
yum install /lib/ld-linux.so.2

Install CySight

Download latest version

Download CySight and register to receive a license key.

Copy it to an empty directory, e.g. /home/nfasupport/9.9.9, and unarchive it:

tar xf NetFlowAuditor-v9.9.9.tar
./install.sh

At this point CySight is installed and will have started automatically.

Follow the Setup instructions. After installation, please follow the Getting Started instructions and install the license key.

We highly recommend you also make the changes suggested below, as they will increase the speed of your analytics and ensure your hardware is used to its fullest potential.

ADVANCED INSTALLATION TWEAKING

Changing the Database Location

After installing CySight, if you need to move the database to a larger partition, stop the mysql service and change the location as described in How to move your database directory.

Configuring CySight

Flow volumes can be excessive in large ISP and campus environments. The tweaks below can be applied to reduce or eliminate loss.

Applied together they help smooth out collection-based loss. In large environments CySight can be configured as a cluster of helpers plus a database server.

Configure system buffers (see Operating system tuning below)
Configure DigiToll.ini (see CySight tuning, Dump Time and Flow Retention Rate below)

Operating system tuning

Increasing the system socket buffer and UDP buffer allows more flows to be collected.
When flows exceed the collector hardware's capacity, flows may be lost.

/etc/sysctl.conf
...
net.core.rmem_max=134217728
net.core.rmem_default=134217728
net.ipv4.udp_mem=33554432 33554432 33554432
...

After changing or adding the buffer settings in sysctl.conf, apply the changes:

# sysctl -p

CySight tuning

Sampling

CySight scales well beyond other flow collection software. Even so, sampling can still be used successfully to reduce loss and improve collection performance. Some routers and switches force sampling. Once discovered, each device must be configured with the sampling ratio set on the exporter device.

DigiToll.ini - UDP Buffer

Change the UDPBuffer parameter to 16M (16777216 bytes):

/digitoll/tmp/digitoll.ini
...
UDPBuffer = 16777216
...
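The sysctl buffers above and the UDPBuffer setting here depend on each other: Linux silently caps any socket receive buffer request (SO_RCVBUF) at net.core.rmem_max, so a 16M UDPBuffer only takes effect if rmem_max is at least that large. The following shell script is an added example, not part of CySight, that reads UDPBuffer from an ini file and compares it with a given rmem_max. The ini_get key parser and the demo ini fragment are constructed for the example; the real file is /digitoll/tmp/digitoll.ini and the kernel value is read from /proc/sys/net/core/rmem_max.

```shell
#!/bin/sh
# Added example (not CySight's own tooling): confirm the UDPBuffer requested in
# digitoll.ini does not exceed the kernel limit net.core.rmem_max, which would
# otherwise cap it silently.

# Read the numeric value of "Key = value" from an ini file, tolerating spaces.
ini_get() {
    # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$1" | head -n 1
}

# Current kernel limit; 0 when it cannot be read (non-Linux host).
current_rmem_max() {
    cat /proc/sys/net/core/rmem_max 2>/dev/null || echo 0
}

# Returns 0 if UDPBuffer fits under rmem_max, 1 if the kernel would cap it,
# 2 if the ini has no numeric UDPBuffer.
check_udp_buffer() {
    ini="$1"; rmem="$2"
    want="$(ini_get "$ini" UDPBuffer)"
    [ -n "$want" ] || { echo "UDPBuffer not set in $ini" >&2; return 2; }
    if [ "$want" -gt "$rmem" ]; then
        echo "UDPBuffer=$want exceeds net.core.rmem_max=$rmem; raise rmem_max in /etc/sysctl.conf and run sysctl -p"
        return 1
    fi
    echo "UDPBuffer=$want fits under net.core.rmem_max=$rmem"
    return 0
}

# Demo on a constructed ini fragment (not the real /digitoll/tmp/digitoll.ini).
demo_ini="$(mktemp)"
printf 'UDPBuffer = 16777216\n' > "$demo_ini"
check_udp_buffer "$demo_ini" 134217728              # the value recommended above: fits
check_udp_buffer "$demo_ini" 212992 || true         # a typical stock kernel default: capped
check_udp_buffer "$demo_ini" "$(current_rmem_max)" || true   # this host's live limit
rm -f "$demo_ini"
```

A return code of 1 on the live check means the sysctl change from the previous section has not been applied (or sysctl -p has not been run yet); the collector would be running with a smaller buffer than the ini suggests.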

Dump Time

Reducing the dump time allows collected data held in memory to be cleared faster, and allows the CySight aggregator and data insertion processing to run more efficiently.
Test slowly: change it to 30 seconds and confirm.

Then allow a period of processing and confirm the results in Data Collection Tuning for each minute. If loss still occurs after that period, repeat this process.

Flow Retention Rate

This can be set to retain 1 in N flow records. This is different from device packet sampling, which is already supported.

Flows tuned in this way retain Interface, ToS and/or Business Groups, and the method is useful for both Professional and Performance collection modes.

The Non-Retained Flow Policy refers to what information is retained in any flow retention rate aggregation.

Data Collection Tuning

This can be set to aggregate various aspects of the flow. For example, aggregating up the ephemeral ports of well-known-port conversations can reduce collection size and smooth out performance in high-flow / high-retention environments.

tmpfs or RamDisk

RAM filesystems can substantially speed up processing where CPU and I/O may be impacting collection. CySight's transient files can be configured to use tmpfs or a ramdisk.

By default Red Hat/CentOS creates a tmpfs partition on /dev/shm. This is usually quite a large chunk of RAM that is dynamically available as a partition and can be easily loaded and managed via fstab.

The main benefit of tmpfs is that it only uses as much RAM (or swap) as is needed to store the files. In contrast, a 500MB ramdisk will use that much RAM whether it is 10% full or 100% full.

Change the tmpfs setting:

Edit "/etc/fstab" and add the "noatime,nodiratime" options to the tmpfs entry to remove access-time stamping (this is not mission critical, but it saves extra processing cycles).

In /usr/local/digitoll/conf/digitoll.ini, change dumpDir, remoteDir and localDir to use the tmpfs:

[Directories]
dumpDir = /dev/shm/dump
remoteDir = /dev/shm/export
localDir = /dev/shm/import

There is no need to create the subdirectories; CySight creates them if they don't exist.
CySight must be restarted to make use of the tmpfs ram disk:

service digitoll stop
service digitoll start
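The fstab change above is a one-line edit, but the /dev/shm line has to keep its existing options (for example a size= limit) and must not end up with noatime listed twice after a second pass. The following shell script is an added example, not part of CySight: it rewrites only the tmpfs line for the given mount point in an fstab-format file, appends whichever of noatime and nodiratime is missing, and leaves every other line byte-for-byte unchanged. The fstab content in the demo is constructed; run the function against /etc/fstab as root and then "mount -o remount /dev/shm" (or reboot) to apply.

```shell
#!/bin/sh
# Added example (not CySight's own tooling): add "noatime,nodiratime" to the
# tmpfs entry for a mount point in an fstab-format file, idempotently.

add_tmpfs_noatime() {
    # $1 = fstab file, $2 = mount point (e.g. /dev/shm)
    f="$1"; mp="$2"; tmp="$f.tmp.$$"
    awk -v mp="$mp" '
        # Only rewrite the tmpfs line whose mount point matches; skip comments.
        $1 !~ /^#/ && $2 == mp && $3 == "tmpfs" {
            opts = $4
            n = split(opts, o, ",")
            has_noatime = 0; has_nodiratime = 0
            for (i = 1; i <= n; i++) {
                if (o[i] == "noatime") has_noatime = 1
                if (o[i] == "nodiratime") has_nodiratime = 1
            }
            if (!has_noatime) opts = opts ",noatime"
            if (!has_nodiratime) opts = opts ",nodiratime"
            # Re-emit the six fstab fields tab-separated.
            print $1 "\t" $2 "\t" $3 "\t" opts "\t" $5 "\t" $6
            next
        }
        { print }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# Print the mount options recorded for a tmpfs mount point (empty if no entry).
tmpfs_options() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp && $3 == "tmpfs" { print $4; exit }' "$1"
}

# Demo on a constructed fstab (never touches /etc/fstab).
demo_fstab="$(mktemp)"
printf '# constructed sample\nUUID=0000-0000 / xfs defaults 0 0\ntmpfs /dev/shm tmpfs defaults 0 0\n' > "$demo_fstab"
add_tmpfs_noatime "$demo_fstab" /dev/shm
add_tmpfs_noatime "$demo_fstab" /dev/shm   # second pass adds nothing
tmpfs_options "$demo_fstab" /dev/shm       # defaults,noatime,nodiratime
rm -f "$demo_fstab"
```

If tmpfs_options prints nothing, the file has no tmpfs entry for that mount point and the function leaves it unchanged; on such a host the mount is managed elsewhere and the options must be set there. Two operational points follow from the page's own description of these files as transient: whatever sits in /dev/shm/dump, /dev/shm/export and /dev/shm/import at shutdown is gone after a reboot, so stop the collector cleanly before rebooting, and because tmpfs grows on demand (by default up to half of RAM), a collector that falls behind can fill memory with dump files rather than disk, which is worth a size= limit on the entry and a free-space alert on the mount.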

Documentation

Further Version 7 documentation can be found in the CySight Knowledge Base, with the latest documentation guides available on Visual Analytics, Multiviews, Forensics, IPv6 and more.