The procedure for starting and stopping FlowTraq Server depends on the host operating system.

On all versions of Windows, use the Services control panel. Click Start, then Run, enter "services.msc" in the Run field, and click Run. In the table that appears, find "ProQueSys FlowTraq Server". Start or stop FlowTraq Server by right-clicking its entry in the table and selecting the appropriate menu item.

On Mac OS X, use launchctl. Open a Terminal window (from Applications->Utilities) and use the following commands to start and stop FlowTraq Server.

% sudo launchctl load /Library/LaunchDaemons/com.proquesys.flowtraq.plist
% sudo launchctl unload /Library/LaunchDaemons/com.proquesys.flowtraq.plist

On Linux systems, use the launch script in /etc/init.d. Open a shell and use the following commands to start and stop FlowTraq Server.

% sudo /etc/init.d/flowtraq start
% sudo /etc/init.d/flowtraq stop

On BSD, use the launch script in /etc/rc.d. Open a shell and use the following commands to start and stop FlowTraq Server.

% sudo /etc/rc.d/flowtraq start
% sudo /etc/rc.d/flowtraq stop
It is not necessary to shut down FlowTraq Server in order to back up the session database. To back up the session database, take the following steps:

1. Copy the full contents of the session database directory to the backup location.

   Session Database Location: The default location of the session database depends on the host platform. On Windows, it is C:\Program Files\ProQueSys\FlowTraq Server\SESSIONDB. On Mac OS X, it is /Library/Application Support/flowtraq/SESSIONDB. On Linux/Solaris/FreeBSD, it is /opt/flowtraq/SESSIONDB. Note that if you edited FlowTraq Server's configuration file or selected a non-default installation directory or session database directory during installation, the session database may be located somewhere else. Check the Performance preference panel of FlowTraq Client.

2. Copy just the index again; that is, re-copy the ns2xxxxx.metadb file from the session database directory to the backup location.

Performing the backup in this way helps ensure that the indices are up-to-date. Although it is still theoretically possible to back up an out-of-date index with this technique, the alternative (having to shut the server down for the duration of the backup procedure) would result in significantly more data loss.

Important: If a serious gap in data is found after a recovery, take the following steps. This will force a re-indexing of the existing data and ensure data consistency. Note, however, that this operation takes time.
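The two-step online backup described above, written out as an added shell script; this is not part of FlowTraq's own tooling. It assumes the session database directory and the backup destination are passed as arguments, and that the index file matches the glob ns2*.metadb (the manual writes the name as ns2xxxxx.metadb). The second copy of the index is the point of the procedure: the index lands in the backup after the data segments, so it describes segments that were written while the first copy was running.

```shell
#!/bin/sh
# Added example, not FlowTraq's own tooling: back up the session database while the
# server keeps running. Arguments: $1 = session database directory, $2 = backup location.
# The index file name is assumed to match ns2*.metadb (manual: ns2xxxxx.metadb).
backup_sessiondb() {
    src=$1
    dest=$2
    [ -d "$src" ] || { echo "session database directory not found: $src" >&2; return 1; }
    mkdir -p "$dest" || return 1

    # Step 1: copy the full contents of the session database directory.
    # The server is still writing, so segments may change while this copy runs.
    cp -R "$src"/. "$dest"/ || return 1

    # Step 2: re-copy just the index, so the backed-up index is at least as new as
    # the data segments that were copied in step 1.
    found=0
    for idx in "$src"/ns2*.metadb; do
        [ -f "$idx" ] || continue
        cp "$idx" "$dest"/ || return 1
        echo "re-copied index: $idx"
        found=1
    done
    [ "$found" -eq 1 ] || { echo "no ns2*.metadb index found in $src" >&2; return 1; }
}

# Usage on a Linux install with the default location (path from the manual):
#   backup_sessiondb /opt/flowtraq/SESSIONDB /backup/flowtraq/SESSIONDB
```

The function fails loudly if no index file is present in the source directory, since a backup without a re-copied index is exactly the out-of-date case the procedure is meant to avoid.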
To clear the FlowTraq session database, take the following steps:

1. Stop FlowTraq Server. (See Section 10.3.1, “Starting and Stopping FlowTraq Server” for more information on starting and stopping FlowTraq Server.)
2. Delete the contents of the session database directory. (Alternatively, move the contents to another folder.)
3. Start FlowTraq Server.

Upon restart, the session database directory will be repopulated with files corresponding to an empty database.
FlowTraq Server keeps its main configuration parameters stored in a configuration file named flowtraq.conf. This file is located in FlowTraq Server's installation directory.

Important: FlowTraq Server may overwrite this file as a result of changes made from FlowTraq Client.

The format of flowtraq.conf is plain text and is described below. You may edit it using your choice of text editor. However, in order for the changes to take effect, you must either restart FlowTraq Server (Windows) or signal it (all other operating systems). See Section 10.3.1, “Starting and Stopping FlowTraq Server” for more information on starting and stopping FlowTraq Server.
On non-Windows platforms, signal FlowTraq Server by sending the SIGHUP or "hang-up" signal to the flowtraq process. To do this, take the following steps:

1. Discover the process ID (PID) of the flowtraq process by using the ps command:

   % ps -ef | grep flowtraq

   The PID will be among the output of the ps command. (Alternatively, you may read the contents of the PID file stored in /var/run/flowtraq.pid. Note that this technique works on all Unix platforms except Mac OS X.)

2. Use kill to send the SIGHUP signal to flowtraq, using the PID you found in step 1:

   % kill -HUP XXXX
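The two steps above as an added shell script (not part of the FlowTraq distribution). It prefers the PID file from the manual, /var/run/flowtraq.pid, but treats it as untrusted: a PID file can be stale after a crash, so the PID is only used if a live process answers to it, and otherwise the process table is consulted by exact command name rather than by grepping, which would also match the grep itself. The PID file path can be overridden with the first argument, which is what you need on Mac OS X where there is no PID file; the process name "flowtraq" and the privileges needed for kill are assumptions (run it the way the manual runs its commands, with sudo).

```shell
#!/bin/sh
# Added example, not FlowTraq's own tooling: find the flowtraq process and send SIGHUP
# so the server re-reads flowtraq.conf. Assumes the process is named "flowtraq" and
# that the PID file lives at /var/run/flowtraq.pid unless $1 overrides it.

# Print the PID of the running flowtraq process, or return 1 if none can be found.
flowtraq_pid() {
    pidfile=${1:-/var/run/flowtraq.pid}
    pid=""
    if [ -r "$pidfile" ]; then
        pid=$(tr -d '[:space:]' < "$pidfile")
        # A PID file may be stale (server crashed, PID file left behind), so only
        # accept the number if a process with that PID is actually alive.
        case $pid in
            ''|*[!0-9]*) pid="" ;;
            *) kill -0 "$pid" 2>/dev/null || pid="" ;;
        esac
    fi
    if [ -z "$pid" ]; then
        # Fall back to the process table. Match the command's base name exactly instead
        # of "grep flowtraq", so neither the grep process nor similarly named tools match.
        pid=$(ps -eo pid=,comm= 2>/dev/null |
              awk '{ n = $2; sub(/.*\//, "", n); if (n == "flowtraq") { print $1; exit } }')
    fi
    [ -n "$pid" ] || return 1
    printf '%s\n' "$pid"
}

# Step 2 of the manual: signal the server to reload its configuration.
reload_flowtraq_config() {
    pid=$(flowtraq_pid "$1") || { echo "flowtraq does not appear to be running" >&2; return 1; }
    kill -HUP "$pid"
}

# Usage (Linux/BSD):   sudo sh -c '. ./flowtraq_reload.sh; reload_flowtraq_config'
# Usage (Mac OS X):    pass a non-existent PID file path so the process-table lookup is used.
```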
The FlowTraq configuration file is organized in a key/value-pair hierarchy. In general, configuration keys can appear in any order in the file; however, some related keys must be placed together in sections, which are opened with <section-name> tags and closed by </section-name> tags.

Below is a typical flowtraq.conf.

Notice the sections on <netflow>, <sflow>, <sessiontables>, <mail>, and <storage>. We will refer to keys in these sections in their "path" notation: sflow/sflowport, indicating that they belong to a specific configuration section.
- querythreads
  The number of threads the server keeps available to service queries and generate alerts and reports. If there are 4 pending queries, and 3 querythreads, one query will have to wait for a thread to become available before being serviced. Any value between 3 and 6 will usually suffice. We recommend using at least 2 querythreads. The maximum is 20. Each querythread will consume about 100MB of RAM.

- ip2cfile
  This is the file that FlowTraq Server uses to resolve IP addresses to country codes. It is a compilation of the IP-to-country files provided by various Internet registries around the world. Each version of FlowTraq ships with an updated file. If you would like to receive updates to this file between FlowTraq releases, please contact FlowTraq support.

- servicesfile
  This is the file that FlowTraq Server uses to resolve server port numbers to application names. It is formatted the same as the common Unix /etc/services file. You can add your own service names to this file.

- alertslogfile
  This file records all data-driven alerts that are generated by the software. This file will grow over time, and is not automatically rotated.

- user
  The registered user name associated with the license key. License keys are issued in combination with a username, so it is important to copy your user name accurately.

- license
  The license key that authorizes FlowTraq. License keys generally look similar to FlowTraq_FULL-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX.

- listenport
  By default, FlowTraq Server listens on port 9640 for client connections. If you change the listen port number to a privileged port (1024 and below), make sure that the FlowTraq Server process runs with administrative privileges.

- sessiontables/conntracksize
  Flow data is unidirectional, meaning that the two sides of a conversation are reported independently. For example, if client A requests a webpage from server B, then the flow export data will report separately on the traffic flowing from A to B and from B to A. FlowTraq Server is capable of re-assembling this into a full session record where both sides are put together again. This is done in the connection tracking engine. The number of slots in this engine determines how many concurrent connections can be re-assembled by the FlowTraq Server. A good rule of thumb for determining a sensible value for this key can be computed by counting the number of actively used systems on your network and multiplying that by 400. Another approach is to monitor the number of flows per hour on a busy day, and use the peak number as your value for this key. Each record occupies about 220 bytes of RAM. The value reflects the number of slots allocated, not the amount of memory occupied; multiply by 220 to get the required RAM size. The default value is conservative. Consider increasing this value if RAM is available.

- sessiontables/memcachesize
  The memory cache in FlowTraq Server caches the most recent flow records in RAM. This allows queries for recent timeframes to run very quickly, as they do not need to retrieve records from the disk database. In general, the larger this cache is, the farther back in time queries can be serviced from RAM without reading from disk. Each record occupies about 160 bytes of memory. Determine your conntracksize first, before allocating RAM to the memory cache, as records are moved through the connection tracking engine to the memory cache. The value reflects the number of slots allocated, not the amount of memory occupied; multiply by 160 to get the required RAM size. The default value is conservative. Consider increasing this value if RAM is available.

- sessiontables/timeout
  By default, records that are in the active conntrack are moved to the memory cache after about 2 hours (7200 seconds). If you set this value to 0, then the records will stay in the connection tracker until it is full. At that point, the connection tracker will move the least recently updated sessions to the memory cache to make room for new incoming flows. Set any other value to change the default timeout. The value is in seconds. The default value is recommended.

- sessiontables/toolong
  This value controls the breaking up of sessions that are very long-lived into chunks that get stored to disk separately. By default, if a session lasts longer than 8 hours (28800 seconds), then it is split up into multiple records. A flow lasting 24 hours would be stored in 3 session records of 8 hours each. If you don't like this behavior, set this value to 0 to disable it. Breaking very long sessions up into chunks yields a performance increase when queries are serviced from disk. It has no impact on memory-based queries. The default value is recommended.

- sessiontables/resizable
  The session tables consist of the connection tracking table and the memory cache. By default, these two tables can be resized by storing a different value for their keys to the main configuration file and sending a SIGHUP signal to the FlowTraq Server process. Another way to resize these tables is to move the slider in FlowTraq Client's Memory preferences panel. The ability to resize these tables adds flexibility to FlowTraq's configuration, especially if you are still tuning your parameters. However, a slight performance increase can be realized by fixing the size of these tables to their values given at startup. To fix their sizes, set the value of this key to no.

- netflow/netflowport
  Typical NetFlow/cFlow/jFlow/IPFIX/NSEL exporters send records to UDP/2055, UDP/9666, and/or UDP/9996. FlowTraq Server opens these three ports for collecting incoming datagrams. Each port gets its own input buffer and processing thread. This means that powerful servers under heavy flow load can benefit from opening more ports and configuring exporters to send flows to the alternative ports. Doing this effectively spreads the load and prevents flow packets being dropped. In most scenarios this will be unnecessary. You may enter up to 8 space-separated ports in this list. These ports will handle NetFlow v1/v5/v7/v9, cFlow, jFlow, IPFIX, and NSEL.

- netflow/ipfixtcpport
  IPFIX exporters can use TCP as the transport protocol. In this case the exporter connects to the FlowTraq server on the given TCP port to transport the IPFIX records. Similar to the UDP NetFlow configuration, opening multiple ports and distributing multiple exporters among them will spread the CPU load over multiple threads, reducing congestion in busy networks.

- netflow/ignoreoldnetflows
  Some NetFlow exporters suffer from heavy time skew. This often happens if the system clocks of the exporters are not properly set. FlowTraq Server attempts to correct for this. This can be done accurately because the exporters include their sense of the correct time in each NetFlow packet. If the clock of the exporters is set correctly, but the included flow records appear very old, FlowTraq tries to correctly fit them into the history. This may happen, for instance, if you are using old PCAP files as the input source of your flows. By default, this behavior is enabled. If you want to prevent FlowTraq from accepting "old" flow records, then set this value to no.

- sflow/sflowport
  By default, FlowTraq Server listens on port UDP/6343 for incoming sFlow packets. Similarly to the netflowport, you can enter multiple space-separated port numbers here to make FlowTraq Server listen on different or additional ports for sFlow datagrams. You may enter up to 4 ports in this list. These ports will handle sFlow v2/v4/v5.

- storage/storageinterval
  FlowTraq Server continually tries to store new and updated records in the connection tracking table to the disk database. This is done in a round-robin style. After a pass through the connection tracker, the storage thread will take a brief pause of 5 seconds (by default). This allows systems with heavy I/O load to speed up queries that are serviced from the disk database. Systems under heavy flow load (over 20 million flows per hour) may benefit from setting this parameter to a value as low as 1, while systems with light flow load (up to 4 million flows per hour) can safely set this parameter to values as high as 60. Similarly, if you have very little RAM available, use a lower value, while if you have lots of RAM and a large conntracksize value, you can gain disk I/O performance by setting this value higher. In most situations this value does not need tuning.

- storage/databasepath
  This is the location of the disk sessions database. FlowTraq Server will build a hierarchy of files in this directory as flows are received.

  Caution: It is not possible to change storage/databasepath while FlowTraq Server is running. You must shut down FlowTraq Server before you can change storage/databasepath.

- storage/segmentcount
  The storage/segmentcount key sets the number of disk segments the on-disk session database is divided into. This key, together with storage/segmentsize (the number of session records stored in each disk segment), determines the overall size of the session database. Each session record occupies about 200 bytes, so the number of bytes that the database will use is approximately segmentcount x segmentsize x 200. FlowTraq uses a custom sequential database with time-based indexing. Records are grouped in segments of a fixed number of records. Each segment corresponds to a file on disk, and the number of segments in this database can have a substantial influence on the duration that disk-based queries will take. Modern filesystems support directories with thousands of files in them, and FlowTraq can take advantage of many files, so it is safe to set the segmentcount in the thousands.

  Tip: If you set the database size via FlowTraq Client's Performance preference panel, storage/segmentcount and storage/segmentsize are set according to a formula.

  Tip: Resizing a database is a gradual process. If you change the maximum size of the database, it will eventually grow or shrink to the new size as new session records arrive.

- storage/segmentsize
  The storage/segmentsize key sets the number of session records stored in each disk segment. This key, together with storage/segmentcount, determines the overall size of the session database. Please see the description for storage/segmentcount for more information on this key.

- userdata/userdatapath
  FlowTraq stores all user settings, reports, and workspace files in a separate directory. By default this directory is named USERDATA and is created in FlowTraq Server's installation directory. By setting userdatapath, the location of these files can be changed.

  Caution: It is not possible to change storage/userdatapath while FlowTraq Server is running. You must shut down the FlowTraq server before you can change storage/userdatapath.

- userdata/maxsessionkeyage
  The commandline tools included with FlowTraq can establish a persistent session with the FlowTraq server based on pre-authenticated session keys. These keys can be generated with the '-us' option to any commandline tool, and subsequently used to re-authenticate from the same IP address for a short amount of time. The time-out of session keys can be configured with the 'userdata/maxsessionkeyage' key in the server configuration file. The default timeout (in seconds) is 0, disabling the session key functionality. Set it to a positive number to enable it.

- mail/server
  The hostname or IP address of the SMTP server that FlowTraq should use to send e-mail notifications of user-configurable alerts.

- mail/port
  The port of the SMTP server that FlowTraq should use to send e-mail notifications of user-configurable alerts (usually 25).

- mail/from
  The e-mail address from which the alert notifications should appear to be sent.

- debuglevel
  This determines how verbose FlowTraq should be when writing to logfile. In ascending order of verbosity, this key may be set to one of the following values: ALWAYS, CRITICAL, HIGH, MEDIUM, LOW. Be careful when using the more verbose settings such as LOW, as the log file may grow to be very large over time.

- maxclientlatency
  This is the number of seconds that FlowTraq will wait for a client to acknowledge a session download before disconnecting the client. Raw session record downloads (with the GUI, or 'ns2sq') can consume a large amount of network resources, causing other clients to slow down. If a client does not respond to the FlowTraq server in the specified amount of time, the raw session download is cancelled. The default value is 60 seconds. Lower values are recommended for busier systems. Set to 0 to disable this feature.
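As an added example that is not part of FlowTraq, the script below ties the configuration-file format section and the key descriptions above together: it flattens a flowtraq.conf into the section/key path notation used in this manual (e.g. sflow/sflowport) and then checks the limits the descriptions state (querythreads 2 to 20, at most 8 netflowport and 4 sflowport entries, a privileged listenport, the permitted debuglevel values) and prints the sizing estimates they give (about 220 bytes per conntracksize slot, 160 bytes per memcachesize slot, 100MB per querythread, and segmentcount x segmentsize x 200 bytes of disk). The key/value syntax it parses, one whitespace-separated "key value" pair per line with '#' comments and <name> ... </name> sections, is an assumption, since the typical flowtraq.conf is not reproduced on this page; the configuration written by write_sample_conf is constructed to exercise the checks and is not a real installation's file.

```shell
#!/bin/sh
# Added example, not a FlowTraq tool. Assumed syntax: "key value" per line, '#' comments,
# sections delimited by <name> ... </name>. Adjust the parser if your flowtraq.conf differs.

# flatten_conf FILE  ->  one "section/key value" line per key, top-level keys unprefixed.
flatten_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments and blank lines
        /^[ \t]*<\/[A-Za-z0-9_]+>/ { section = ""; next }  # closing tag ends the section
        /^[ \t]*<[A-Za-z0-9_]+>/ {                         # opening tag starts a section
            section = $0
            sub(/^[ \t]*</, "", section); sub(/>.*/, "", section)
            next
        }
        {
            key = $1
            $1 = ""; sub(/^[ \t]+/, "")                    # whatever remains is the value
            print (section == "" ? key : section "/" key), $0
        }
    ' "$1"
}

# lint_conf FILE  ->  warnings for values outside the documented limits, plus RAM/disk
# estimates from the per-record sizes given in the key descriptions. Exit 1 on any warning.
lint_conf() {
    flatten_conf "$1" | awk '
        function warn(msg) { problems++; print "warning: " msg }
        $1 == "querythreads" {
            if ($2 < 2 || $2 > 20) warn("querythreads=" $2 " is outside the supported 2-20 range")
            ram_mb += $2 * 100                             # ~100MB per query thread
        }
        $1 == "listenport" && $2 <= 1024 {
            warn("listenport " $2 " is privileged; the server must run with administrative privileges")
        }
        $1 == "netflow/netflowport" && (NF - 1) > 8 { warn("netflow/netflowport lists " (NF - 1) " ports, maximum is 8") }
        $1 == "sflow/sflowport"     && (NF - 1) > 4 { warn("sflow/sflowport lists " (NF - 1) " ports, maximum is 4") }
        $1 == "sessiontables/conntracksize" { ram_mb += $2 * 220 / 1048576 }  # ~220 bytes per slot
        $1 == "sessiontables/memcachesize"  { ram_mb += $2 * 160 / 1048576 }  # ~160 bytes per slot
        $1 == "storage/segmentcount" { segc = $2 }
        $1 == "storage/segmentsize"  { segs = $2 }
        $1 == "debuglevel" && $2 !~ /^(ALWAYS|CRITICAL|HIGH|MEDIUM|LOW)$/ { warn("unknown debuglevel " $2) }
        END {
            printf "estimated RAM for session tables and query threads: %d MB\n", ram_mb
            printf "estimated disk for session database: %d MB\n", segc * segs * 200 / 1048576
            exit (problems > 0)
        }
    '
}

# Constructed sample (not a real flowtraq.conf); querythreads and sflowport deliberately
# exceed the documented maximums so that lint_conf has something to report.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample configuration
querythreads 25
listenport 9640
debuglevel MEDIUM
<sessiontables>
conntracksize 4000000
memcachesize 8000000
</sessiontables>
<netflow>
netflowport 2055 9666 9996
</netflow>
<sflow>
sflowport 6343 6344 6345 6346 6347
</sflow>
<storage>
segmentcount 4096
segmentsize 1048576
</storage>
EOF
}

# Usage:  write_sample_conf /tmp/flowtraq.conf && lint_conf /tmp/flowtraq.conf
# On a real install:  lint_conf /opt/flowtraq/flowtraq.conf   (path is an assumption)
```

Running lint_conf on the sample reports the two out-of-range keys and estimates roughly 4.5 GB of RAM (2500 MB for the 25 query threads plus about 2 GB for the two session tables) and 800 GB of disk, which makes it easy to see, before a SIGHUP, whether a resize will fit the host.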