LINUX - ipfm NETWORK MONITORING LOGS - IP FLOW METER - ipfm.conf EXAMPLE CONFIG

ipfm is a great program for generating daily and hourly reports of your network traffic. It breaks the traffic down per host, so you can see which hosts moved the most data through the interface that the ipfm machine is listening on:

Example output of a log:

# IPFMv0.11.5 2013/03/28 05:00:00 (UTC) -- dump every 0d01:00:00 -- listening on eth0
# Host                                  In (bytes)    Out (bytes)  Total (bytes)
172.20.18.243                           2539141157        8233657     2547374814
172.20.18.115                              8230231     2539139451     2547369682
172.20.18.155                                    0          18236          18236
172.20.18.215                                    0          17751          17751
172.20.18.247                                   44           9187           9231
172.20.18.119                                    0           3620           3620
172.20.18.255                                 1634              0           1634
172.20.18.49                                     0            112            112
# end of dump 2013/03/28 05:00:00

As you can see, this can be useful. You can have the IP addresses resolved to hostnames if you want.

Anyhow here is how to set it up:

SETUP

(STEP0)
Use PuTTY or Tera Term to log in to your Linux machine

(STEP1)
Update your repositories and install ipfm
apt-get update
apt-get install ipfm

(STEP2)
mv /etc/ipfm.conf /etc/ipfm.conf-bak

(STEP3)
vi /etc/ipfm.conf

(STEP4)
Once inside vim, press the i key to enter insert mode

Copy my config from this page (LOOK BELOW FOR THE /etc/ipfm.conf CONFIG): select all of it and press Ctrl+C to copy it

Left click once in the shell (PuTTY, Tera Term, whatever) where vim is open

Right click once in the shell: the right click pastes the copied text

Make sure it all went in, then change my local subnet to match yours (everywhere you see 172.20.18.0/255.255.255.0, change it to your own network)

Once it's all in there, hit ESCAPE

Type :wq! and press Enter to save and exit (that is SHIFT+; to get the :, then the w key, then the q key, then SHIFT+1 to get the !)

(STEP5)
Start the program
ipfm

-Note: ipfm installs itself as a service that starts at boot. The reason we start it by hand here is that the config file put in place by the installation contains "DISABLE", so the service did nothing when it started; my config leaves that line out, which is what "enables" it. As a side note, ipfm has no ENABLE command, only a DISABLE command.
    In future to stop ipfm:
                /etc/init.d/ipfm stop
                (or)
                service ipfm stop
                (or)
                killall ipfm
    In future to start ipfm:
                /etc/init.d/ipfm start
                (or)
                service ipfm start
                (or)
                ipfm
                (or)
                Reboot the system

(STEP6)
That's it. Now to view your logs: they build up daily in /var/log/ipfm, so go there and cat/read through them
cd /var/log/ipfm
ls
cat subnet-27-Mar-of-2013-at-05-00-hourly
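If you would rather read the dumps with a script than by eye, here is an added example of my own (it is not from the original post or from the ipfm project): a POSIX shell script whose awk one-liners parse a dump in the format shown at the top of the page, skip the "#" header and footer lines, and answer the questions you usually have about an hourly file: which host moved the most data, how many bytes went through in total, whether every row's In + Out adds up to its Total (a quick integrity check on the file), and which hosts crossed a byte threshold. The dump embedded in IPFM_SAMPLE is constructed to mirror the sample output above; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: parse an ipfm dump file with awk.
# IPFM_SAMPLE is a constructed dump that mirrors the sample output shown earlier;
# on a real box you would feed "cat /var/log/ipfm/<file>" into ipfm_rows instead.

IPFM_SAMPLE='# IPFMv0.11.5 2013/03/28 05:00:00 (UTC) -- dump every 0d01:00:00 -- listening on eth0
# Host                                  In (bytes)    Out (bytes)  Total (bytes)
172.20.18.243                           2539141157        8233657     2547374814
172.20.18.115                              8230231     2539139451     2547369682
172.20.18.155                                    0          18236          18236
172.20.18.255                                 1634              0           1634
# end of dump 2013/03/28 05:00:00'

# Emit "host in out total" for each data row; lines starting with "#" are the
# dump header and the "end of dump" footer, so they are skipped.
ipfm_rows() {
    printf '%s\n' "$IPFM_SAMPLE" | awk '$1 !~ /^#/ && NF == 4 { print $1, $2, $3, $4 }'
}

# Host with the largest Total column. SORT TOTAL already puts it first in the
# file, but this works regardless of the sort order the log was dumped with.
ipfm_top_host() {
    ipfm_rows | awk '$4 > max { max = $4; host = $1 } END { print host }'
}

# Sum of the Total column over all hosts. %.0f avoids 32-bit overflow in some awks.
ipfm_sum_total() {
    ipfm_rows | awk '{ s += $4 } END { printf "%.0f\n", s }'
}

# Count rows where In + Out != Total; anything but 0 means a truncated or damaged dump.
ipfm_bad_rows() {
    ipfm_rows | awk '$2 + $3 != $4 { n++ } END { printf "%d\n", n + 0 }'
}

# Hosts whose Total exceeds a byte threshold, e.g. to flag an unusually large
# transfer in the hourly file. Usage: ipfm_over_threshold 1000000
ipfm_over_threshold() {
    ipfm_rows | awk -v limit="$1" '$4 > limit { print $1 }'
}

# Stand-alone run: print a short summary of the embedded dump.
echo "top host:  $(ipfm_top_host)"
echo "total:     $(ipfm_sum_total) bytes"
echo "bad rows:  $(ipfm_bad_rows)"
echo "over 1 MB: $(ipfm_over_threshold 1000000 | tr '\n' ' ')"
```

To point it at a real file, replace the printf in ipfm_rows with "cat /var/log/ipfm/<file>"; the rest of the functions only ever see the four-column rows, so they work the same for the subnet and the global logs.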


MY CONFIG THAT DOES ALMOST EVERYTHING

### IPFM Sample Config File by Kossboss 3-27-2013
### MORE INFO ON "IPFM" AND ITS CONFIG FILE "IPFM.CONF" FOUND HERE:
### =============================================
### SIDE NOTE: To view these without the lengthy comments "cat /etc/ipfm.conf | grep ^[^#]"
### SIDE NOTE: You can do that technique to extract out the important stuff from linux config
### SIDE NOTE: "cat configfile | grep ^[^#\;]" This considers lines starting with # and ; as comments
### =============================================
### This config file logs traffic in and out of my linux server 
### It logs globally (all traffic) and local traffic only
### =============================================
### I have 2 sub-versions: Resolved logs and Non-Resolved logs
### the traffic numbers in them should match between Resolved and Non-Resolved logs
### The only difference will be in how the hosts are represented: IP or Hostname
### =============================================
### I then have 2 subversions again splitting it into Hourly and Daily Logs
### Hourly logs reset their traffic counters back to zero every hour
### Daily logs reset their traffic counters back to zero each day
### =============================================
### The naming scheme I chose was that files of the same type come up close together for a certain time
### For example the global logs at 3pm:
### global-[however-3pm is represented]-daily
### global-[however-3pm is represented]-daily-R
### global-[however-3pm is represented]-hourly
### global-[however-3pm is represented]-hourly-R
### The R stands for resolved names
### =============================================

### SECTIONS SPLIT INTO VARIABLES AND GLOBAL VARIABLES

### Here are the GLOBAL VARIABLES - IPFM can only monitor one interface when running so I picked my main one eth0
### To find your main interface run "ifconfig" - The "UTC" means I want the time in UTC - the other option is "local"

DEVICE eth0
LOCAL

# BREAK DOWN OF MY LOGGING SCHEME:
# the subnet logs are strictly only for the logs within this 172.20.18.x subnet
# the BOTH in the subnet logs means both the source and the destination address must be 172.20.18.x
# the global logs just log everything with no restriction on where a packet goes to and from
# the daily ones clear their numbers daily
# the hourly ones clear their numbers hourly
# the logs get dumped every hour
# everything in the end result is sorted by total
# I'm going to have 2 versions of the logs: resolved names and non-resolved names

### EVERY NEW LOG BEGINS WITH NEWLOG - INSIDE IT ARE THE LOCAL VARIABLES THAT ONLY AFFECT THAT LOG
### THE WORD "LOG" BY ITSELF LOGS EVERYTHING, WITH OPTIONS IT CAN LOG ONLY SELECT SUBNETS OR IPS
### "DUMP" SPECIFIES WHEN TO CREATE THE FILE WITH FILENAME "FILENAME"
### "CLEAR" SPECIFIES WHEN TO CLEAR THE LOG COUNTERS
### "SORT" SPECIFIES HOW TO SORT BY INBOUND or OUTBOUND or TOTAL TRAFFIC NUMBERS
### "RESOLVE" MAKES IT DO REVERSE DNS AND RESOLVE THE HOST NAME WHEN IT DUMPS THE FILES

# NON-RESOLVED NAMES

NEWLOG
LOG
DUMP EVERY 1 hour
CLEAR EVERY 1 day
SORT TOTAL
FILENAME "/var/log/ipfm/global-%d-%b-of-%Y-at-%H-%M-daily"

NEWLOG
LOG
DUMP EVERY 1 hour
CLEAR EVERY 1 hour
SORT TOTAL
FILENAME "/var/log/ipfm/global-%d-%b-of-%Y-at-%H-%M-hourly"

NEWLOG
LOG BOTH 172.20.18.0/255.255.255.0
DUMP EVERY 1 hour
CLEAR EVERY 1 day
SORT TOTAL
FILENAME "/var/log/ipfm/subnet-%d-%b-of-%Y-at-%H-%M-daily"

NEWLOG
LOG BOTH 172.20.18.0/255.255.255.0
DUMP EVERY 1 hour
CLEAR EVERY 1 hour
SORT TOTAL
FILENAME "/var/log/ipfm/subnet-%d-%b-of-%Y-at-%H-%M-hourly"

# RESOLVED NAMES - Note the reverse DNS slows everything down but it's okay

NEWLOG
LOG
DUMP EVERY 1 hour
CLEAR EVERY 1 day
SORT TOTAL
FILENAME "/var/log/ipfm/global-%d-%b-of-%Y-at-%H-%M-daily-R"
RESOLVE

NEWLOG
LOG
DUMP EVERY 1 hour
CLEAR EVERY 1 hour
SORT TOTAL
FILENAME "/var/log/ipfm/global-%d-%b-of-%Y-at-%H-%M-hourly-R"
RESOLVE

NEWLOG
LOG BOTH 172.20.18.0/255.255.255.0
DUMP EVERY 1 hour
CLEAR EVERY 1 day
SORT TOTAL
FILENAME "/var/log/ipfm/subnet-%d-%b-of-%Y-at-%H-%M-daily-R"
RESOLVE

NEWLOG
LOG BOTH 172.20.18.0/255.255.255.0
DUMP EVERY 1 hour
CLEAR EVERY 1 hour
SORT TOTAL
FILENAME "/var/log/ipfm/subnet-%d-%b-of-%Y-at-%H-%M-hourly-R"
RESOLVE
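Before restarting the service on a config like the one above, it is worth running a quick sanity check on it, because the two mistakes that bite most often are silent: a "DISABLE" line left over from the packaged default config (STEP5 above) and a NEWLOG block that is missing its FILENAME or LOG line. Here is an added example of my own (not from the original post or from ipfm itself) that uses the same "grep ^[^#\;]" comment-stripping trick from the config header and then walks each NEWLOG block with awk. The two config snippets embedded in it are constructed, one good and one with all three problems; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-flight check for ipfm.conf.
# It strips comment lines the way the "grep ^[^#\;]" trick in the config header
# does, then walks every NEWLOG block and reports the mistakes that make ipfm
# quietly do nothing: a DISABLE keyword left over from the packaged default
# config, a NEWLOG block with no LOG line (nothing is counted) or no FILENAME
# (nothing is dumped). The two configs below are constructed; run
# "ipfm_check < /etc/ipfm.conf" against the real file.

CONF_OK='DEVICE eth0
### a comment line
NEWLOG
LOG
DUMP EVERY 1 hour
CLEAR EVERY 1 hour
SORT TOTAL
FILENAME "/var/log/ipfm/global-%d-%b-of-%Y-at-%H-%M-hourly"'

CONF_BAD='DEVICE eth0
DISABLE
; a comment in the other style
NEWLOG
LOG BOTH 172.20.18.0/255.255.255.0
DUMP EVERY 1 hour
NEWLOG
DUMP EVERY 1 hour
FILENAME "/var/log/ipfm/subnet-%d-%b-of-%Y-at-%H-%M-hourly"'

# Keep only lines that do not start with "#" or ";" (blank lines drop out too).
ipfm_strip_comments() {
    grep '^[^#;]'
}

# Read a config on stdin, print one problem per line, exit 1 if any were found.
ipfm_check() {
    ipfm_strip_comments | awk '
        function flush() {
            if (!inlog) return
            if (!haslog)  { print "NEWLOG block " n ": no LOG line, nothing will be counted"; problems++ }
            if (!hasfile) { print "NEWLOG block " n ": no FILENAME, nothing will be dumped"; problems++ }
        }
        $1 == "DISABLE"  { print "DISABLE present: ipfm will not run"; problems++ }
        $1 == "NEWLOG"   { flush(); inlog = 1; n++; haslog = 0; hasfile = 0; next }
        $1 == "LOG"      { haslog = 1 }
        $1 == "FILENAME" { hasfile = 1 }
        END { flush(); exit (problems ? 1 : 0) }
    '
}

# Stand-alone run: the first config passes, the second reports three problems.
printf '%s\n' "$CONF_OK"  | ipfm_check && echo "CONF_OK: no problems"
printf '%s\n' "$CONF_BAD" | ipfm_check || echo "CONF_BAD: problems found"
```

The exit status is what you want in a script: "ipfm_check < /etc/ipfm.conf && service ipfm restart" only restarts when the file passes.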
