The Configure page is used to divide the network into administrative groups and to set policies.
Topics:
- I am setting up the product for the first time, how do I get started?
- What configuration settings are available?
- What are the site settings?
- How do I set the software key?
- How do I edit groupings?
- How do I set thresholds?
- How do I change SNMP settings?
- How do I change sampling settings?
- How can I backup the configuration?
- Can I change the names associated with protocols?
- How do I ensure that clients and servers are correctly identified?
- How can I group similar protocols together?
- How do I control the length of history and disk space used to store history?
- How can I get events sent by email, RSS, SNMP traps or logged using syslog?
- Are there any other configuration settings available?
I am setting up the product for the first time, how do I get started?
Step by step instructions for configuring Traffic Sentinel are provided in Tutorial: Configuring Traffic Sentinel.
What configuration settings are available?
The Traffic Sentinel configuration allows you to tell the server what to monitor and what settings to apply. Configuration settings include:
- How to divide up the network into a hierarchy of zones and groups to reflect your internal administrative domains.
- Where to find the switch and router agents, and talk to them with SNMP.
- What are the end-host subnets that make up the local IP address space on your network.
- What thresholds to apply, so that events are raised on excessive load conditions, or high error rates.
- What sampling rates to use for different link speeds (where sampling is configured automatically via SNMP).
The configuration is represented as an XML document on the server. You can choose to view and edit the XML directly, or you can use the graphical editor provided. In the Options pane you can select:
- Show to see a formatted representation of the current configuration.
- Edit to use the graphical editor to make changes.
- XML to download the XML configuration file, and upload it again after making your changes.
The configuration is represented as a hierarchical tree-structure:
- enterprise
  - site
    - zone
      - group
        - CIDR
        - CIDR (IPv6)
        - agent-range
        - agent
          - interface
      - group
    - zone
  - site
Note: the term CIDR (Classless Inter-domain Routing) is used here to mean any IP subnet expressed in the form: address/mask-bits.
The enterprise and site levels are fixed, because one server is always responsible for just one site (even if this particular "site" spans several locations). The zone and group levels are abstract. There is no limit on how many can be defined, and they can be given any name. A common convention is to use zones to represent distinct locations, with groups being used to describe separate buildings or floors. It is also common to separate out the network core from the edge. A typical setup will divide the network into about ten zones. Within a zone, each group can be a collection of CIDRs to describe the end-host space, agents to identify individual switches or routers, and agent-ranges to identify a range of addresses where switches or routers can be found. Specifying an interface is only ever needed if you want to override a setting just for that interface.
Note: this structure allows end-hosts and the devices that connect them to be logically grouped together, even if there is no overlap in the address space.
In addition to separating the address space and agents into a navigable tree, this structure also allows additional threshold, SNMP and sampling settings to be attached to the tree at any level. For example, a threshold setting applied to a zone will apply to all the interfaces that fall into that zone, unless the same threshold setting is overridden for a specific group, agent or interface.
What are the site settings?
The site settings include the software key and license number, and contact information for the server administrator. Settings can be changed on the Sentinel: File>Configure>Edit page by clicking on the Edit Site link. The following settings are available:
- Enterprise Name, the name of the company or organization that owns the network being monitored.
- Site Name, the name of the campus or city containing the devices being monitored.
- Server, the hostname of the server. This name cannot be changed from within Traffic Sentinel. Consult the documentation for the server operating system if you need to change the hostname. Note: the software key is tied to the hostname, so changing it will require a new key.
- Serial Number, the serial number associated with the software license. This must be the serial number provided with the software key.
- Software Key, the key used to unlock the software. The key is tied to a particular hostname and serial number. If you need to change the hostname then a new key will be required.
- Contact Name, the name of the person responsible for this server.
- Contact Location, the mailstop, address or building where the contact person can be reached.
- Contact Phone, the contact person's phone number.
- Days of Historical Data, the number of days to retain data.
- Mbytes of Free Disk Space, data will be automatically deleted (oldest first) if the disk partition fills up.
How do I set the software key?
The software key is set as part of the site settings. You can change the software key on the Sentinel: File>Configure>Edit page by clicking on the Edit Site link. You will need to set both the Software Key and the Serial Number. The software key is tied to the Server name. If the key doesn't match the server name then it will not be accepted.
If the software key is rejected you may get one of the following error messages:
- Bad key format, check to see that you have copied the key correctly.
- Bad server name or serial number, check to see if the Serial Number and Server name exactly match the values that were provided with your key. If the Server name does not match then you will need to change the hostname or request a new key. For information on changing the host name, see the FAQ entry How can I change the hostname to match the software key?
- Bad server time - check clock, the key is valid for a specific time interval. If your system clock is not set then the key will not be accepted.
- Expired, the key has expired and can no longer be used.
- CPU count exceeded, the server has more CPUs than the key allows.
How do I edit groupings?
You can change groupings from the Sentinel: File>Configure>Edit page by clicking one of the Groupings links (Edit Zones, Edit Groups, Edit CIDRs, Edit Agent Ranges, Edit Agents or Edit Interfaces). Groupings are constructed hierarchically: you must define zones before you can add groups to them. You must define groups before you can add CIDRs, Agent Ranges or Agents. You must define an Agent before you can add an Interface.
To edit groupings you can either click on the grouping name in the navigation bar at the top of the page, or click on the grouping option on the Index page. You will be presented with a list of groupings of the selected type. Click on the Edit button to modify a grouping, click on the Remove button to remove a grouping (and all the items it contains), or click on the New button to define a new group.
When editing a group, click on any of the Edit buttons to edit sub-groups and settings.
Depending on the type of group you are editing, additional settings may be available:
CIDR
CIDRs are used to associate end-hosts with a Group. A CIDR is specified by an Address and the number of Mask Bits associated with the subnet mask. These do not have to match the subnets used by your routers, and they may overlap with each other too. For example, you might create a group "all" with the CIDR "128.141.0.0/16" in it, and then a separate group with the smaller CIDR "128.141.122.0/24". When assigning addresses to groups, the smallest enclosing CIDR is used. Grouping hosts in this way is useful when defining security rules (see Signatures>Configure), or when displaying traffic (see Traffic>Circles).
- Group, the group where this CIDR will appear.
- Address, the IP address.
- Mask Bits, the number of mask bits to apply.
CIDR (IPv6)
IPv6 CIDRs are used to associate IPv6 hosts with a Group (see CIDR above).
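The smallest-enclosing-CIDR rule described above, as an added example (not Traffic Sentinel code). The group name "building-122" and the IPv6 prefixes are constructed for illustration; the two IPv4 CIDRs are the ones from the text.

```python
import ipaddress

def build_index(entries):
    """entries: (cidr, group) pairs, e.g. read from the CIDR groupings.

    strict=False accepts an Address with host bits set, such as 128.141.122.1/24.
    """
    return [(ipaddress.ip_network(cidr, strict=False), group)
            for cidr, group in entries]

def group_for(address, index):
    """Return the group of the smallest enclosing CIDR, or None if none encloses it.

    'Smallest' means the longest prefix. If two groups hold the same CIDR the
    first one listed wins (an assumption; the page does not cover that case).
    """
    addr = ipaddress.ip_address(address)
    best = None
    for net, group in index:
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, group)
    return best[1] if best else None

def ungrouped(addresses, index):
    """Addresses that fall outside every configured CIDR (no group assigned)."""
    return [a for a in addresses if group_for(a, index) is None]

# Constructed configuration: overlapping IPv4 and IPv6 CIDRs.
INDEX = build_index([
    ("128.141.0.0/16", "all"),
    ("128.141.122.0/24", "building-122"),
    ("2001:db8::/32", "all"),
    ("2001:db8:122::/48", "building-122"),
])

if __name__ == "__main__":
    for host in ["128.141.122.7", "128.141.5.1", "2001:db8:122::1", "10.0.0.1"]:
        print(host, "->", group_for(host, INDEX))
```

Running `ungrouped()` over the hosts seen in traffic is a quick way to find addresses that no CIDR covers and that therefore fall outside any group-based rule.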
Agent Range
An agent range describes a range of IP addresses that contain network devices to monitor.
- First Address, the first address in the range.
- Last Address, the last address in the range.
- Scan, indicates whether to search through this range looking for devices that can be configured to send sFlow using SNMP. The scan will happen automatically every night, but if you want your changes to take effect immediately you can initiate a new scan on the File>Control page.
- Override Control, this setting also relates to configuration using the sFlow MIB. If Override Control is set to Override then Traffic Sentinel will add itself as a monitoring receiver, even if that means taking over from another application.
- Enable, can be set to Disable to explicitly avoid discovering agents in this range, and to turn off monitoring on any agent in that range that might have been discovered before.
Agent Range (IPv6)
IPv6 agent ranges are used to describe a range of IPv6 addresses (see Agent Range above).
Agent
A network device to monitor (identified by its IP address).
- Group, the group where this agent will appear.
- Address. This is the address that will be used to communicate with the device's SNMP Agent.
- Override Control see Agent Range above.
- Enable see Agent Range above.
Agent (IPv6)
IPv6 agents are identified by an IPv6 address (see Agent above).
Interface
Interfaces only need to be specified if particular settings are to be applied to the interface, such as custom thresholds. Otherwise interfaces will be automatically discovered.
- Agent, the device whose interface is being specified.
- IfIndex, the MIB-II ifIndex number of the interface.
How do I set thresholds?
You can edit thresholds from the Sentinel: File>Configure>Edit page by clicking the Edit Threshold Settings or Edit Host Threshold Settings link. The two options apply thresholds to interface counters or host performance counters respectively.
Specify the Metric and a Limit, or value of the metric that will trigger the threshold. The Minutes over Threshold and Total Minutes settings are used to specify a duration over which the metric must exceed the limit before an alert is generated. For example, if Minutes over Limit was set to 5 and Total Minutes was set to 10 then an alert would result if the limit were exceeded 5 minutes in any 10 minute interval.
The Min. ifSpeed and Max. ifSpeed are used to limit the scope of the threshold to only links with particular speeds. The threshold will only be applied to interfaces that fall in the specified speed range. This allows different threshold settings to be applied depending on the interface speed.
Finally, the Enable flag can be used to Disable or Enable a particular threshold.
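The "5 minutes in any 10 minute interval" rule above, as an added example (not Traffic Sentinel code). It assumes one metric value per minute; the sample series are constructed, and `alert_starts` is one way to de-duplicate the result, not a statement of how the product reports events.

```python
from collections import deque

def minutes_in_alert(samples, limit, minutes_over, total_minutes):
    """Return the indices of the minutes at which the threshold condition holds.

    samples: one metric value per minute, oldest first.
    The condition holds when at least `minutes_over` of the most recent
    `total_minutes` samples exceed `limit`.
    """
    window = deque(maxlen=total_minutes)   # 1 = over the limit, 0 = not
    over = 0                               # running count of 1s in the window
    hits = []
    for minute, value in enumerate(samples):
        if len(window) == total_minutes:
            over -= window[0]              # oldest flag is about to drop out
        flag = 1 if value > limit else 0
        window.append(flag)
        over += flag
        if over >= minutes_over:
            hits.append(minute)
    return hits

def alert_starts(hits):
    """Collapse runs of consecutive minutes into the minute each run began."""
    return [m for i, m in enumerate(hits) if i == 0 or hits[i - 1] != m - 1]

# Constructed per-minute utilisation (%) for one interface; Limit = 80.
SUSTAINED = [90, 95, 60, 85, 70, 92, 91, 40, 30, 20, 10, 10, 10, 10, 10]
SPIKE = [90, 95, 92, 91, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10]

if __name__ == "__main__":
    print(minutes_in_alert(SUSTAINED, 80, 5, 10))  # intermittent but sustained load
    print(minutes_in_alert(SPIKE, 80, 5, 10))      # 4-minute burst stays below 5
```

The second series shows why the two settings matter: a four-minute burst never reaches 5 minutes over the limit in any 10 minute interval, so no alert results.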
How do I change SNMP settings?
You can edit SNMP settings from the Sentinel: File>Configure>Edit page by clicking the Edit SNMP Settings link.
An SNMP setting controls how the server will use SNMP to talk to the agents. The Read Community is used when scanning for agents in an Address Range. It is also used when polling counters or reading agent configuration. The Write Community is used when performing SNMP-SET operations. If a Write Community is not provided, the Read Community will be used for both GET and SET operations. Finally, the Enable flag can be used to Disable or Enable SNMP access to agents. SNMP is used to get interface names, agent information, and to poll counters from non-sFlow devices. Disabling SNMP is only recommended in situations where there is no interest in managing the device.
The settings User, Auth. Protocol, Auth. Password, Priv. Protocol, and Priv. Password are only necessary if SNMPv3 is used. Omit the Auth. Password if you don't want to use authentication. Omit the Priv. Password if you don't want to use privacy.
How do I change sampling settings?
You can edit sampling settings from the Sentinel: File>Configure>Edit page by clicking the Edit Sampling Settings link.
The sampling setting specifies the packet sampling rate that will be used when configuring an agent using the sFlow (or XRMON) MIB. The Sampling Rate determines the fraction of packets sampled. For example, a value of 100 would mean that, on average, 1 in every 100 packets would be sampled. The Min. ifSpeed and Max. ifSpeed settings allow different sampling rates to be set for interfaces depending on their speeds. An interface will match the first entry for which the condition Min <= ifSpeed < Max is satisfied. Generally, larger Sampling Rate settings are used for faster interfaces. The default settings are usually adequate and provide a useful guide when manually configuring sampling using the CLI.
If sFlow has been configured on the agent using its CLI then this parameter will have no effect. The sampling rate configured on the agent will be adopted and will override any setting made here.
Similarly, if the agent is sending IPFIX or NetFlow flow records, then the packet sampling rate being used on the agent will usually be indicated in a field in the data packets. In that case also, the sampling rate configured on the agent will be adopted.
However if the NetFlow/IPFIX agent does not indicate that any packet sampling has been applied on the agent, then the sampling rate setting configured here will be applied. It is applied so that the results are equivalent to that packet sampling rate being applied on the agent prior to the flow-cache.
Finally, if the agent is using packet sampling but is not indicating that sampling rate in the data packets, then you must specify the Pre-Sampled Rate to match the sampling rate that you know is being used on the agent. Otherwise the results will be undercounted by that factor.
How can I backup the configuration?
You can download the configuration file from the Sentinel: File>Configure>XML page. Click on the Download link and save a copy of the configuration file. You can reinstall this file by entering its path in the Install XML Configuration File box and clicking Submit.
Can I change the names associated with protocols?
The file /usr/local/inmsf/etc/config/protocols.txt contains names for well known protocol numbers.
You can view or change the protocols.txt file on the Sentinel:File>Logs page.
How do I ensure that clients and servers are correctly identified?
The file /usr/local/inmsf/etc/config/protocolPriorities.txt controls the priority ordering of TCP and UDP ports. It is used to determine which end of a connection was the client and which was the server. When comparing the source and destination port numbers in a flow, the port with the higher priority (the one appearing earlier in the list) is assumed to be the server port.
You can view or change the protocolPriorities.txt file on the Sentinel:File>Logs page.
How can I group similar protocols together?
The file /usr/local/inmsf/etc/config/protocolGroups.txt is used to classify and name groups of protocols. The format of each line is:
name,protocol,port-range,[,port-range...]
The semicolon character ";" is used to indicate a comment.
You can view or change the protocolGroups.txt file on the Sentinel:File>Logs page.
How do I control the length of history and disk space used to store history?
Two parameters: Days of History Data and Mbytes of Free Disk Space are used to manage data retention. These parameters are set in the Site Settings form.
How can I get events sent by email, RSS, SNMP traps or logged using syslog?
Any events that appear under Sentinel: Events>List can be forwarded via:
- RSS feed
- system log
- SNMP trap
To use the RSS feed, simply select the event list that you want to follow, then click the button.
The other event forwarding options are configured on the Sentinel: File>Forwarding page.
Are there any other configuration settings available?
Each line in the configuration text file /usr/local/inmsf/etc/config/global.prefs has the format:
variable = value
with the semicolon character ';' being used to indicate comment fields.
You can view or change the global.prefs settings using the Sentinel:File>Logs page.
These settings are only read when a process starts. Some processes run continuously, so they may have to be restarted before a new setting can take effect. The Sentinel: File>Control page allows either the data collection or the web server processes to be restarted. In the table below, the "Restart" column indicates which restart (if any) is required:
Setting | Default Value | Description | Restart |
---|---|---|---|
dns.localsuffix | <not set> | If set to ".mycompany.com" then DNS names with this suffix will be displayed in their short form (with this suffix removed). | web server |
SNMPCounterPollInterval | 30 (seconds) | Unless overridden in the XML configuration file, this is the polling interval used to poll interface counters from an agent via SNMP. | data collection and web server |
SFlowSamplePort | 6343 | UDP port to listen on for sFlow® | data collection and web server |
IPFIXPort | 4739 | UDP port to listen on for IPFIX | data collection and web server |
NetFlowPort | 9985 | UDP port to listen on for NetFlow™ (version 1,5,7 or 9) | data collection and web server |
SFlowMIBSamplePort | 26343 | UDP port used for sFlow MIB data (configured automatically via SNMP) | data collection and web server |
XRMONSamplePort | 19985 | UDP port used for Hewlett Packard XRMON data (configured automatically via SNMP) | data collection and web server |
session.timeout | 1800 (seconds) | If your session is idle for this long, then it will terminate and you will have to log in again. | |
chart.topn.color.<n> | | Default colors to use for data series in Top N and Circles charts, n=0 is first data series. | web server |
chart.trend.color.<n> | | Default colors to use for data series in Trend charts, n=0 is first data series. | web server |
report.readurl.protocol.http | YES | Set to NO to disable report script access to URLs starting with "http". | web server |
report.readurl.protocol.https | YES | Set to NO to disable report script access to URLs starting with "https". | web server |
report.readurl.protocol.file | NO | Set to YES to allow report script access to URLs starting with "file". | web server |
report.readurl.protocol.file.path | <not set> | If set to a directory path, then only files within that path can be read. | web server |
report.write.allow | NO | Set to YES to allow report scripts to write files. | web server |
report.write.path | <not set> | If set to a directory path, then only files within that path can be written. | web server |
report.runcmd.allow | NO | Set to YES to allow report scripts to run shell commands. | web server |
report.clifunctions.allow | NO | Set to YES to allow report scripts to run all CLI privilege level commands. | web server |
report.chart.<type>.alpha | 1.0 | Default chart transparency. | web server |
report.chart.<type>.threeD | NO | Default chart 3d appearance. | web server |
report.chart.<type>.backgroundColor | white | Default chart background color. | web server |
report.chart.<type>.plotColor | light_gray | Default chart plot area color. | web server |
report.chart.<type>.axisColor | black | Default chart axis color. | web server |
report.chart.<type>.tickmarkColor | dark_gray | Default chart axis tick mark color. | web server |
report.chart.<type>.gridColor | white | Default chart grid color. | web server |
report.chart.<type>.height | 300 | Default chart height. | web server |
report.chart.<type>.width | trend=800,default=400 | Default chart width. | web server |
report.chart.trend.step | NO | Default appearance of trend lines. | web server |
report.chart.color.<n> | | Default colors to use for data series, n=0 is first data series. | web server |
report.chart.format | png | Image encoding for charts, options are png, gif or jpeg. | web server |
mail.chart.format | <not set> | Override report.chart.format setting for emailed reports. | web server |
mailfrom | <user@server> | Override from address for emailed events and reports. | web server |
event.url.host | <not set> | Override the hostname in URLs linking back to Traffic Sentinel | web server |
event.url.scheme | http | Set the scheme in URLs linking back to Traffic Sentinel | web server |
event.url.port | <not set> | Override the port in URLs linking back to Traffic Sentinel | web server |
interface.name | ifName | Controls how interfaces are named. Valid settings are ifName, ifAlias, ifDescr or ifIndex (or a comma separated list of these in order of preference). | web server |
agent.name | sysName | Controls how agents are named. Valid settings are sysName, DNS, or IP. | data collection and web server |
link.agent.label.0 | <not set> | Specify the name of a link to be added to the Search > Agent/Interface page. | web server |
link.agent.url.0 | <not set> | Specify a link to be added to the Search > Agent/Interface page. The token {0} in the URL string will be replaced by the agent IP address. | web server |
link.interface.label.0 | <not set> | Specify the name of a link to be added to the Search > Agent/Interface page. | web server |
link.interface.url.0 | <not set> | Specify a link to be added to the Search > Agent/Interface page. The token {0} in the URL string will be replaced by the agent IP address and the token {1} will be replaced by the ifIndex. | web server |
link.host.ipv4.label.0 | <not set> | Specify the name of a link to be added to the Search > Host page. | web server |
link.host.ipv4.url.0 | <not set> | Specify a link to be added to the Search > Host page. The token {0} in the URL string will be replaced by the host IP address. | web server |
link.host.ipv6.label.0 | <not set> | Specify the name of a link to be added to the Search > Host page. | web server |
link.host.ipv6.url.0 | <not set> | Specify a link to be added to the Search > Host page. The token {0} in the URL string will be replaced by the host IPv6 address. | web server |
link.host.mac.label.0 | <not set> | Specify the name of a link to be added to the Search > Host page. | web server |
link.host.mac.url.0 | <not set> | Specify a link to be added to the Search > Host page. The token {0} in the URL string will be replaced by the host MAC address. | web server |
link.protocol.label.0 | <not set> | Specify the name of a link to be added to the Search > Protocol page. | web server |
link.protocol.url.0 | <not set> | Specify a link to be added to the Search > Protocol page. The token {0} in the URL string will be replaced by the protocol and the {1} token will be replaced by the port number. | web server |
report.snmp.allow | YES | Allow snmp requests to be made from report templates and scripts. | web server |
search.snmp.allow | YES | Allow snmp requests to be made in Search > Host. | web server |
search.ssh.user | <not set> | Create ssh link in Search>Agent/Interface page using the specified username. | web server |
config.topbuttonthreshold | 20 | Number of items in configuration list before buttons will be displayed on top of form. | web server |
radius.authport | 1812 | Set the UDP port for RADIUS authentication requests. | web server |
radius.timeout | 5 | Number of seconds to wait for a response to a RADIUS request. | web server |
radius.retries | 3 | Number of RADIUS requests to send before giving up on authenticating a user. | web server |
Threshold.exclude.ifType | 1-3,72-116,118-160,162-200 | Thresholds will be ignored for these interface types (e.g. "53,135"). | data collection |
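
An added example (not part of Traffic Sentinel): a small audit of global.prefs text that reports where report scripts have been given more access than the defaults in the table above. It assumes that ';' starts a comment anywhere on a line, that YES/NO are matched case-insensitively, and that a repeated variable takes its last value; the sample file content is constructed.

```python
# Defaults taken from the settings table on this page ("" stands for <not set>).
DEFAULTS = {
    "report.readurl.protocol.file": "NO",
    "report.readurl.protocol.file.path": "",
    "report.write.allow": "NO",
    "report.write.path": "",
    "report.runcmd.allow": "NO",
    "report.clifunctions.allow": "NO",
}

def parse_prefs(text):
    """Parse 'variable = value' lines into a dict, dropping ';' comments."""
    prefs = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # assumption: ';' ends the setting
        if "=" not in line:
            continue                          # blank, comment-only or malformed
        name, value = (part.strip() for part in line.split("=", 1))
        if name:
            prefs[name] = value               # assumption: last assignment wins
    return prefs

def audit(prefs):
    """Return (setting, reason) pairs for report-script access beyond the defaults."""
    eff = {**DEFAULTS, **prefs}

    def enabled(name):
        return eff[name].upper() == "YES"

    findings = []
    if enabled("report.runcmd.allow"):
        findings.append(("report.runcmd.allow",
                         "report scripts may run shell commands"))
    if enabled("report.clifunctions.allow"):
        findings.append(("report.clifunctions.allow",
                         "report scripts may run all CLI privilege level commands"))
    if enabled("report.readurl.protocol.file") and not eff["report.readurl.protocol.file.path"]:
        findings.append(("report.readurl.protocol.file",
                         "file URLs are readable and no path restriction is set"))
    if enabled("report.write.allow") and not eff["report.write.path"]:
        findings.append(("report.write.allow",
                         "report scripts may write files and no path restriction is set"))
    return findings

# Constructed sample, not taken from a real server.
SAMPLE = """\
; local overrides
session.timeout = 1800
report.runcmd.allow = YES            ; enabled for a one-off report
report.write.allow = YES
report.write.path = /var/tmp/reports ; writes confined to this directory
report.readurl.protocol.file = yes
"""

if __name__ == "__main__":
    for setting, reason in audit(parse_prefs(SAMPLE)):
        print(f"{setting}: {reason}")
```

In the sample, report.write.allow is not reported because report.write.path confines it, while the file URL setting is reported because report.readurl.protocol.file.path is left unset.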