Empty Top Talkers and Data?
-
- Posts: 506
- Joined: Wed Apr 15, 2015 4:21 pm
We have an instance of Network Analyzer running, and it looks like the Top Talkers, or any report for that matter, is not working. The graphs show that there is data, but we are not seeing anything in terms of destination/source/etc. Please advise.
The flow data is there...
-
- Dreams In Code
- Posts: 7682
- Joined: Wed Feb 11, 2015 12:54 pm
Re: Empty Top Talkers and Data?
Please run this command (and let it run):
Code: Select all
tail -f /var/log/httpd/*
Then reproduce the issue and send us the entire output of the tail command.
Thank you
-
- Madmin
- Posts: 9190
- Joined: Thu Oct 30, 2014 9:02 am
Re: Empty Top Talkers and Data?
The biggest cause of what you are seeing is that the time between the NNA server and the device are out of sync.
Verify that the time and timezone are correct on both the device and the NNA server and that should start the table data to be collected.
Be sure to check out our Knowledgebase for helpful articles and solutions!
-
- Posts: 506
- Joined: Wed Apr 15, 2015 4:21 pm
Re: Empty Top Talkers and Data?
Code: Select all
==> /var/log/httpd/ssl_access_log <==
10.242.13.10 - - [09/Dec/2016:11:55:16 -0800] "POST /nagiosna/index.php/api/system/source_status HTTP/1.1" 200 189
==> /var/log/httpd/ssl_request_log <==
[09/Dec/2016:11:55:16 -0800] 10.242.13.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /nagiosna/index.php/api/system/source_status HTTP/1.1" 189
==> /var/log/httpd/ssl_access_log <==
10.242.13.10 - - [09/Dec/2016:11:55:16 -0800] "GET /nagiosna/index.php/api/reports/execute_anonymous?q%5Btop%5D=5&q%5Btoporder%5D=bytes&q%5Btoptype%5D=srcport&q%5Bbegindate%5D=-2+hours&q%5Benddate%5D=-1+second&q%5Bsid%5D=2 HTTP/1.1" 200 351
==> /var/log/httpd/ssl_request_log <==
[09/Dec/2016:11:55:16 -0800] 10.242.13.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /nagiosna/index.php/api/reports/execute_anonymous?q%5Btop%5D=5&q%5Btoporder%5D=bytes&q%5Btoptype%5D=srcport&q%5Bbegindate%5D=-2+hours&q%5Benddate%5D=-1+second&q%5Bsid%5D=2 HTTP/1.1" 351
==> /var/log/httpd/ssl_access_log <==
10.242.13.10 - - [09/Dec/2016:11:55:17 -0800] "GET /nagiosna/media/favicon.ico HTTP/1.1" 200 822
==> /var/log/httpd/ssl_request_log <==
[09/Dec/2016:11:55:17 -0800] 10.242.13.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /nagiosna/media/favicon.ico HTTP/1.1" 822
==> /var/log/httpd/ssl_access_log <==
10.242.13.10 - - [09/Dec/2016:11:55:16 -0800] "GET /nagiosna/index.php/api/reports/execute_anonymous?q%5Btop%5D=5&q%5Btoporder%5D=bytes&q%5Btoptype%5D=dstip&q%5Bbegindate%5D=-2+hours&q%5Benddate%5D=-1+second&q%5Bsid%5D=2 HTTP/1.1" 200 349
==> /var/log/httpd/ssl_request_log <==
[09/Dec/2016:11:55:16 -0800] 10.242.13.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /nagiosna/index.php/api/reports/execute_anonymous?q%5Btop%5D=5&q%5Btoporder%5D=bytes&q%5Btoptype%5D=dstip&q%5Bbegindate%5D=-2+hours&q%5Benddate%5D=-1+second&q%5Bsid%5D=2 HTTP/1.1" 349
==> /var/log/httpd/ssl_access_log <==
10.242.13.10 - - [09/Dec/2016:11:55:16 -0800] "GET /nagiosna/index.php/api/graphs/execute?begindate=-2%2520hours&enddate=-1%2520second&q%5BBytes%5D=bytes&q%5BFlows%5D=flows&q%5BPackets%5D=packets&q%5BBytes%2FSec%5D=bps&sid=2 HTTP/1.1" 200 1322
==> /var/log/httpd/ssl_request_log <==
[09/Dec/2016:11:55:16 -0800] 10.242.13.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /nagiosna/index.php/api/graphs/execute?begindate=-2%2520hours&enddate=-1%2520second&q%5BBytes%5D=bytes&q%5BFlows%5D=flows&q%5BPackets%5D=packets&q%5BBytes%2FSec%5D=bps&sid=2 HTTP/1.1" 1322
==> /var/log/httpd/ssl_access_log <==
10.242.13.10 - - [09/Dec/2016:11:55:16 -0800] "POST /nagiosna/index.php/api/views/get_views HTTP/1.1" 200 2
==> /var/log/httpd/ssl_request_log <==
[09/Dec/2016:11:55:16 -0800] 10.242.13.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /nagiosna/index.php/api/views/get_views HTTP/1.1" 2
==> /var/log/httpd/ssl_access_log <==
10.242.13.10 - - [09/Dec/2016:11:55:16 -0800] "GET /nagiosna/index.php/api/reports/execute_anonymous?q%5Btop%5D=5&q%5Btoporder%5D=bytes&q%5Btoptype%5D=dstport&q%5Bbegindate%5D=-2+hours&q%5Benddate%5D=-1+second&q%5Bsid%5D=2 HTTP/1.1" 200 351
==> /var/log/httpd/ssl_request_log <==
[09/Dec/2016:11:55:16 -0800] 10.242.13.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /nagiosna/index.php/api/reports/execute_anonymous?q%5Btop%5D=5&q%5Btoporder%5D=bytes&q%5Btoptype%5D=dstport&q%5Bbegindate%5D=-2+hours&q%5Benddate%5D=-1+second&q%5Bsid%5D=2 HTTP/1.1" 351
==> /var/log/httpd/ssl_access_log <==
10.242.13.10 - - [09/Dec/2016:11:55:16 -0800] "GET /nagiosna/index.php/api/reports/execute_anonymous?q%5Btop%5D=5&q%5Btoporder%5D=bytes&q%5Btoptype%5D=srcip&q%5Bbegindate%5D=-2+hours&q%5Benddate%5D=-1+second&q%5Bsid%5D=2 HTTP/1.1" 200 349
==> /var/log/httpd/ssl_request_log <==
[09/Dec/2016:11:55:16 -0800] 10.242.13.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /nagiosna/index.php/api/reports/execute_anonymous?q%5Btop%5D=5&q%5Btoporder%5D=bytes&q%5Btoptype%5D=srcip&q%5Bbegindate%5D=-2+hours&q%5Benddate%5D=-1+second&q%5Bsid%5D=2 HTTP/1.1" 349
-
- Dreams In Code
- Posts: 7682
- Joined: Wed Feb 11, 2015 12:54 pm
Re: Empty Top Talkers and Data?
Please check the time on the remote device (as tgriep mentioned) and also include the output of these commands (on the NNA server):
Code: Select all
date
ls -l /etc/localtime
php -r 'echo date("D M j G:i:s T Y")."\n";'
grep "date.timezone =" /etc/php.ini
Thank you
-
- Posts: 506
- Joined: Wed Apr 15, 2015 4:21 pm
Re: Empty Top Talkers and Data?
Date seems to be matching. Does it have to be exact? i.e. using NTP?
tgriep wrote: The biggest cause of what you are seeing is that the time between the NNA server and the device are out of sync.
Verify that the time and timezone are correct on both the device and the NNA server and that should start the table data to be collected.
-
- Posts: 506
- Joined: Wed Apr 15, 2015 4:21 pm
Re: Empty Top Talkers and Data?
[root@cgxnagna01 ~]# date
Fri Dec 9 12:22:04 PST 2016
[root@cgxnagna01 ~]# ls -l /etc/localtime
lrwxrwxrwx 1 root root 39 Dec 8 17:02 /etc/localtime -> /usr/share/zoneinfo/America/Los_Angeles
[root@cgxnagna01 ~]# php -r 'echo date("D M j G:i:s T Y")."\n";'
Fri Dec 9 12:22:04 PST 2016
[root@cgxnagna01 ~]# grep "date.timezone =" /etc/php.ini
date.timezone = America/Los_Angeles
[root@cgxnagna01 ~]#
-
- Madmin
- Posts: 9190
- Joined: Thu Oct 30, 2014 9:02 am
Re: Empty Top Talkers and Data?
The date and time have to be fairly close between the NNA server and the device for this to work correctly.
You can enable NTP on the NNA server so it will stay in time sync.
What is the make and model number of the device that is sending the Netflow data to the NNA server?
Can you post a few of the nfcapd files for that source so we can see what is being captured in them?
Thanks
-
- Posts: 506
- Joined: Wed Apr 15, 2015 4:21 pm
Re: Empty Top Talkers and Data?
So using Nfdump, I was able to take a peek at the flow data and confirmed that the device sending the data is not configured with proper dates. Thanks!
Code: Select all
[root@ flows]# nfdump -r nfcapd.201612120910 -c 10
Date first seen Event XEvent Proto Src IP Addr:Port Dst IP Addr:Port X-Src IP Addr:Port X-Dst IP Addr:Port In Byte Out Byte
1969-12-31 16:00:00.010 IGNORE Ignore TCP 10.62.12.110:53330 -> 10.65.68.13:2383 0.0.0.0:0 -> 0.0.0.0:0 13274 0
1969-12-31 16:00:00.010 IGNORE Ignore TCP 10.62.11.49:135 -> 10.65.64.67:58190 0.0.0.0:0 -> 0.0.0.0:0 2264 0
1969-12-31 16:00:00.010 IGNORE Ignore UDP 10.60.217.108:50515 -> 10.65.64.1:389 0.0.0.0:0 -> 0.0.0.0:0 275 0
1969-12-31 16:00:00.010 IGNORE Ignore UDP 10.62.11.43:53 -> 10.65.32.10:57307 0.0.0.0:0 -> 0.0.0.0:0 89 0
1969-12-31 16:00:00.010 IGNORE Ignore UDP 10.65.1.2:161 -> 10.65.32.10:51469 0.0.0.0:0 -> 0.0.0.0:0 137 0
1969-12-31 16:00:00.010 IGNORE Ignore UDP 10.62.11.43:53 -> 10.65.67.2:55643 0.0.0.0:0 -> 0.0.0.0:0 127 0
1969-12-31 16:00:00.010 IGNORE Ignore TCP 10.60.217.108:54049 -> 10.65.64.1:389 0.0.0.0:0 -> 0.0.0.0:0 52 0
1969-12-31 16:00:00.010 IGNORE Ignore UDP 10.60.217.108:61365 -> 10.65.64.1:53 0.0.0.0:0 -> 0.0.0.0:0 84 0
1969-12-31 16:00:00.010 IGNORE Ignore TCP 10.62.12.110:53458 -> 10.65.68.13:2382 0.0.0.0:0 -> 0.0.0.0:0 1700 0
1969-12-31 16:00:00.010 IGNORE Ignore TCP 10.62.12.110:53459 -> 10.65.68.13:2383 0.0.0.0:0 -> 0.0.0.0:0 12362 0
Summary: total flows: 10, total bytes: 30364, total packets: 44, avg bps: 0, avg pps: 0, avg bpp: 0
Time window: 2016-12-12 09:10:00 - 2016-12-12 09:15:00
Total flows processed: 13795, Blocks skipped: 0, Bytes read: 1048576
Sys: 0.000s flows/second: 13808808.8 Wall: 0.001s flows/second: 8458001.2
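The check done by eye in the post above, as an added example that is not part of the thread: it reads nfdump text output and lists flow rows whose "Date first seen" falls outside the file's "Time window" line (1969-12-31 16:00:00 PST is Unix time 0). The sample input is constructed, and the 30-minute slack and one-year cutoff are assumptions.

```python
# Added example (not from the thread): audit nfdump text output for flow
# rows whose "Date first seen" lies outside the file's "Time window".
import re
from datetime import datetime, timedelta

# Constructed sample: two rows copied from the output posted above, one
# made-up row with a sane timestamp, and the thread's "Time window" line.
SAMPLE = """\
Date first seen Event XEvent Proto Src IP Addr:Port Dst IP Addr:Port In Byte Out Byte
1969-12-31 16:00:00.010 IGNORE Ignore TCP 10.62.12.110:53330 -> 10.65.68.13:2383 0.0.0.0:0 -> 0.0.0.0:0 13274 0
1969-12-31 16:00:00.010 IGNORE Ignore UDP 10.62.11.43:53 -> 10.65.32.10:57307 0.0.0.0:0 -> 0.0.0.0:0 89 0
2016-12-12 09:11:42.500 IGNORE Ignore UDP 10.62.11.43:53 -> 10.65.67.2:55643 0.0.0.0:0 -> 0.0.0.0:0 127 0
Time window: 2016-12-12 09:10:00 - 2016-12-12 09:15:00
"""

FMT = "%Y-%m-%d %H:%M:%S"
ROW = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s")
WINDOW = re.compile(r"^Time window: (\S+ \S+) - (\S+ \S+)")


def audit(text, slack=timedelta(minutes=30)):
    """Return (row_count, [(first_seen, offset_from_window_start), ...])."""
    rows, window = [], None
    for line in text.splitlines():
        row, win = ROW.match(line), WINDOW.match(line)
        if row:
            rows.append(datetime.strptime(row.group(1), FMT))
        elif win:
            window = [datetime.strptime(g, FMT) for g in win.groups()]
    if window is None:
        raise ValueError("no 'Time window:' line found")
    start, end = window
    # Long-lived flows can start before the file's window, hence the slack
    # (30 minutes is an assumed value; match it to the exporter's timeouts).
    bad = [(t, t - start) for t in rows if t < start - slack or t > end + slack]
    return len(rows), bad


def exporter_clock_unset(text):
    """True when out-of-window rows are more than a year off (assumed cutoff)."""
    _, bad = audit(text)
    return any(abs(offset) > timedelta(days=365) for _, offset in bad)


if __name__ == "__main__":
    total, bad = audit(SAMPLE)
    print(f"{len(bad)} of {total} flow rows fall outside the capture window")
    for first_seen, offset in bad:
        print(f"  first seen {first_seen} ({offset.days} days from window start)")
```

To run it against a real capture, pass the text printed by `nfdump -r <file>` to `audit()` instead of `SAMPLE`.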
-
- Posts: 1145
- Joined: Tue Nov 17, 2015 1:57 pm
Re: Empty Top Talkers and Data?
Thanks for that update and glad to hear you identified the problem. Are we good to lock this thread now or did you have additional questions?