Nagios Support Forum

I have network analyzer set up and flows worked for awhile and then quit. It looks like flows are coming in and everything is populating but no data is shown for the devices. Latest version installed.

tcpdump shows data is coming in.

cat /etc/sudoers.d/nna_conf
Defaults:%nnacmd !requiretty

Host_Alias HOST = localhost

Cmnd_Alias LIST = /sbin/iptables --list
Cmnd_Alias SAVE = /etc/init.d/iptables save
Cmnd_Alias UPDATE = /sbin/iptables -I INPUT -p udp -j ACCEPT --dport *
Cmnd_Alias DAEMON = /usr/local/nagiosna/bin/nagiosna *

%nnacmd ALL=(ALL) NOPASSWD:LIST
%nnacmd ALL=(ALL) NOPASSWD:SAVE
%nnacmd ALL=(ALL) NOPASSWD:UPDATE
%nnacmd ALL=(ALL) NOPASSWD:/bin/kill *
%nnacmd ALL=(ALL) NOPASSWD:DAEMON

ps aux |grep nna
nna 1968 0.0 0.0 17848 4844 ? S Aug20 0:01 /usr/local/bin/nfcapd -I 1 -l /usr/local/nagiosna/var/dxxxxxxxx.com/flows -p 9990 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/dxxxxxxxx.com/9990.pid -D -e -w -z


tail -100 /usr/local/nagiosna/var/backend.log
2014-09-11 15:00:10 INFO : Ran checks successfully
2014-09-11 15:00:10 INFO : Successfully reaped nfcapd file.
2014-09-11 15:00:10 INFO : Parsing data for the source id: 2
2014-09-11 15:00:10 DEBUG : Arguments: /usr/local/nagiosna/var/xxxxxxxx.com/flows, nfcapd.201409111455, 2
2014-09-11 15:00:10 DEBUG : Running checks...
2014-09-11 15:00:10 DEBUG : Getting relevant checks for source id: 2
2014-09-11 15:00:10 DEBUG : Checks found: ()
2014-09-11 15:00:10 INFO : Ran checks successfully
2014-09-11 15:00:10 INFO : Successfully reaped nfcapd file.
2014-09-11 15:00:10 INFO : Parsing data for the source id: 3
2014-09-11 15:00:10 DEBUG : Arguments: /usr/local/nagiosna/var/xxxxxxxxx/flows, nfcapd.201409111455, 3


ls -l /usr/local/nagiosna/var/xxxxxxxxx/
total 1236
-rw-r--r--+ 1 nna nnacmd 5 Sep 11 14:47 9010.pid
-rw-rw-r--+ 1 nna nnacmd 1255360 Sep 11 10:26 bandwidth.rrd
drwxrwsr-x+ 2 nna nnacmd 4096 Sep 11 15:25 flows



ls -l /usr/local/nagiosna/var/xxxxxxxxxxxxx/flows
total 244
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 10:30 nfcapd.201409111025
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 10:35 nfcapd.201409111030
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 10:40 nfcapd.201409111035
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 10:45 nfcapd.201409111040
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 10:50 nfcapd.201409111045
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 10:55 nfcapd.201409111050
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 11:00 nfcapd.201409111055
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 11:05 nfcapd.201409111100
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 11:10 nfcapd.201409111105
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 11:15 nfcapd.201409111110
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 11:20 nfcapd.201409111115
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 11:25 nfcapd.201409111120
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 11:30 nfcapd.201409111125
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 11:35 nfcapd.201409111130
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 11:40 nfcapd.201409111135
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 11:45 nfcapd.201409111140
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 11:50 nfcapd.201409111145
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 11:55 nfcapd.201409111150
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 12:00 nfcapd.201409111155
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 12:05 nfcapd.201409111200
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 12:10 nfcapd.201409111205
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 12:15 nfcapd.201409111210
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 12:20 nfcapd.201409111215
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 12:25 nfcapd.201409111220
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 12:30 nfcapd.201409111225
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 12:35 nfcapd.201409111230
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 12:40 nfcapd.201409111235
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 12:45 nfcapd.201409111240
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 12:50 nfcapd.201409111245
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 12:55 nfcapd.201409111250
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 13:00 nfcapd.201409111255
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 13:05 nfcapd.201409111300
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 13:10 nfcapd.201409111305
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 13:15 nfcapd.201409111310
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 13:20 nfcapd.201409111315
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 13:25 nfcapd.201409111320
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 13:30 nfcapd.201409111325
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 13:35 nfcapd.201409111330
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 13:40 nfcapd.201409111335
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 13:45 nfcapd.201409111340
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 13:50 nfcapd.201409111345
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 13:55 nfcapd.201409111350
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 14:00 nfcapd.201409111355
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 14:05 nfcapd.201409111400
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 14:10 nfcapd.201409111405
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 14:15 nfcapd.201409111410
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 14:20 nfcapd.201409111415
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 14:25 nfcapd.201409111420
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 14:30 nfcapd.201409111425
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 14:35 nfcapd.201409111430
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 14:40 nfcapd.201409111435
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 14:45 nfcapd.201409111440
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 14:50 nfcapd.201409111445
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 14:55 nfcapd.201409111450
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 15:00 nfcapd.201409111455
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 15:05 nfcapd.201409111500
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 15:10 nfcapd.201409111505
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 15:15 nfcapd.201409111510
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 15:20 nfcapd.201409111515
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 15:25 nfcapd.201409111520
-rw-r--r--+ 1 nna nnacmd 276 Sep 11 15:25 nfcapd.current.2569

Mike,

Someone else has a similar issue and I just wanted to copy my response for you too, if we could get a little more data it would really help!

Can you please link your apache error_log after you click into the source? It may be permissions issues on the RRD file. The actual nfcpad data is being stored in it's own files which makes up the reports, queries, and top talkers while the bandwidth graph is made using the RRD file. If it can't read it or there's an error somewhere, it would return no data.

Here are the logs for apache when clicking on the source: (both access and error logs)

- - [11/Sep/2014:16:10:13 -0600] "POST /nagiosna/index.php/api/reports/execute_anonymous HTTP/1.1" 200 29 "http://xxxxxxx.com/nagiosna/index.php/sources/3" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0"
- - [11/Sep/2014:16:10:13 -0600] "POST /nagiosna/index.php/api/reports/execute_anonymous HTTP/1.1" 200 29 "http://xxxxxxxx.com/nagiosna/index.php/sources/3" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0"
- - [11/Sep/2014:16:10:13 -0600] "POST /nagiosna/index.php/api/system/source_status HTTP/1.1" 200 200 "http://xxxxxxxxxxxx.com/nagiosna/index.php/sources/3" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0"

File does not exist: /var/www/html/favicon.ico

Well if that's both logs, there isn't anything bad going on there. I notice the + on the end of your permissions, do you have selinux setup on this machine, and if so what are the nna app and files selinux contexts?

No selinux...it is disabled.

Mike, have you changed the port on this source? I noticed you are using port 9990:

ps aux |grep nna
nna 1968 0.0 0.0 17848 4844 ? S Aug20 0:01 /usr/local/bin/nfcapd -I 1 -l /usr/local/nagiosna/var/dxxxxxxxx.com/flows -p 9990 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/dxxxxxxxx.com/9990.pid -D -e -w -z

... but here, it seems like you've been using 9010...

s -l /usr/local/nagiosna/var/xxxxxxxxx/
total 1236
-rw-r--r--+ 1 nna nnacmd 5 Sep 11 14:47 9010.pid
-rw-rw-r--+ 1 nna nnacmd 1255360 Sep 11 10:26 bandwidth.rrd
drwxrwsr-x+ 2 nna nnacmd 4096 Sep 11 15:25 flows

Can you run the following commands and show us the output?
Click on the source in the NNA web UI, and show us a screenshot of this page (hide sensitive info).

Yes the port was changed and other ports added as well (several admins on this at once):

ps -ef | grep nna | grep 9010
nna 1968 1 0 Aug20 ? 00:00:01 /usr/local/bin/nfcapd -I 1 -l /usr/local/nagiosna/var/xxxxxxxxxxx.com/flows -p 9010 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/xxxxxxx.com/9010.pid -D -e -w -z
nna 1969 1968 0 Aug20 ? 00:00:10 /usr/local/bin/nfcapd -I 1 -l /usr/local/nagiosna/var/xxxxxxxxx.com/flows -p 9010 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/xxxxxxxxxx.com/9010.pid -D -e -w -z

ps -ef | grep nna | grep 9990

iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:9990
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:9010
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:9003
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:9991

ps -ef | grep nna | grep 9990

Didn't you get any output? Is nna listening on 9990?

Click on the source in the NNA web UI, and show us a screenshot of this page (hide sensitive info).

I wanted to see the PID in the upper right corner.

Note: I tested changing the port on my test box (Nagios Network Analyzer 2014R1.9) and it seemed to work fine. I had "No Data" for a short time, but it all came back.

There is something else going on here....we are asking network staff to see if the firewall is blocking any communication, I will update when I find out.

Great, keep us up to date in case that may be the issue.