Advanced
This page contains detailed configuration and tuning parameters. What goes on under the hood.
Configuring Trisul for IPDR
At ISP scale, storing every single flow is a processor- and disk-intensive task, so this configuration cannot be combined with the NetFlow Traffic and Security Analytics feature except at very small ISPs. This section contains configuration tips to optimize this feature.
Use compressor lz4-ipv4-call-log-with-nat
Use a new flow compressor specifically designed for IPDR flow log. This high performance compressor can store a flow with NAT in as little as 14 bytes.
Open the trisulHubConfig.xml file and specify the following in Advanced DB Parameters:

- Use the new compressor `lz4-ipv4-call-log-with-nat`
- Disable microsecond timestamps

```xml
<DBParameters>
  <FlowStream>
    <MicroSecondTimestamps>false</MicroSecondTimestamps>
    <ZFLOWBLOCK_COMPRESSOR_CODE>lz4-ipv4-call-log-with-nat</ZFLOWBLOCK_COMPRESSOR_CODE>
    ...
  </FlowStream>
</DBParameters>
```
The trisul-ipdr Query Service
The Trisul IPDR package comes with a powerful asynchronous query service called `trisul-ipdr`.

The features of this service are:

- Asynchronous - you can submit multiple long-running queries for an IP and then download the results when they are done
- Results - the results are in compliance format, including the full IP details as well as the NAT details (if applicable)
- Dashboard - the dashboard shows running queries, completed queries, and downloadable results
- Cancel - long-running queries can be cancelled; the number of records is updated continuously
- Audit log - every query submission, including user name, submit time and submit parameters, is stored in an audit log
- Statistics - the dashboard also shows important statistics such as total bandwidth, number of flows per minute, DB growth, etc.
- Automatic FTP - for query dumps that are huge, the service automatically FTPs the results to a separate secure FTP server

To start this service:

```shell
systemctl start trisul-ipdr
```
Workflow
The system is designed around a special login for the agent who will be performing the queries. This login has no privileges other than running the queries required for compliance. The trisul-ipdr service described above delivers the data either as a download or pushed directly to a Secure FTP (SFTP) server: we have seen agent requests produce several GB of output, which cannot be downloaded through a browser. See Configure IPDR Settings for how to set up the SFTP server.
The following diagram shows the workflow
Figure: Agent login, submit, download, FTP workflow
Agent login with special ID
The agent is given a separate login and password with a dashboard that shows only one option: retrieve IPDR logs. Once logged in, the agent can submit a query using the Trisul IPDR Query form and view the IPDR dashboard for the queried IP addresses. The IPDR reports are then downloaded from the web browser or the FTP server.
Tuning
We suggest the following configuration parameters for a minimal IPDR deployment.
Config file | Parameter | Set this to | Notes |
---|---|---|---|
Netflow config | AppMode | ipdr | Sets the Netflow processing to IPDR mode |
Hub Config | DBParameters > FlowStream > AppMode | lz4-ip-call-log-with-nat-pro-max | Sets the database schema and compression code to pro-max mode |
Probe Config file | Tuning > DisableFlowTupleFeedback | true | Disables monitoring of flow tuples by IP and application. If flow tuple feedback is left enabled, connection metrics are kept for every IP and application, which wastes disk space in an IPDR deployment |
Probe Config file | Edges > EnableFlowEdges | false | Disables Edge graph generation to save space |
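As an added check (example code written for this page, not part of Trisul or its documentation), the following Python script audits hub and probe XML configs against the values recommended above and reports every setting that is missing or differs. It assumes only the element names shown on this page (FlowStream/MicroSecondTimestamps, FlowStream/ZFLOWBLOCK_COMPRESSOR_CODE, Tuning/DisableFlowTupleFeedback, Edges/EnableFlowEdges); the sample configs are constructed, the probe root element name `TrisulProbeConfig` is an assumption, and the NetFlow config AppMode setting is not covered because its file format is not shown here.

```python
"""Audit Trisul XML config files against the IPDR tuning values.

Example code for this page, not Trisul's own tooling. Element names come
from the page; the probe config root element name below is an assumption.
"""
import xml.etree.ElementTree as ET

# Expected values. Paths are ElementTree searches (".//" = anywhere below
# the root), so a rule works whether the caller passes a whole config file
# or only the <DBParameters> fragment shown on this page.
HUB_RULES = {
    ".//FlowStream/MicroSecondTimestamps": "false",
    ".//FlowStream/ZFLOWBLOCK_COMPRESSOR_CODE": "lz4-ipv4-call-log-with-nat",
}
PROBE_RULES = {
    ".//Tuning/DisableFlowTupleFeedback": "true",
    ".//Edges/EnableFlowEdges": "false",
}


def audit(xml_text, rules):
    """Return [(path, expected, actual)] for every rule that is not met.

    actual is None when the element is absent. Comparison is trimmed and
    case-insensitive because XML booleans are often written True/true.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for path, expected in rules.items():
        node = root.find(path)
        actual = None if node is None else (node.text or "").strip()
        if actual is None or actual.lower() != expected.lower():
            findings.append((path, expected, actual))
    return findings


def format_report(name, findings):
    """Render audit findings as a short human-readable report."""
    if not findings:
        return f"{name}: OK"
    lines = [f"{name}: {len(findings)} setting(s) differ from the IPDR recommendation"]
    for path, expected, actual in findings:
        shown = "<missing>" if actual is None else repr(actual)
        lines.append(f"  {path}: expected {expected!r}, found {shown}")
    return "\n".join(lines)


# Constructed sample: hub fragment before tuning (timestamps on, no compressor).
UNTUNED_HUB = """<DBParameters>
  <FlowStream>
    <MicroSecondTimestamps>true</MicroSecondTimestamps>
  </FlowStream>
</DBParameters>"""

# Constructed sample: hub fragment with the values recommended on this page.
TUNED_HUB = """<DBParameters>
  <FlowStream>
    <MicroSecondTimestamps>false</MicroSecondTimestamps>
    <ZFLOWBLOCK_COMPRESSOR_CODE>lz4-ipv4-call-log-with-nat</ZFLOWBLOCK_COMPRESSOR_CODE>
  </FlowStream>
</DBParameters>"""

# Constructed sample probe config; the root element name is an assumption.
UNTUNED_PROBE = """<TrisulProbeConfig>
  <Tuning><DisableFlowTupleFeedback>false</DisableFlowTupleFeedback></Tuning>
  <Edges><EnableFlowEdges>true</EnableFlowEdges></Edges>
</TrisulProbeConfig>"""


if __name__ == "__main__":
    print(format_report("untuned hub", audit(UNTUNED_HUB, HUB_RULES)))
    print(format_report("tuned hub", audit(TUNED_HUB, HUB_RULES)))
    print(format_report("untuned probe", audit(UNTUNED_PROBE, PROBE_RULES)))
```

To run it against a real installation, replace the constructed strings with the contents of trisulHubConfig.xml and the probe config file; a non-empty finding list is the signal that the deployment has drifted from the IPDR profile.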