Settings

Default configuration can be changed via environment variables in /srv/collector/.env file (learn more).

Flow Collection

IPv4

  • COLLECTOR_NETFLOW_V5_PORT (default: 9555): the port used to receive NetFlow v5 protocol packets.
  • COLLECTOR_NETFLOW_V9_PORT (defalt: 9995): the port used to receive NetFlow v9 protocol packets.
  • COLLECTOR_IPFIX_UDP_PORT (default: 4739): the port used to receive IPFIX protocol packets over UDP.
  • COLLECTOR_IPFIX_TCP_PORT (default: 4739): the port used to receive IPFIX protocol packets over TCP.
  • COLLECTOR_SFLOW_PORT (default: 6343): the port used to receive sFlow v5 protocol packets.

IPv6

Ports for IPv6 traffic are set automatically to one above than the port for IPv4. For example, port 9556 will be used for NetFlow v5 over IPv6.

ClickHouse

Collector saves flow from incoming packets to ClickHouse located using:

  • COLLECTOR_CLICKHOUSE_ADDRESS (default: clickhouse.mitigator:9000): address and port of the ClickHouse server.

By default, ClickHouse is configured to work on the server minimum configuration.
In order for ClickHouse to efficiently and safely use the entire available amount of RAM, you need to configure its limits.

  • COLLECTOR_CLICKHOUSE_RAM_RATIO_MAX (default: 0.7): the ratio to physical RAM for ClickHouse server amount of RAM used.
    Recommended value: 0.7.
    If ClickHouse on a single server - 0.9.

For example, 32 Gb of RAM is installed on the machine, the RAM limit for the ClickHouse server is 20.8 Gb:
COLLECTOR_CLICKHOUSE_RAM_RATIO_MAX=0.65

  • COLLECTOR_CLICKHOUSE_QUERY_RAM_MAX (default: 10Gi): the maximum amount of RAM to use for running a query on a single server.

For example, 32 Gb of RAM is installed on the machine, the RAM limit for the ClickHouse server is 22.4 Gb, the RAM limit for one query is 1 Gb:

COLLECTOR_CLICKHOUSE_RAM_RATIO_MAX=0.7
COLLECTOR_CLICKHOUSE_QUERY_RAM_MAX=1Gi

When viewing the Flow Analysis tab of the MITIGATOR Web interface, one user creates up to six parallel queries.

In this configuration, 12 queries from two users Web interface can be processed in parallel. The execution of the query is interrupted if the amount of RAM required is greater than the set limit.
For the internal functions of the ClickHouse server (inserting data, background data processing), at least 10.4 Gb remains.

MITIGATOR Integration

Grafana

Grafana is used to display the metrics gathered by Collector. Grafana runs on port 3000, which can be accessed via a browser.

Default login/password: admin/admin.

At the first launch, select Data Sources, then select Collector.