NFO Server & Controller Logs
Log File Reference
NFO logs are located in $NFO_HOME/logs, while Controller and Tomcat logs are in $NFO_HOME/tomcat/logs.
NFO Engine & Controller Logs
| Log File Name | Source | Description |
|---|---|---|
| nfc_server.<timestamp>.log | Engine | Primary Log. NFO core process events, enabled modules, and processing errors. |
| server.<timestamp>.log | Engine | Startup logs and redirected process standard output. |
| process.log<.#> | Engine | CPU/Memory usage and statistics for incoming/outgoing traffic (NetFlow and SNMP). |
| nf2sl.log<.#> | Controller | Auth & UI. Controller keep-alive, user logins, configuration changes, and errors. |
| nfo-output.log<.#> | Controller | Telemetry for TCP-based outputs (Kafka, OpenSearch, Azure Log Analytics). |
| templates.log | Controller | Information about received NetFlow v9/IPFIX templates. |
| localhost_access_log.<date> | Tomcat | All GUI requests, including source IP address and access time. |
| catalina.out | Tomcat | Tomcat process redirected standard output. |
| catalina.#.log | Tomcat | Detailed Tomcat process events and startup errors. |
| nfo_audit.log | Controller | Audit trail of unresponsive devices placed on the "Skip SNMP polling" list. |
EDFN Logs
These logs are located in /opt/nfi-updater/logs/ (Linux) or the updater\logs directory (Windows).
| Log File Name | Module | Description |
|---|---|---|
| nfi-updater.log | Core | Primary Log. Threat feed download status and GeoIP database synchronization. |
| aws_collector.log | Cloud | AWS VPC Flow Log ingestion status, SQS polling, and S3 access logs. |
| azure_collector.log | Cloud | Azure NSG/VNet Flow Log ingestion via Event Hubs. |
| gcp_collector.log | Cloud | Google Cloud Platform flow ingestion status via Pub/Sub topics. |
Log Levels & Verbosity
NFO logging levels are, from least to most verbose: Error, Debug, Verbose, Flood.
To change the log level:
- Navigate to Tracing and Configuration.
- Select the desired Tracing verbosity level.
- Press Save. A restart is not required.
Interpreting Error Signatures
Engine (server.log & nfc_server.log)
| Problem | What to look for | Proposed Action |
|---|---|---|
| OS Stopped Process | ...flowintegrator.sh: line 90: ... Killed | Start NFO Server; ensure "Keep Alive" is enabled. Check OS OOM-Killer logs. |
| Process Crash | ...flowintegrator.sh: line 90: ... Segmentation fault | Restart NFO. Send logs and any .core files to Support. |
| Insufficient Memory | out of memory | Add RAM to the host or VM. |
| Config Failure | ON CONFIG: local configuration failed: 22 | Correct configuration in Web UI; check Status page for specific error. |
Controller (nf2sl.log & catalina.log)
| Problem | What to look for | Proposed Action |
|---|---|---|
| Java Heap Exhaustion | java.lang.OutOfMemoryError | Increase -Xmx parameter in tomcat/bin/setenv.sh. |
| Startup Failure | Context [] startup failed due to previous errors | Check filesystem permissions or port conflicts; restart Controller. |
| Server Sync Issue | NetFlow Integrator server not started | The Controller cannot reach the Engine on port 20048. Check firewall. |
| License Issue | [ALERT] ... license expiration | Verify license in the Web UI. |
| Unauthorized Access | Unexpected updater User-Agent | Someone is using EDFN credentials over the REST API improperly. |
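The two signature tables above can be applied mechanically to a log excerpt. The following Python sketch is an added example, not part of NFO or its documentation: the `scan` helper and `Finding` type are hypothetical names, the sample log lines are constructed, and the patterns are the "What to look for" strings from the tables.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "component line_no problem action")

# (component, problem, regex, action) rows copied from the two signature tables.
# Assumption: the script line number is matched as \d+ (the page shows "line 90").
SIGNATURES = [
    ("engine", "OS Stopped Process", r"flowintegrator\.sh: line \d+: .*Killed",
     "Start NFO Server; ensure Keep Alive is enabled; check OS OOM-Killer logs"),
    ("engine", "Process Crash", r"flowintegrator\.sh: line \d+: .*Segmentation fault",
     "Restart NFO; send logs and any .core files to Support"),
    ("engine", "Insufficient Memory", r"out of memory", "Add RAM to the host or VM"),
    ("engine", "Config Failure", r"ON CONFIG: local configuration failed",
     "Correct configuration in Web UI; check Status page"),
    ("controller", "Java Heap Exhaustion", r"java\.lang\.OutOfMemoryError",
     "Increase -Xmx parameter in tomcat/bin/setenv.sh"),
    ("controller", "Startup Failure", r"Context \[\] startup failed due to previous errors",
     "Check filesystem permissions or port conflicts; restart Controller"),
    ("controller", "Server Sync Issue", r"NetFlow Integrator server not started",
     "Controller cannot reach the Engine on port 20048; check firewall"),
    ("controller", "License Issue", r"\[ALERT\].*license expiration", "Verify license in the Web UI"),
    ("controller", "Unauthorized Access", r"Unexpected updater User-Agent",
     "Someone is using EDFN credentials over the REST API improperly"),
]
COMPILED = [(c, p, re.compile(rx), a) for c, p, rx, a in SIGNATURES]

def scan(component, lines):
    """Return a Finding for every line of a component's log that hits a signature."""
    return [Finding(component, n, problem, action)
            for n, line in enumerate(lines, start=1)
            for comp, problem, rx, action in COMPILED
            if comp == component and rx.search(line)]

# Constructed sample lines; real NFO prefixes and timestamps may differ.
SAMPLE_ENGINE = [
    "./flowintegrator.sh: line 90:  4242 Killed",
    "module enabled",
    "ON CONFIG: local configuration failed: 22",
]
SAMPLE_CONTROLLER = [
    "user login succeeded",
    "Unexpected updater User-Agent",
    "[ALERT] upcoming license expiration",
]
if __name__ == "__main__":
    for f in scan("engine", SAMPLE_ENGINE) + scan("controller", SAMPLE_CONTROLLER):
        print(f"{f.component}:{f.line_no} {f.problem} -> {f.action}")
```

Engine signatures are only evaluated against Engine logs (server.log, nfc_server.log) and Controller signatures against nf2sl.log and catalina logs, matching how the tables are split.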
Next Steps
- Understanding NFO Processes: Deep dive into the Parent/Child process model.
- Exporting Logs: How to download a diagnostic bundle for Support.
- Data Quality & Performance: Troubleshooting "Flow Drops" and capacity issues.
To effectively troubleshoot NFO, you must understand how its internal processes interact and where they store their event data.
System Internals
NetFlow Optimizer consists of several decoupled components. Understanding which component handles which task is the first step in log analysis:
- The Controller (Java/Tomcat): Manages the Web UI, user authentication, and high-level logic coordination. It runs as the jsvc process.
- The Engine (C++): The high-performance core (nfc_svr) responsible for receiving, processing, and sending flow data.
- The External Data Feeder for NFO (EDFN): Also running as a jsvc process, the EDFN engine plays a crucial role in enriching and transforming raw flow data. It handles external intelligence (GeoIP, Threat Lists) and cloud log ingestion (AWS, Azure, GCP).
- The Database (HSQLDB): A local service that stores your module configurations, watchlists, and system state.
Next Steps
Use the following guides to dig deeper into system events:
- Understanding NFO Processes: A deep dive into process relationships and resource management.
- Viewing & Exporting Logs: Practical steps to access log files and generate diagnostic bundles for Support.