Understanding NFO Processes
NetFlow Optimizer software consists of the following components:
- NFO Server (nfc_svr process): This is the core component responsible for receiving and processing network flow data. It interacts with data sources, performs initial validation and parsing, processes flow data by enabled Modules, and sends consolidated and enriched data out to SIEM or other systems. The NFO Server logs its activities and potential issues in detail, providing valuable information for troubleshooting.
- NFO Controller (tomcat, jsvc processes): The NFO Controller acts as the web-based user interface and management layer for NFO. It allows you to configure settings, view reports, and manage various functionalities. The Controller logs its activities, including user actions, configuration changes, and any errors encountered.
- External Data Feeder for NFO (EDFN) (jsvc process): The EDFN engine plays a crucial role in enriching and transforming the raw flow data. It logs its processing steps, potential errors, and performance metrics, aiding in troubleshooting data flow and enrichment issues.
This section provides information on the essential NFO processes you can monitor.
To monitor NFO processes on Linux, use the ps command with the -eo pid,ppid,comm options.
- NFO server: nfc_svr
- NFO controller: jsvc/tomcat (two tomcat processes)
- EDFN: jsvc/updater (two processes: the first is a service that monitors the second, the EDFN java process)
- HSQLDB - configuration database: java/hsqldb
NFO server (nfc_svr)
Viewing NFO server process:
# ps -eo pid,ppid,comm | grep nfc_svr
NFO Controller (jsvc/tomcat)
There are two tomcat jsvc processes:
- Parent Process: Monitors the Tomcat server process.
- Tomcat Server Process: Handles NFO's web interface and core functionalities.
Viewing Tomcat Processes:
# ps -eo pid,ppid,args | grep jsvc | grep tomcat
Example Output:
22189 1 jsvc.exec -cwd /opt/flowintegrator/tomcat/bin/ ...
22191 22189 jsvc.exec -cwd /opt/flowintegrator/tomcat/bin/ ...
Explanation:
- Process 22189: Parent jsvc process, responsible for monitoring the Tomcat server.
- Process 22191: Tomcat server process, handling NFO's core functionality.
If the Tomcat server process (22191) becomes unresponsive, the parent process (22189) will automatically restart it.
EDFN (jsvc/updater)
There are two EDFN jsvc processes:
- Parent Process: Monitors the EDFN process.
- EDFN Process: Handles EDFN functionalities.
Viewing EDFN Processes:
# ps -eo pid,ppid,args | grep jsvc | grep updater
Example Output:
23664 1 jsvc.exec -cwd /opt/nfi-updater/bin/ ...
23665 23664 jsvc.exec -cwd /opt/nfi-updater/bin/ ...
Explanation:
- Process 23664: Parent jsvc process, responsible for monitoring the EDFN process.
- Process 23665: EDFN process, handling EDFN functionality.
If the EDFN process (23665) becomes unresponsive, the parent process (23664) will automatically restart it.
HSQLDB - configuration database (java/hsqldb)
Viewing HSQLDB Processes:
# ps -eo pid,ppid,args | grep java | grep hsqldb
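The Linux checks above can be combined into a single pass over ps -eo pid,ppid,args output that also confirms each jsvc worker still has its monitoring parent, so a stopped collector or enrichment process is noticed before it leaves a gap in flow data. This is an added example, not vendor code; the function names, the sample PIDs, and the nfc_svr and java argument strings are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code): verify the NFO process layout from
# `ps -eo pid,ppid,args` output supplied on stdin.

# has_proc A B: succeeds if any line contains both strings A and B.
has_proc() {
    awk -v a="$1" -v b="$2" \
        'index($0, a) && index($0, b) { f = 1 } END { exit(f ? 0 : 1) }'
}

# jsvc_pair KW: succeeds if a jsvc process matching KW has a parent that is
# itself a jsvc process matching KW (monitor + worker, as the page describes).
jsvc_pair() {
    awk -v kw="$1" '
        index($0, "jsvc") && index($0, kw) { ppid[$1] = $2 }
        END {
            for (p in ppid) if (ppid[p] in ppid) f = 1
            exit(f ? 0 : 1)
        }'
}

# nfo_check: prints "ok" or "missing: <components>"; non-zero status on gaps.
nfo_check() {
    snap=$(cat)
    miss=""
    printf '%s\n' "$snap" | has_proc nfc_svr nfc_svr || miss="$miss nfc_svr"
    printf '%s\n' "$snap" | jsvc_pair tomcat || miss="$miss controller"
    printf '%s\n' "$snap" | jsvc_pair updater || miss="$miss edfn"
    printf '%s\n' "$snap" | has_proc java hsqldb || miss="$miss hsqldb"
    if [ -n "$miss" ]; then
        echo "missing:$miss"
        return 1
    fi
    echo "ok"
}

# Constructed sample: jsvc lines follow the page's example output; the
# nfc_svr and java lines (PIDs and arguments) are made up for illustration.
SAMPLE='20110 1 nfc_svr
22189 1 jsvc.exec -cwd /opt/flowintegrator/tomcat/bin/ ...
22191 22189 jsvc.exec -cwd /opt/flowintegrator/tomcat/bin/ ...
23664 1 jsvc.exec -cwd /opt/nfi-updater/bin/ ...
23665 23664 jsvc.exec -cwd /opt/nfi-updater/bin/ ...
20540 1 java placeholder-args hsqldb'

printf '%s\n' "$SAMPLE" | nfo_check
# Live use: ps -eo pid,ppid,args | nfo_check
```

A worker whose parent is no longer the jsvc monitor is reported as missing, since nothing would restart it if it hung.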
On Windows, use the Task Manager to view NFO processes. Look for processes related to NFO, such as java.exe and tomcat9.exe.
Viewing NFO Processes:
>TASKLIST /M VCRUNTIME140.dll
Example Output:
Image Name PID Modules
========================= ======== ============================================
nfi-updater.exe 3160 VCRUNTIME140.dll
tomcat9.exe 3212 VCRUNTIME140.dll
java.exe 6324 VCRUNTIME140.dll
nfc_svr.exe 2160 VCRUNTIME140.dll
Explanation:
- Process 2160: NFO server process (nfc_svr.exe).
- Process 3212: NFO controller process (tomcat9.exe).
- Process 3160: EDFN process (nfi-updater.exe).
- Process 6324: HSQLDB process - configuration database (java.exe).