pmacct-discussion  

[pmacct-discussion] best practice (additional examples)

alex
Wed, 23 Apr 2008 01:17:00 -0700

   Hello Paolo!
   Thank you VERY MUCH! Undoubtedly, 'pmacct' is an excellent package!
But I think (from my experience) that it needs a little best-practice
document, or more complex examples than the existing ones (with comments).
With such help new users can start their own configuration more quickly,
will ask the same questions less often and feel happy with 'pmacct'.
   I had many mistakes and misunderstandings in my configuration and
I think that it is a very common situation (as there are a lot of
parameters, nuances and variants).
   I attached my example (a raw variant, in the hope of your additions,
remarks and fixes) and will be glad if it is useful.


   Alex



Schema (the addresses are not real):



                                                                              ---------
  Remote office (72.109.231.141)                           192.168.5.0/24    |         |
         |                                             --------  &  ---------| nfacctd |
         |                                        eth0|    172.16.200.0/24   |         |
     --------------                       ---------------                     ---------
    |              |                 eth2| Gate/Firewall |                  192.168.5.8:2100
    |   Internet   |---------------------|               |
    |              |    12.198.142.112/29|pmacctd-nfprobe|
     --------------                       ---------------
                                                  eth1|
                                                       --- 172.16.254.0/24



Agent configurations on the gate:


 pmacctd-nfprobe 1 (one internal interface)
 ------------------------------------------

daemonize: true
interface: eth0
promisc: false                             #  unnecessary, as pmacctd runs on the gate itself
pmacctd_force_frag_handling: true          #  ??????  I set this parameter but am not sure that I need it
plugins: nfprobe[in], nfprobe[out]
nfprobe_receiver: 192.168.5.8:2100
nfprobe_version: 9
nfprobe_engine[in]:  0:10                  #  mandatory for NetFlow v9
nfprobe_engine[out]: 0:11

#  external traffic from local networks (attention: very long strings)

aggregate_filter[in]:  dst net ( 192.168.5.0/24 or 172.16.200.0/24 ) and src net ! ( 192.168.0.0/16 or 172.16.0.0/12 or 10.0.0.0/8 or 72.109.231.141/32 )
aggregate_filter[out]: src net ( 192.168.5.0/24 or 172.16.200.0/24 ) and dst net ! ( 192.168.0.0/16 or 172.16.0.0/12 or 10.0.0.0/8 or 72.109.231.141/32 ) and dst host ! 255.255.255.255


 pmacctd-nfprobe 2 (another internal interface)
 ----------------------------------------------

daemonize: true
interface: eth1
post_tag: 2
promisc: false
pmacctd_force_frag_handling: true
plugins: nfprobe[in], nfprobe[out]
nfprobe_receiver: 192.168.5.8:2100
nfprobe_version: 9
nfprobe_engine[in]:  0:12
nfprobe_engine[out]: 0:13

#  external traffic from the local network except one machine (proxy server)

aggregate_filter[in]:  dst net 172.16.254.0/24 and dst host ! 172.16.254.4 and src net ! ( 192.168.0.0/16 or 172.16.0.0/12 or 10.0.0.0/8 or 72.109.231.141/32 )
aggregate_filter[out]: src net 172.16.254.0/24 and src host ! 172.16.254.4 and dst net ! ( 192.168.0.0/16 or 172.16.0.0/12 or 10.0.0.0/8 or 72.109.231.141/32 ) and dst host ! 255.255.255.255


 pmacctd-nfprobe 3 (external interface)
 --------------------------------------

daemonize: true
interface: eth2
post_tag: 3
promisc: false
! pcap_filter: host 72.109.231.141
pmacctd_force_frag_handling: true
plugins: nfprobe[in], nfprobe[out]
nfprobe_receiver: 192.168.5.8:2100
nfprobe_version: 9
nfprobe_engine[in]:   0:14
nfprobe_engine[out]:  0:15
! nfprobe_timeouts: tcp=120:maxlife=3600
! plugin_buffer_size: 1024

#  traffic on the external interface and remote office traffic

aggregate_filter[in]:  ( dst net 12.198.142.112/29 and src net ! 12.198.142.112/29 ) or ( dst host 72.109.231.141 )
aggregate_filter[out]: ( src net 12.198.142.112/29 and dst net ! 12.198.142.112/29 ) or ( src host 72.109.231.141 )



Server configuration:

  pretag.map
  ----------

# A separate 'agent_id' is set for every observed network/zone. This has the
# advantage that 'agent_id' can be used when querying the database:
#   a)  selects run more quickly when comparing a numeric field than a
#       substring of a string (e.g. LEFT(ip_src,11))
#   b)  subnets can be separated by network mask (12.198.142.112/29), which
#       cannot be expressed as a database select (only by character string,
#       '12.198.142.')

id=10   ip=192.168.5.1  engine_type=0  engine_id=10  filter='dst net 192.168.5.0/24'      # mark one local network
id=11   ip=192.168.5.1  engine_type=0  engine_id=11  filter='src net 192.168.5.0/24'
id=22   ip=192.168.5.1  engine_type=0  engine_id=10  filter='dst net 172.16.200.0/24'     # mark another local network
id=23   ip=192.168.5.1  engine_type=0  engine_id=11  filter='src net 172.16.200.0/24'
id=12   ip=192.168.5.1  engine_type=0  engine_id=12
id=13   ip=192.168.5.1  engine_type=0  engine_id=13
id=14   ip=192.168.5.1  engine_type=0  engine_id=14  filter='dst net 12.198.142.112/29'   # mark traffic on external IPs
id=15   ip=192.168.5.1  engine_type=0  engine_id=15  filter='src net 12.198.142.112/29'
id=16   ip=192.168.5.1  engine_type=0  engine_id=14  filter='dst host 72.109.231.141'     # mark remote office traffic
id=17   ip=192.168.5.1  engine_type=0  engine_id=15  filter='src host 72.109.231.141'


  nfacctd
  -------

daemonize: true
nfacctd_ip: 192.168.5.8
nfacctd_port: 2100
nfacctd_allow_file: /usr/local/etc/allow.lst
nfacctd_time_new: true                         #  necessary to split flows into two parts at the day boundary

pre_tag_map: /usr/local/etc/pretag.map         #  see content above

pre_tag_filter[in0]:  10, 16, 22               #  choose the 'id's for the appropriate aggregation (see below)
pre_tag_filter[out0]: 11, 17, 23
pre_tag_filter[in1]:  12
pre_tag_filter[out1]: 13
pre_tag_filter[in2]:  14
pre_tag_filter[out2]: 15

# different aggregation schemes for different cases
# 'tag' is necessary to fill the 'agent_id' field
# 'flows' is necessary to gather the 'flows' field statistics

aggregate[in0]:  tag, dst_host, src_host, src_port, proto, flows
aggregate[out0]: tag, src_host, dst_host, dst_port, proto, flows
aggregate[in1]:  tag, dst_host, src_host, dst_port, proto, flows
aggregate[out1]: tag, src_host, dst_host, src_port, proto, flows
aggregate[in2]:  tag, dst_host, proto, flows
aggregate[out2]: tag, src_host, proto, flows

plugins: mysql[in0], mysql[out0], mysql[in1], mysql[out1], mysql[in2], mysql[out2]
sql_db: pmacct
sql_table: acct_v7
sql_table_version: 7
sql_host: 127.0.0.1
sql_user: pmacctu
sql_passwd: password
sql_refresh_time: 120
sql_multi_values: 1000000
sql_optimize_clauses: true
sql_history: 1d                   #  accumulate statistics for every day
sql_history_roundoff: h
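
As an added illustration (not part of Alex's post and not pmacct code), the following Python models how the pretag.map and the pre_tag_filter[] lines above route a NetFlow record to a tag and then to a plugin instance. It assumes first-match-wins evaluation of the map and implements only the four filter primitives the map uses (src/dst net, src/dst host); pmacct itself compiles the 'filter' value with libpcap and evaluates it against a pseudo-packet rebuilt from the flow record, so the real evaluation is richer than this model. The exporter address, engine ids and map entries are taken from the post; the sample flows are constructed.

```python
"""Model of pmacct pre_tag_map matching and pre_tag_filter routing.

Constructed example, not pmacct code. Assumptions: the map is evaluated
top to bottom and the first matching entry wins; an entry without a
'filter' matches every record from its exporter/engine; only the four
filter forms used in the post ('src|dst net CIDR', 'src|dst host ADDR')
are understood. Records matching no entry get tag 0 here.
"""
import ipaddress
import re
import shlex

# The pretag.map from the post (trailing comments dropped).
PRETAG_MAP = """
id=10   ip=192.168.5.1  engine_type=0  engine_id=10  filter='dst net 192.168.5.0/24'
id=11   ip=192.168.5.1  engine_type=0  engine_id=11  filter='src net 192.168.5.0/24'
id=22   ip=192.168.5.1  engine_type=0  engine_id=10  filter='dst net 172.16.200.0/24'
id=23   ip=192.168.5.1  engine_type=0  engine_id=11  filter='src net 172.16.200.0/24'
id=12   ip=192.168.5.1  engine_type=0  engine_id=12
id=13   ip=192.168.5.1  engine_type=0  engine_id=13
id=14   ip=192.168.5.1  engine_type=0  engine_id=14  filter='dst net 12.198.142.112/29'
id=15   ip=192.168.5.1  engine_type=0  engine_id=15  filter='src net 12.198.142.112/29'
id=16   ip=192.168.5.1  engine_type=0  engine_id=14  filter='dst host 72.109.231.141'
id=17   ip=192.168.5.1  engine_type=0  engine_id=15  filter='src host 72.109.231.141'
"""

# The pre_tag_filter[] lines from the nfacctd configuration in the post.
PRE_TAG_FILTERS = {
    "in0": {10, 16, 22}, "out0": {11, 17, 23},
    "in1": {12}, "out1": {13},
    "in2": {14}, "out2": {15},
}


def parse_pretag_map(text):
    """Parse 'key=value' tokens, one entry per line; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        entry = {}
        for token in shlex.split(line):  # shlex keeps the quoted filter whole
            key, value = token.split("=", 1)
            entry[key] = value
        entries.append(entry)
    return entries


def filter_matches(expr, src, dst):
    """Evaluate '<src|dst> <net CIDR|host ADDR>'; anything else is rejected."""
    m = re.fullmatch(r"(src|dst)\s+(net|host)\s+(\S+)", expr.strip())
    if not m:
        raise ValueError(f"unsupported filter in this model: {expr!r}")
    direction, kind, value = m.groups()
    addr = ipaddress.ip_address(src if direction == "src" else dst)
    if kind == "host":
        return addr == ipaddress.ip_address(value)
    return addr in ipaddress.ip_network(value, strict=False)


def tag_flow(entries, exporter_ip, engine_type, engine_id, src, dst):
    """Return the id of the first entry matching the record, or 0 if none."""
    for e in entries:
        if e.get("ip") != exporter_ip:
            continue
        if int(e["engine_type"]) != engine_type or int(e["engine_id"]) != engine_id:
            continue
        if "filter" in e and not filter_matches(e["filter"], src, dst):
            continue
        return int(e["id"])
    return 0


def route_to_plugins(tag, filters=PRE_TAG_FILTERS):
    """Names of the plugin instances whose pre_tag_filter admits this tag."""
    return sorted(name for name, ids in filters.items() if tag in ids)


if __name__ == "__main__":
    entries = parse_pretag_map(PRETAG_MAP)
    # Constructed flow records: (engine_type, engine_id, src, dst).
    samples = [
        (0, 10, "8.8.8.8", "192.168.5.20"),    # inbound to first LAN  -> 10 -> in0
        (0, 10, "8.8.8.8", "172.16.200.7"),    # inbound to second LAN -> 22 -> in0
        (0, 14, "8.8.8.8", "72.109.231.141"),  # remote office, outside the /29 -> 16
        (0, 14, "8.8.8.8", "12.198.142.114"),  # external /29 -> 14 -> in2
        (0, 12, "8.8.8.8", "172.16.254.9"),    # eth1 engine, no filter -> 12 -> in1
        (0, 10, "8.8.8.8", "10.9.9.9"),        # no entry matches -> 0, no plugin
    ]
    for et, eid, src, dst in samples:
        tag = tag_flow(entries, "192.168.5.1", et, eid, src, dst)
        print(f"engine {et}:{eid} {src} -> {dst}: tag {tag}, plugins {route_to_plugins(tag)}")
```

Order matters in the map: for engine 0:14, id=14 (dst net 12.198.142.112/29) is tried before id=16 (dst host 72.109.231.141), so a record to the remote office reaches id=16 only because that address lies outside the /29. A filter-less entry such as id=12 matches every record from its engine, which is why the eth1 probe needs no filters in the map at all.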




