Thank you Paolo!

But would it simply be safe to say that we are not missing any netflow data
if I never see the log line?

# fgrep syslog /etc/pmacct/nfacctd.conf
syslog: daemon
# fgrep -i expecting /var/log/daemon
#

That would be my working assumption.

Thanks,

Ed

On Sat, Feb 25, 2017 at 7:19 AM, Paolo Lucente <pa...@pmacct.net> wrote:

>
> Hi Ed,
>
> The log message produced is actually very simple:
>
> Log([..] expecting flow '%u' but received '%u' collector=%s:%u agent=%s:%u
> [..]);
>
> It's a start for some basic analysis but you can get false positives,
> for example due to out of order arrival of packets. In recent pmacct
> releases you have a new primitive, export_proto_seqno, precisely to
> report on sequence numbers. As it can be read in CONFIG-KEYS:
>
> export_proto_seqno reports about export protocol (NetFlow, sFlow, IPFIX)
> sequence number; due to its potential de-aggregation effect, two main
> use-cases are seen as use of this primitive:
>
> 1) if using a log type (de-)aggregation method, ie. for security,
>    forensics, etc., in addition to existing primitives;
>
> 2) if using a reporting type aggregation method, it is recommended to
>    split this primitive in a separate plugin instance instead for
>    sequencing analysis.
>
> You fall in the use-case #2. You may instantiate a memory or print
> plugins setting the aggregate to 'peer_src_ip, export_proto_seqno'. This
> way you can perform a more contextual analysis over periods of time (ie.
> 1 min).
>
> Cheers,
> Paolo
>
> On Thu, Feb 23, 2017 at 11:09:19AM -0600, Edward Henigin wrote:
> > I see in the config keys for nfacctd that by default it checks sequence
> > numbers and will log an error if any are missing.
> >
> > [ nfacctd_disable_checks | sfacctd_disable_checks ] [GLOBAL, NO_PMACCTD]
> > Values: [true|false]
> > Desc: both nfacctd and sfacctd check health of incoming NetFlow/sFlow
> > datagrams - actually this is limited to just verifying sequence numbers
> > progression. You may want to disable such feature because of non-standard
> > implementations. By default checks are enabled
> > (default: false)
> >
> >
> > My question: what does that log message look like? I suspect I'm losing
> > flows and I want to check the logs for evidence. I looked in src/nfacctd.c
> > to see if I could tell what the syslog message would look like but I can't
> > figure out where it's checking the sequence numbers for continuity and
> > logging an error on lost data.
> >
> > Thanks,
> >
> > Ed
>
> > _______________________________________________
> > pmacct-discussion mailing list
> > http://www.pmacct.net/#mailinglists
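The thread describes two different kinds of evidence for lost export packets: the per-packet syslog complaint (which fires on every mismatch, so also on out-of-order arrival) and a windowed look at the set of sequence numbers collected by a print plugin aggregating 'peer_src_ip, export_proto_seqno'. The script below is an added illustration of both, written for this page; it is not code from pmacct or from anyone in the thread. It assumes (not stated in the thread) the syslog prefix in front of the message text, the CSV column names PEER_SRC_IP and EXPORT_PROTO_SEQNO in print-plugin output, and sequence numbers that step by one per export packet (NetFlow v9 / IPFIX style; NetFlow v5 steps by the number of flow records per packet, which the `step` parameter covers). All log lines and CSV rows are constructed samples.

```python
"""Sequence-number evidence from two sources: nfacctd syslog complaints and
a print plugin aggregating 'peer_src_ip, export_proto_seqno'.

Assumptions (not from the thread): syslog prefix format, CSV column names
PEER_SRC_IP / EXPORT_PROTO_SEQNO, and a step of one per export packet.
"""
import csv
import io
import re
from collections import defaultdict

# Message text as given in the thread; the prefix before it is assumed.
LOG_RE = re.compile(
    r"expecting flow '(?P<expected>\d+)' but received '(?P<received>\d+)' "
    r"collector=(?P<collector>\S+?):(?P<cport>\d+) "
    r"agent=(?P<agent>\S+?):(?P<aport>\d+)"
)

# Constructed sample syslog lines: three complaints for one exporter, one of
# which (expecting 1007, received 1005) is a late packet, not a loss.
SAMPLE_SYSLOG = """\
Feb 25 07:19:01 coll nfacctd[1234]: expecting flow '1003' but received '1004' collector=0.0.0.0:2055 agent=10.0.0.1:4000
Feb 25 07:19:02 coll nfacctd[1234]: expecting flow '1005' but received '1006' collector=0.0.0.0:2055 agent=10.0.0.1:4000
Feb 25 07:19:02 coll nfacctd[1234]: expecting flow '1007' but received '1005' collector=0.0.0.0:2055 agent=10.0.0.1:4000
Feb 25 07:19:03 coll nfacctd[1234]: some unrelated message
"""

# Constructed sample of print-plugin CSV output for the same one-minute
# interval: one row per (exporter, sequence number) seen. 10.0.0.1 really
# lost packet 1003 and received 1005 after 1006; 10.0.0.2 is clean.
SAMPLE_CSV = """\
PEER_SRC_IP,EXPORT_PROTO_SEQNO,PACKETS,BYTES
10.0.0.1,1001,10,1200
10.0.0.1,1002,12,1500
10.0.0.1,1004,9,1100
10.0.0.1,1006,11,1300
10.0.0.1,1005,8,900
10.0.0.2,500,7,800
10.0.0.2,501,7,800
10.0.0.2,502,7,800
"""

SEQ_MODULUS = 2 ** 32  # export sequence fields are 32-bit unsigned


def parse_seq_complaints(text):
    """Return {agent_ip: [(expected, received), ...]} from syslog text."""
    complaints = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            complaints[m.group("agent")].append(
                (int(m.group("expected")), int(m.group("received"))))
    return dict(complaints)


def load_seqnos(csv_text):
    """Return {exporter_ip: set(seqno)} from print-plugin CSV output."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        seen[row["PEER_SRC_IP"]].add(int(row["EXPORT_PROTO_SEQNO"]))
    return dict(seen)


def analyse_window(seen, step=1):
    """Per exporter: packets received versus packets the sequence range
    says were sent, plus the missing numbers. A packet that arrived late
    is still in the set, so reordering is not counted as loss here,
    unlike the per-packet log message."""
    report = {}
    for agent, seqs in seen.items():
        lo, hi = min(seqs), max(seqs)
        # A span wider than half the counter means it wrapped inside the
        # window; unwrap by shifting the small values past the wrap point.
        if hi - lo > SEQ_MODULUS // 2:
            seqs = {s + SEQ_MODULUS if s < SEQ_MODULUS // 2 else s
                    for s in seqs}
            lo, hi = min(seqs), max(seqs)
        expected = set(range(lo, hi + 1, step))
        missing = sorted(s % SEQ_MODULUS for s in expected - seqs)
        report[agent] = {"received": len(seqs),
                         "expected": len(expected),
                         "missing": missing}
    return report


if __name__ == "__main__":
    for agent, events in parse_seq_complaints(SAMPLE_SYSLOG).items():
        print(f"{agent}: {len(events)} sequence complaints in syslog")
    for agent, r in analyse_window(load_seqnos(SAMPLE_CSV)).items():
        print(f"{agent}: received {r['received']}/{r['expected']}, "
              f"missing {r['missing']}")
```

On the sample data the syslog view reports three complaints for 10.0.0.1 while the windowed view reports one missing packet, which is the false-positive effect the reply describes. Feeding it real data means pointing `load_seqnos` at the CSV a print plugin instance writes (for example one refreshing every minute) and `parse_seq_complaints` at the daemon log.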