Re: [pmacct-discussion] Question about teeing and sampling

Wed, 10 Feb 2016 02:34:35 -0800

No problem with tee here - but wasn't Pau expecting tee to do further sampling (which it doesn't)? 

==nfacctd_tee.conf:
pidfile: /pmacct/var/nfacctd_tee.pid
logfile: /pmacct/log/nfacctd_tee.log
daemonize: true
files_umask: 2
nfacctd_disable_checks: true
nfacctd_pipe_size: 8388608
plugin_buffer_size: 204800
plugin_pipe_size: 20480000
nfacctd_ip: <ip>
nfacctd_port: <port>

plugins: tee
tee_receivers: /pmacct/etc/tee_rec.lst
tee_transparent: true


==tee_rec.lst:
id=1    ip=<ip1>:<port1>,<ip2>:<port2>
Run nfacctd with nfacctd_tee.conf to duplicate NF data received on <ip>:<port> to <ip1>:<port1> and <ip2>:<port2>. Then run on <ip1>:<port1> your NFsen and on <ip2>:<port2> another nfacctd with another config to use pmacct's great features (what ever you want to aggregate on or do with the data).
Eventually you might need tee_transparent to be true (or -S with samplicator) to keep original source address. 


Markus

On 10.02.2016 10:35, Jordan Grigorov (Neterra NMT) wrote:

Hello Pau,
You can try /samplicate/ tool (https://github.com/sleinen/samplicator) to forward netflow data to multiple IPs/ports. 

Just install it and issue:

/samplicate -s 88.22.33.99 -p 9996 127.0.0.1/9995 ///127.0.0.1//9999 -f/

Best Regards,



---


    Jordan

<https://www.linkedin.com/company/neterra>


On 8.02.2016 16:27, KA PDE wrote:

Hi all,
I've recently discovered pmacct and I'm evaluating it to forward netflow data for security purposes to a set of collectors, some of them requiring less amount of data sent.
I have a simple configuration using the tee plugin. I've managed to send flow information to NFsen but I'm unable to find a way of sampling to the other destination.Is this achievable with pmacct? 

! nfacctd configuration
!
!
!
daemonize: true
pidfile: /var/run/nfacctd.pid
syslog: daemon

nfacctd_port: 9996
nfacctd_ip: 88.22.33.99
plugin_pipe_size: 10240000
plugin_buffer_size: 10240

plugins: tee[nfsen], tee[pmacct]
tee_receiver[nfsen]: 127.0.0.1:9995 <http://127.0.0.1:9995>
tee_receiver[pmacct]: 127.0.0.1:9999 <http://127.0.0.1:9999>
! sampling_rate[pmacct]: 4096
tee_transparent: true

Thanks in advance and best regards,

Pau


_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists




_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists



_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Reply via email to