Re: [pmacct-discussion] filtering based on IPFIX template ID or..
Hi Paolo,

thanks so much! "flowset_id=x" works perfectly! Earlier I tried to use "cflow.flowset_id == X" but no luck :)

Sergey V. Fomin
NPI ENGINEER
ALCATEL-LUCENT
mobile: +7 (968) 034 3479
e-mail: sergey.fom...@alcatel-lucent.com

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
[pmacct-discussion] filtering based on IPFIX template ID or..
Hello,

I've a question about filtering possibilities with nfacctd for IPFIX. If we need to use IPFIX for session start/session end accounting, we've 2 templates coming from our routers with different IDs & a couple of different fields (start has a flow start time, end has a flow end time & flow reason (defined using primitives)).

So my question: is there any way to log them into different files/DB (based on template ID or flowstart/flowend non-zero time)? Which aggregate_filter or pre_map_tag should I use?

Sergey V. Fomin
[pmacct-discussion] Mongodb
Hi all,

I am wondering if it is possible to compile pmacct with mongodb support using the latest 0.9x driver instead of the legacy c driver?

With kind regards,

Rik Bruggink
Infrastructure engineer
E i...@fundaments.nl
I www.fundaments.nl
T +31 88 - 42 27 227
F +31 88 - 42 27 228
[pmacct-discussion] Multiple plugins/ summary pmacct.conf/sfacct.conf.
Hello List,

I started using pmacct a while ago to monitor our traffic streams, and now I want to segment the traffic in two different tables, one with a five minute average and one with a daily average. I am using this config to do so:

! sfacctd configuration
daemonize: true
syslog: user
interface: eth0
plugins: mysql[inbound5m], mysql[outbound5m], mysql[inbounddaily], mysql[outbounddaily]
sql_table_version: 7
sql_optimize_clauses: true
sql_refresh_time: 60
sql_dont_try_update: true
sql_use_copy: true
sql_host: hostname
sql_passwd: password
sql_db: pmacct
sql_user: pmacct
sql_history[inbound5m]: 5m
sql_history_roundoff[inbound5m]: m
sql_table[inbound5m]: acct_v7_in_5m
aggregate[inbound5m]: dst_host
aggregate_filter[inbound5m]: vlan and (src net 10.0.0.0/8) and not (dst net 10.0.0.0/8)
sql_history[outbound5m]: 5m
sql_history_roundoff[outbound5m]: m
sql_table[outbound5m]: acct_v7_out_5m
aggregate[outbound5m]: src_host
aggregate_filter[outbound5m]: vlan and (src net 10.0.0.0/8) and not (dst net 10.0.0.0/8)
sql_history[inbounddaily]: 1d
sql_history_roundoff[inbounddaily]: d
sql_table[inbounddaily]: acct_v7_in_daily
aggregate[inbounddaily]: dst_host
aggregate_filter[inbounddaily vlan and (src net 10.0.0.0/8) and not (dst net 10.0.0.0/8)
sql_history[outbounddaily]: 1d
sql_history_roundoff[outbounddaily]: d
sql_table[outbounddaily]: acct_v7_out_daily
aggregate[outbounddaily]: src_host
aggregate_filter[outbounddaily]: vlan and (src net 10.0.0.0/8) and not (dst net 10.0.0.0/8)
sfacctd_renormalize: true

Sample MySQL table structure:

CREATE TABLE acct_v7_out_5m (
    agent_id int NOT NULL,
    class_id char(16) NOT NULL,
    mac_src char(17) NOT NULL,
    mac_dst char(17) NOT NULL,
    vlan int NOT NULL,
    as_src int NOT NULL,
    as_dst int NOT NULL,
    ip_src char(45) NOT NULL,
    ip_dst char(45) NOT NULL,
    src_port int NOT NULL,
    dst_port int NOT NULL,
    tcp_flags int NOT NULL,
    ip_proto char(6) NOT NULL,
    tos int NOT NULL,
    packets int NOT NULL,
    bytes bigint NOT NULL,
    flows int NOT NULL,
    stamp_inserted datetime NOT NULL,
    stamp_updated datetime DEFAULT NULL,
    PRIMARY KEY (agent_id,class_id,mac_src,mac_dst,vlan,as_src,as_dst,ip_src,ip_dst,src_port,dst_port,ip_proto,tos,stamp_inserted),
    KEY stamp_inserted (stamp_inserted),
    KEY bytes (bytes),
    KEY ip_src (ip_src),
    KEY ip_dst (ip_dst)
);

The problem I'm facing now is that it is mentioning a duplicate key for the sql service. Is the config and table structure I am using correct, or am I missing something?

With kind regards,
Rik Bruggink
Re: [pmacct-discussion] SFACCTD not accounting sflow datagrams (already solved but might be useful)
check for this sysctl

net.ipv4.conf.default.rp_filter = 0

(prob 1 in your case - it's a builtin RPF filter in linux; so your packets were dropped coz they failed rpf check)

17.07.2013, 16:04, Benjamin Abadie benjamin.abadie+pma...@smartjog.com:

Hi,

I just wanted to share something that just cost me 2 days of head-scratching. I found out that, if the system hosting sfacctd does not have a route to the sflow agent going out from the same interface the sflow packets arrive on, sfacctd will not account the data *even if they show up on a tcpdump*.

Let me explain.

My debian host has 2 interfaces: eth0 and eth1. 0 is used for management and internet access (thus having a default gateway) and 1 is just a link to my lab router with a /24 over it.

What doesn't work:
Sourcing sflow packets from my router's loopback address: the sflow packets show up on a tcpdump but nothing in pmacct's backend.

What does work:
- Sourcing the sflow packet from the interface directly connected in the /24.
- Adding a route to the loopback address in the debian routing table pointing to the router.

I just tried every possible combination of aggregates, aggregate filters and plugins before coming to that.

Just a curiosity: would this be a feature of pmacct, or something in the way linux handles udp datagrams?

Hope this helps someone someday like this ( http://www.mail-archive.com/pmacct-discussion@pmacct.net/msg01470.html ) helped me once. :)

Regards,
Benjamin Abadie

---
WBR, Nikita V Shirokov.
NOC engineer
www.yandex.ru
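The reply above points at the Linux reverse-path filter. As an added example (not part of the original thread), this shell sketch reports the effective rp_filter mode for an interface; it assumes the standard /proc/sys/net/ipv4/conf layout, and the function names and the CONF_ROOT variable are hypothetical.

```shell
#!/bin/sh
# Added example: report the effective reverse-path filter mode per interface.
# The kernel applies max(conf/all/rp_filter, conf/<iface>/rp_filter), so
# setting only the per-interface (or "default") value to 0 does not relax a
# stricter value in conf/all.
# CONF_ROOT (hypothetical name) is overridable so the logic can be exercised
# on a constructed directory tree instead of the live system.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# effective_rp_filter IFACE -> prints 0 (off), 1 (strict) or 2 (loose)
effective_rp_filter() {
    iface="$1"
    all=$(cat "$CONF_ROOT/all/rp_filter" 2>/dev/null) || return 1
    own=$(cat "$CONF_ROOT/$iface/rp_filter" 2>/dev/null) || return 1
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# rp_verdict IFACE -> fate of a flow-export datagram arriving on IFACE whose
# source address is routed back via a different interface (the thread's case)
rp_verdict() {
    mode=$(effective_rp_filter "$1") || { echo "unknown"; return 1; }
    case "$mode" in
        0) echo "accepted (no source validation)" ;;
        1) echo "dropped (strict: reverse route must use $1)" ;;
        2) echo "accepted if any route to the source exists (loose)" ;;
        *) echo "unknown" ;;
    esac
}

# rp_report -> one line per interface, skipping the "all"/"default" templates
rp_report() {
    for d in "$CONF_ROOT"/*/; do
        i=$(basename "$d")
        case "$i" in all|default) continue ;; esac
        printf '%-10s %s\n' "$i" "$(rp_verdict "$i")"
    done
}

# Run as: sh script.sh report
if [ "${1:-}" = "report" ]; then rp_report; fi
```

If the receiving interface comes out as strict, adding the route described in the thread or setting only that interface to loose mode (2) keeps source validation in place on the other interfaces.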
Re: [pmacct-discussion] Q. Logging via syslog
Because the memory plugin collects data in-memory. To get the aggregate data out or reset the totals you run the pmacct command. If you want data in a log run it in cron and redirect the output to a file (or use the logger program or whatever).

Thanks, I understand.