Re: [pmacct-discussion] New to pmacct - Need help with Netflow

2017-01-18 Thread Luc Perreau
Thanks Yann, the data is writing to the db. :)

On Thu, Jan 19, 2017 at 2:11 PM, Luc Perreau  wrote:

> Found it. Here is my config:
>
>
> ! nfacctd configuration
> !
> !
> !
> daemonize:true
> pidfile: /var/run/nfacctd.pid
> syslog: daemon
> plugins: mysql[total]
> !
> ! interested in in and outbound traffic
> !aggregate: src_host,dst_host
> !aggregate: src_host,dst_host,src_port,dst_port,proto,tos,peer_src_as,peer_dst_as,in_iface,out_iface,vlan
> !aggregate[total]: src_host,dst_host,src_port,dst_port,proto,in_iface,out_iface,tag
> aggregate[total]: src_host,dst_host
> !nfacctd_ip: 10.100.254.10
> nfacctd_port: 5679
> !networks_file: /etc/pmacct/nfacctd.networks
> !pre_tag_map: /etc/pmacct/pretag.map
> !pre_tag_filter[total]: 0-2
> interface: eth0
> sql_host: localhost
> sql_db: pmacct
> sql_user: pmacct
> sql_passwd: arealsmartpwd
> sql_refresh_time: 60
> sql_history: 5m
> sql_history_roundoff: d
> !sql_table_version: 8
> sql_optimize_clauses: true
> sql_table[total]: acct
> !logfile: /var/log/nfacctd.log
>
> !
> ! storage methods
> ! refresh the db every minute
> !sql_refresh_time: 60
> ! reduce the size of the insert/update clause
> !sql_optimize_clauses: true
> ! accumulate values in each row for up to an hour
> !sql_history: 1h
> ! create new rows on the minute, hour, day boundaries
> !sql_history_roundoff: mhd
> ! in case of emergency, log to this file
> !sql_recovery_logfile: /var/log/nfacctd_recovery_log
>
> It is logging in syslog. Now what do I look for?
>
> On Thu, Jan 19, 2017 at 2:06 PM, Luc Perreau  wrote:
>
>> Hi Yann,
>>
>> I am running it in the debug mode now, but where do I see the debug logs?
>> Do I have to define my log file in the nfacctd.conf file?
>>
>> Luc
>>
>> On Thu, Jan 19, 2017 at 1:45 PM, Yann Belin  wrote:
>>
>>> Hi Luc,
>>>
>>> Did you try to enable debug mode on nfacctd (-d)? It will show you
>>> when the flows are received, as well as any potential errors when sending
>>> it to db.
>>>
>>> Also, keep in mind that if you use NetFlow v9/IPFIX, nfacctd won't be
>>> able to process incoming flows until a template is received.
>>>
>>> Cheers,
>>>
>>> Yann
>>>
>>> On Thu, Jan 19, 2017 at 4:51 AM, Luc Perreau wrote:
>>> > Hi all,
>>> >
>>> > I am fairly new to pmacct and have been struggling for a while to get it to
>>> > do what I want.
>>> >
>>> > I have it set up and logging to a MySQL db.
>>> >
>>> > All I want is to send NetFlow traffic to it so that I know which IP accessed
>>> > what and at what time.
>>> >
>>> > Basically I am interested in src ip, dst ip, src port, dst port, and time.
>>> >
>>> > I have tried using nfacct but when I query the db, I do not see time entries
>>> > :(
>>> >
>>> > I know flows are hitting the box on the right port as I have done a
>>> > tcpdump and I see the flows.
>>> >
>>> > Can someone please help me out?
>>> >
>>> > Thanks,
>>> >
>>> > Luc
>>> >
>>> > ___
>>> > pmacct-discussion mailing list
>>> > http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] New to pmacct - Need help with Netflow

2017-01-18 Thread Luc Perreau
Found it. Here is my config:


! nfacctd configuration
!
!
!
daemonize:true
pidfile: /var/run/nfacctd.pid
syslog: daemon
plugins: mysql[total]
!
! interested in in and outbound traffic
!aggregate: src_host,dst_host
!aggregate: src_host,dst_host,src_port,dst_port,proto,tos,peer_src_as,peer_dst_as,in_iface,out_iface,vlan
!aggregate[total]: src_host,dst_host,src_port,dst_port,proto,in_iface,out_iface,tag
aggregate[total]: src_host,dst_host
!nfacctd_ip: 10.100.254.10
nfacctd_port: 5679
!networks_file: /etc/pmacct/nfacctd.networks
!pre_tag_map: /etc/pmacct/pretag.map
!pre_tag_filter[total]: 0-2
interface: eth0
sql_host: localhost
sql_db: pmacct
sql_user: pmacct
sql_passwd: arealsmartpwd
sql_refresh_time: 60
sql_history: 5m
sql_history_roundoff: d
!sql_table_version: 8
sql_optimize_clauses: true
sql_table[total]: acct
!logfile: /var/log/nfacctd.log

!
! storage methods
! refresh the db every minute
!sql_refresh_time: 60
! reduce the size of the insert/update clause
!sql_optimize_clauses: true
! accumulate values in each row for up to an hour
!sql_history: 1h
! create new rows on the minute, hour, day boundaries
!sql_history_roundoff: mhd
! in case of emergency, log to this file
!sql_recovery_logfile: /var/log/nfacctd_recovery_log

It is logging in syslog. Now what do I look for?

On Thu, Jan 19, 2017 at 2:06 PM, Luc Perreau  wrote:

> Hi Yann,
>
> I am running it in the debug mode now, but where do I see the debug logs?
> Do I have to define my log file in the nfacctd.conf file?
>
> Luc
>
> On Thu, Jan 19, 2017 at 1:45 PM, Yann Belin  wrote:
>
>> Hi Luc,
>>
>> Did you try to enable debug mode on nfacctd (-d)? It will show you
>> when the flows are received, as well as any potential errors when sending
>> it to db.
>>
>> Also, keep in mind that if you use NetFlow v9/IPFIX, nfacctd won't be
>> able to process incoming flows until a template is received.
>>
>> Cheers,
>>
>> Yann
>>
>> On Thu, Jan 19, 2017 at 4:51 AM, Luc Perreau wrote:
>> > Hi all,
>> >
>> > I am fairly new to pmacct and have been struggling for a while to get it to
>> > do what I want.
>> >
>> > I have it set up and logging to a MySQL db.
>> >
>> > All I want is to send NetFlow traffic to it so that I know which IP accessed
>> > what and at what time.
>> >
>> > Basically I am interested in src ip, dst ip, src port, dst port, and time.
>> >
>> > I have tried using nfacct but when I query the db, I do not see time entries
>> > :(
>> >
>> > I know flows are hitting the box on the right port as I have done a
>> > tcpdump and I see the flows.
>> >
>> > Can someone please help me out?
>> >
>> > Thanks,
>> >
>> > Luc
>> >

Re: [pmacct-discussion] New to pmacct - Need help with Netflow

2017-01-18 Thread Yann Belin
Hi Luc,

Did you try to enable debug mode on nfacctd (-d)? It will show you
when the flows are received, as well as any potential errors when sending
it to db.

Also, keep in mind that if you use NetFlow v9/IPFIX, nfacctd won't be
able to process incoming flows until a template is received.

Cheers,

Yann

On Thu, Jan 19, 2017 at 4:51 AM, Luc Perreau  wrote:
> Hi all,
>
> I am fairly new to pmacct and have been struggling for a while to get it to
> do what I want.
>
> I have it set up and logging to a MySQL db.
>
> All I want is to send NetFlow traffic to it so that I know which IP accessed
> what and at what time.
>
> Basically I am interested in src ip, dst ip, src port, dst port, and time.
>
> I have tried using nfacct but when I query the db, I do not see time entries
> :(
>
> I know flows are hitting the box on the right port as I have done a
> tcpdump and I see the flows.
>
> Can someone please help me out?
>
> Thanks,
>
> Luc
>

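Added example (not from the thread and not pmacct code): a minimal NetFlow v9 decoder in Python showing why a collector cannot interpret data flowsets until the matching template has arrived, and that templates are scoped per exporter and source_id. The packets, addresses and the names pack_v9, decode, TEMPLATE and RECORD are constructed for illustration.

```python
import ipaddress
import struct

# NetFlow v9 field types (RFC 3954) for the fields asked about in this thread.
FIELDS = {8: "src_host", 12: "dst_host", 7: "src_port", 11: "dst_port"}

def pack_v9(source_id, flowsets):
    """Build a constructed v9 export packet from (flowset_id, body) pairs."""
    sets = b"".join(struct.pack("!HH", fid, 4 + len(b)) + b for fid, b in flowsets)
    return struct.pack("!HHIIII", 9, len(flowsets), 0, 0, 0, source_id) + sets

def decode(packet, exporter, templates):
    """Return (flows, skipped); skipped counts data flowsets with no template yet."""
    version, _, _, _, _, source_id = struct.unpack_from("!HHIIII", packet)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    flows, skipped, off = [], 0, 20
    while off + 4 <= len(packet):
        fid, length = struct.unpack_from("!HH", packet, off)
        if length < 4:
            break  # malformed length: stop instead of looping forever
        body, off = packet[off + 4:off + length], off + length
        if fid == 0:  # template flowset: store layout per exporter and source_id
            pos = 0
            while pos + 4 <= len(body):
                tid, count = struct.unpack_from("!HH", body, pos)
                if pos + 4 + 4 * count > len(body):
                    break  # truncated template record
                templates[(exporter, source_id, tid)] = [
                    struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(count)]
                pos += 4 + 4 * count
        elif fid >= 256:  # data flowset: its id names the template that describes it
            spec = templates.get((exporter, source_id, fid))
            size = sum(flen for _, flen in spec or [])
            if not size:
                skipped += 1  # no template yet, so the records cannot be interpreted
                continue
            for rec in range(0, len(body) - size + 1, size):
                flow, pos = {}, rec
                for ftype, flen in spec:
                    raw, pos = body[pos:pos + flen], pos + flen
                    if ftype in (8, 12):
                        flow[FIELDS[ftype]] = str(ipaddress.ip_address(raw))
                    elif ftype in FIELDS:
                        flow[FIELDS[ftype]] = int.from_bytes(raw, "big")
                flows.append(flow)
    return flows, skipped

TEMPLATE = struct.pack("!10H", 256, 4, 8, 4, 12, 4, 7, 2, 11, 2)  # constructed template 256
RECORD = bytes([192, 0, 2, 10, 198, 51, 100, 7]) + struct.pack("!HH", 51514, 443)  # constructed
```

A collector started mid-stream stays blind until the exporter's next template refresh, so seeing packets on the port in a capture does not by itself mean the flows can be decoded yet.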


[pmacct-discussion] New to pmacct - Need help with Netflow

2017-01-18 Thread Luc Perreau
Hi all,

I am fairly new to pmacct and have been struggling for a while to get it to
do what I want.

I have it set up and logging to a MySQL db.

All I want is to send NetFlow traffic to it so that I know which IP
accessed what and at what time.

Basically I am interested in src ip, dst ip, src port, dst port, and time.

I have tried using nfacct but when I query the db, I do not see time
entries :(

I know flows are hitting the box on the right port as I have done a
tcpdump and I see the flows.

Can someone please help me out?

Thanks,

Luc