Re: [pmacct-discussion] New to pmacct - Need help with Netflow
Thanks Yann, the data is writing to the db. :)

On Thu, Jan 19, 2017 at 2:11 PM, Luc Perreau wrote:
> Found it. Here is my config:
>
> ! nfacctd configuration
> !
> !
> !
> daemonize:true
> pidfile: /var/run/nfacctd.pid
> syslog: daemon
> plugins: mysql[total]
> !
> ! interested in in and outbound traffic
> !aggregate: src_host,dst_host
> !aggregate: src_host,dst_host,src_port,dst_port,proto,tos,peer_src_as,peer_dst_as,in_iface,out_iface,vlan
> !aggregate[total]: src_host,dst_host,src_port,dst_port,proto,in_iface,out_iface,tag
> aggregate[total]: src_host,dst_host
> !nfacctd_ip: 10.100.254.10
> nfacctd_port: 5679
> !networks_file: /etc/pmacct/nfacctd.networks
> !pre_tag_map: /etc/pmacct/pretag.map
> !pre_tag_filter[total]: 0-2
> interface: eth0
> sql_host: localhost
> sql_db: pmacct
> sql_user: pmacct
> sql_passwd: arealsmartpwd
> sql_refresh_time: 60
> sql_history: 5m
> sql_history_roundoff: d
> !sql_table_version: 8
> sql_optimize_clauses: true
> sql_table[total]: acct
> !logfile: /var/log/nfacctd.log
>
> !
> ! storage methods
> ! refresh the db every minute
> !sql_refresh_time: 60
> ! reduce the size of the insert/update clause
> !sql_optimize_clauses: true
> ! accumulate values in each row for up to an hour
> !sql_history: 1h
> ! create new rows on the minute, hour, day boundaries
> !sql_history_roundoff: mhd
> ! in case of emergency, log to this file
> !sql_recovery_logfile: /var/log/nfacctd_recovery_log
>
> It is logging in syslog. Now what do I look for?
>
> On Thu, Jan 19, 2017 at 2:06 PM, Luc Perreau wrote:
>
>> Hi Yann,
>>
>> I am running it in the debug mode now, but where do I see the debug logs? Do I have to define my log file in the nfacctd.conf file?
>>
>> Luc
>>
>> On Thu, Jan 19, 2017 at 1:45 PM, Yann Belin wrote:
>>
>>> Hi Luc,
>>>
>>> Did you try to enable debug mode on nfacctd (-d)? It will show you when the flows are received, as well as any potential errors when sending it to db.
>>>
>>> Also, keep in mind that if you use NetflowV9/IPfix, nfacctd won't be able to process incoming flows until a template is received.
>>>
>>> Cheers,
>>>
>>> Yann
>>>
>>> On Thu, Jan 19, 2017 at 4:51 AM, Luc Perreau wrote:
>>> > Hi all,
>>> >
>>> > I am fairly new to pmacct and have been struggling for a while to get it to do what I want.
>>> >
>>> > I have it set up and logging to a mysql db.
>>> >
>>> > All I want is to send netflow traffic to it so that I know which IP accessed what and at what time.
>>> >
>>> > Basically I am interested in src ip, dst ip, src port, dst port, and time
>>> >
>>> > I have tried using nfacct but when I query the db, I do not see time entries :(
>>> >
>>> > I know flows are hitting the box on the right port as I have done a tcpdump and I see the flows.
>>> >
>>> > Can someone please help me out?
>>> >
>>> > Thanks,
>>> >
>>> > Luc

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
Re: [pmacct-discussion] New to pmacct - Need help with Netflow
Found it. Here is my config:

! nfacctd configuration
!
!
!
daemonize:true
pidfile: /var/run/nfacctd.pid
syslog: daemon
plugins: mysql[total]
!
! interested in in and outbound traffic
!aggregate: src_host,dst_host
!aggregate: src_host,dst_host,src_port,dst_port,proto,tos,peer_src_as,peer_dst_as,in_iface,out_iface,vlan
!aggregate[total]: src_host,dst_host,src_port,dst_port,proto,in_iface,out_iface,tag
aggregate[total]: src_host,dst_host
!nfacctd_ip: 10.100.254.10
nfacctd_port: 5679
!networks_file: /etc/pmacct/nfacctd.networks
!pre_tag_map: /etc/pmacct/pretag.map
!pre_tag_filter[total]: 0-2
interface: eth0
sql_host: localhost
sql_db: pmacct
sql_user: pmacct
sql_passwd: arealsmartpwd
sql_refresh_time: 60
sql_history: 5m
sql_history_roundoff: d
!sql_table_version: 8
sql_optimize_clauses: true
sql_table[total]: acct
!logfile: /var/log/nfacctd.log

!
! storage methods
! refresh the db every minute
!sql_refresh_time: 60
! reduce the size of the insert/update clause
!sql_optimize_clauses: true
! accumulate values in each row for up to an hour
!sql_history: 1h
! create new rows on the minute, hour, day boundaries
!sql_history_roundoff: mhd
! in case of emergency, log to this file
!sql_recovery_logfile: /var/log/nfacctd_recovery_log

It is logging in syslog. Now what do I look for?

On Thu, Jan 19, 2017 at 2:06 PM, Luc Perreau wrote:
> Hi Yann,
>
> I am running it in the debug mode now, but where do I see the debug logs? Do I have to define my log file in the nfacctd.conf file?
>
> Luc
>
> On Thu, Jan 19, 2017 at 1:45 PM, Yann Belin wrote:
>
>> Hi Luc,
>>
>> Did you try to enable debug mode on nfacctd (-d)? It will show you when the flows are received, as well as any potential errors when sending it to db.
>>
>> Also, keep in mind that if you use NetflowV9/IPfix, nfacctd won't be able to process incoming flows until a template is received.
>>
>> Cheers,
>>
>> Yann
>>
>> On Thu, Jan 19, 2017 at 4:51 AM, Luc Perreau wrote:
>> > Hi all,
>> >
>> > I am fairly new to pmacct and have been struggling for a while to get it to do what I want.
>> >
>> > I have it set up and logging to a mysql db.
>> >
>> > All I want is to send netflow traffic to it so that I know which IP accessed what and at what time.
>> >
>> > Basically I am interested in src ip, dst ip, src port, dst port, and time
>> >
>> > I have tried using nfacct but when I query the db, I do not see time entries :(
>> >
>> > I know flows are hitting the box on the right port as I have done a tcpdump and I see the flows.
>> >
>> > Can someone please help me out?
>> >
>> > Thanks,
>> >
>> > Luc
Re: [pmacct-discussion] New to pmacct - Need help with Netflow
Hi Yann,

I am running it in the debug mode now, but where do I see the debug logs? Do I have to define my log file in the nfacctd.conf file?

Luc

On Thu, Jan 19, 2017 at 1:45 PM, Yann Belin wrote:
> Hi Luc,
>
> Did you try to enable debug mode on nfacctd (-d)? It will show you when the flows are received, as well as any potential errors when sending it to db.
>
> Also, keep in mind that if you use NetflowV9/IPfix, nfacctd won't be able to process incoming flows until a template is received.
>
> Cheers,
>
> Yann
>
> On Thu, Jan 19, 2017 at 4:51 AM, Luc Perreau wrote:
> > Hi all,
> >
> > I am fairly new to pmacct and have been struggling for a while to get it to do what I want.
> >
> > I have it set up and logging to a mysql db.
> >
> > All I want is to send netflow traffic to it so that I know which IP accessed what and at what time.
> >
> > Basically I am interested in src ip, dst ip, src port, dst port, and time
> >
> > I have tried using nfacct but when I query the db, I do not see time entries :(
> >
> > I know flows are hitting the box on the right port as I have done a tcpdump and I see the flows.
> >
> > Can someone please help me out?
> >
> > Thanks,
> >
> > Luc
Re: [pmacct-discussion] New to pmacct - Need help with Netflow
Hi Luc,

Did you try to enable debug mode on nfacctd (-d)? It will show you when the flows are received, as well as any potential errors when sending it to db.

Also, keep in mind that if you use NetflowV9/IPfix, nfacctd won't be able to process incoming flows until a template is received.

Cheers,

Yann

On Thu, Jan 19, 2017 at 4:51 AM, Luc Perreau wrote:
> Hi all,
>
> I am fairly new to pmacct and have been struggling for a while to get it to do what I want.
>
> I have it set up and logging to a mysql db.
>
> All I want is to send netflow traffic to it so that I know which IP accessed what and at what time.
>
> Basically I am interested in src ip, dst ip, src port, dst port, and time
>
> I have tried using nfacct but when I query the db, I do not see time entries :(
>
> I know flows are hitting the box on the right port as I have done a tcpdump and I see the flows.
>
> Can someone please help me out?
>
> Thanks,
>
> Luc
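
Editor's added example, not part of the thread and not pmacct's code: a minimal NetFlow v9 decoder showing why export packets that are visible in tcpdump produce no records until the exporter's template flowset has arrived. The function names, the `FIELDS` mapping and the sample addresses are constructed for illustration; templates are cached per exporter address, source ID and template ID.

```python
import struct
from ipaddress import IPv4Address

FIELDS = {8: "src_host", 12: "dst_host", 7: "src_port", 11: "dst_port"}  # v9 field types

def learn(templates, exporter, source_id, body):  # template flowset (id 0) -> cache
    pos = 0
    while pos + 4 <= len(body):
        tid, n = struct.unpack_from("!HH", body, pos)
        if n == 0 or pos + 4 + 4 * n > len(body):
            break  # padding or truncated template record
        templates[(exporter, source_id, tid)] = list(struct.iter_unpack("!HH", body[pos + 4:pos + 4 + 4 * n]))
        pos += 4 + 4 * n

def decode(fields, body):  # data flowset -> records, sliced by the cached (type, length) list
    size, out = sum(length for _, length in fields), []
    for start in range(0, len(body) - size + 1, size) if size else ():
        rec, pos = {}, start
        for ftype, length in fields:
            raw, pos = body[pos:pos + length], pos + length
            if ftype in FIELDS:
                addr = ftype in (8, 12) and length == 4
                rec[FIELDS[ftype]] = str(IPv4Address(raw)) if addr else int.from_bytes(raw, "big")
        out.append(rec)
    return out

def feed(templates, exporter, pkt):
    """Return (flows, skipped): decoded records, data flowsets with no template yet."""
    if len(pkt) < 20 or struct.unpack_from("!H", pkt)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    source_id, flows, skipped, off = struct.unpack_from("!I", pkt, 16)[0], [], 0, 20
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack_from("!HH", pkt, off)
        if fs_len < 4 or off + fs_len > len(pkt):
            break  # bad length field: stop instead of looping or over-reading
        body, key = pkt[off + 4:off + fs_len], (exporter, source_id, fs_id)
        if fs_id == 0:
            learn(templates, exporter, source_id, body)
        elif fs_id >= 256 and key in templates:
            flows += decode(templates[key], body)
        elif fs_id >= 256:
            skipped += 1  # seen on the wire, but nothing to decode it with
        off += fs_len
    return flows, skipped

def v9_packet(flowset_id, body):  # builds the constructed sample packets (source_id 1)
    return struct.pack("!HHIIIIHH", 9, 1, 0, 0, 0, 1, flowset_id, 4 + len(body)) + body
TEMPLATE = v9_packet(0, struct.pack("!10H", 256, 4, 8, 4, 12, 4, 7, 2, 11, 2))
DATA = v9_packet(256, bytes([192, 0, 2, 10, 198, 51, 100, 7]) + struct.pack("!HH", 51514, 443))
```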