Re: [pmacct-discussion] nfacctd - log missed sequence numbers?
Hi Ed,

Yes, absolutely!

Paolo

On Mon, Feb 27, 2017 at 09:34:16AM -0600, Edward Henigin wrote:
> Thank you Paolo!
>
> But would it simply be safe to say that we are not missing any netflow data
> if I never see the log line?
>
> # fgrep syslog /etc/pmacct/nfacctd.conf
> syslog: daemon
> # fgrep -i expecting /var/log/daemon
> #
>
> That would be my working assumption.
>
> Thanks,
>
> Ed

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
Re: [pmacct-discussion] nfacctd - log missed sequence numbers?
Thank you Paolo!

But would it simply be safe to say that we are not missing any netflow data
if I never see the log line?

# fgrep syslog /etc/pmacct/nfacctd.conf
syslog: daemon
# fgrep -i expecting /var/log/daemon
#

That would be my working assumption.

Thanks,

Ed

On Sat, Feb 25, 2017 at 7:19 AM, Paolo Lucente wrote:
> Hi Ed,
>
> The log message produced is actually very simple:
>
> Log([..] expecting flow '%u' but received '%u' collector=%s:%u agent=%s:%u
> [..]);
>
> It's a start for some basic analysis but you can get false positives,
> for example due to out of order arrival of packets. In recent pmacct
> releases you have a new primitive, export_proto_seqno, precisely to
> report on sequence numbers. As it can be read in CONFIG-KEYS:
>
> export_proto_seqno reports about export protocol (NetFlow, sFlow, IPFIX)
> sequence number; due to its potential de-aggregation effect, two main
> use-cases are seen as use of this primitive:
>
> 1) if using a log type (de-)aggregation method, ie. for security,
>    forensics, etc., in addition to existing primitives;
>
> 2) if using a reporting type aggregation method, it is recommended to
>    split this primitive in a separate plugin instance instead for
>    sequencing analysis.
>
> You fall in the use-case #2. You may instantiate a memory or print
> plugins setting the aggregate to 'peer_src_ip, export_proto_seqno'. This
> way you can perform a more contextual analysis over periods of time (ie.
> 1 min).
>
> Cheers,
> Paolo
Re: [pmacct-discussion] nfacctd - log missed sequence numbers?
Hi Ed,

The log message produced is actually very simple:

Log([..] expecting flow '%u' but received '%u' collector=%s:%u agent=%s:%u
[..]);

It's a start for some basic analysis but you can get false positives,
for example due to out of order arrival of packets. In recent pmacct
releases you have a new primitive, export_proto_seqno, precisely to
report on sequence numbers. As it can be read in CONFIG-KEYS:

export_proto_seqno reports about export protocol (NetFlow, sFlow, IPFIX)
sequence number; due to its potential de-aggregation effect, two main
use-cases are seen as use of this primitive:

1) if using a log type (de-)aggregation method, ie. for security,
   forensics, etc., in addition to existing primitives;

2) if using a reporting type aggregation method, it is recommended to
   split this primitive in a separate plugin instance instead for
   sequencing analysis.

You fall in the use-case #2. You may instantiate a memory or print
plugins setting the aggregate to 'peer_src_ip, export_proto_seqno'. This
way you can perform a more contextual analysis over periods of time (ie.
1 min).

Cheers,
Paolo

On Thu, Feb 23, 2017 at 11:09:19AM -0600, Edward Henigin wrote:
> I see in the config keys for nfacctd that by default it checks sequence
> numbers and will log an error if any are missing.
>
> [ nfacctd_disable_checks | sfacctd_disable_checks ] [GLOBAL, NO_PMACCTD]
> Values
>
> [true|false]
> Desc
>
> both nfacctd and sfacctd check health of incoming NetFlow/sFlow datagrams -
> actually this is limited to just verifying sequence numbers progression.
> You may want to disable such feature because of non-standard
> implementations. By default checks are enabled
>
> (default: false)
>
>
> My question: what does that log message look like? I suspect I'm losing
> flows and I want to check the logs for evidence. I looked in src/nfacctd.c
> to see if I could tell what the syslog message would look like but I can't
> figure out where it's checking the sequence numbers for continuity and
> logging an error on lost data.
>
> Thanks,
>
> Ed
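The "contextual analysis over periods of time" Paolo suggests, done in Python as an added example (this is not pmacct code and not from the thread). It assumes a separate print plugin instance aggregating on peer_src_ip, export_proto_seqno and dumping CSV once per interval; the config fragment in the docstring and the column names PEER_SRC_IP / EXPORT_PROTO_SEQNO are assumptions, and the three sample dumps are constructed. Because rows inside a dump are not in arrival order, holes are derived from the sorted set per exporter, and a hole is only reported as lost if it is still empty one interval later, which absorbs the out-of-order false positives Paolo mentions. It also handles the 32-bit wrap and a counter reset after an exporter restart.

```python
"""Sequence-gap analysis over periodic pmacct print-plugin dumps.

Added example, not pmacct code. Assumes a separate print plugin instance
roughly like this (assumed config fragment; verify keys against CONFIG-KEYS):
    plugins: print[seq]
    aggregate[seq]: peer_src_ip, export_proto_seqno
    print_refresh_time[seq]: 60
    print_output[seq]: csv
and that each dump has PEER_SRC_IP and EXPORT_PROTO_SEQNO columns (assumed).
The counter is taken as per-datagram (NetFlow v9, sFlow datagram seqno);
NetFlow v5 and IPFIX count records, so there the step is the record count.
"""
import csv
import io
from collections import defaultdict

SEQ_MOD = 1 << 32          # export sequence numbers are 32-bit unsigned
RESET_THRESHOLD = 100_000  # a jump this large is a restart, not packet loss

# Constructed sample: three consecutive dumps, all numbers made up.
# .10 loses two datagrams, a straggler fills one hole late, then a duplicate;
# .11 wraps through 2^32 cleanly; .12 restarts its counter from 0.
DUMPS = [
    "PEER_SRC_IP,EXPORT_PROTO_SEQNO\n192.0.2.10,1003\n192.0.2.10,1000\n"
    "192.0.2.10,1001\n192.0.2.10,1002\n192.0.2.10,1006\n192.0.2.11,4294967295\n"
    "192.0.2.11,4294967294\n192.0.2.11,0\n192.0.2.11,1\n192.0.2.12,734001\n"
    "192.0.2.12,734002\n192.0.2.12,734003\n",
    "PEER_SRC_IP,EXPORT_PROTO_SEQNO\n192.0.2.10,1005\n192.0.2.10,1007\n"
    "192.0.2.10,1008\n192.0.2.10,1010\n192.0.2.11,2\n192.0.2.11,3\n"
    "192.0.2.12,0\n192.0.2.12,1\n192.0.2.12,2\n",
    "PEER_SRC_IP,EXPORT_PROTO_SEQNO\n192.0.2.10,1011\n192.0.2.10,1012\n"
    "192.0.2.10,1006\n192.0.2.11,4\n192.0.2.12,3\n",
]


def _fwd(a, b):
    """Forward distance from a to b in 32-bit modular sequence space."""
    return (b - a) % SEQ_MOD


def parse_dump(text):
    """One dump -> {peer: set of sequence numbers seen in that interval}."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        seen[row["PEER_SRC_IP"]].add(int(row["EXPORT_PROTO_SEQNO"]))
    return seen


class PeerState:
    def __init__(self):
        self.last = None   # highest seqno seen so far (modular order)
        self.open = set()  # holes from the previous interval that may still fill
        self.lost = []     # holes still empty after a full extra interval
        self.late = 0      # duplicates and stragglers that filled nothing
        self.resets = 0    # exporter restarts seen

    def interval(self, seqs):
        ahead = set()
        for s in seqs:
            back = SEQ_MOD if self.last is None else _fwd(s, self.last)
            if back >= SEQ_MOD // 2:
                ahead.add(s)                      # newer than anything seen
            elif back >= RESET_THRESHOLD:
                self.resets += 1                  # counter went far backwards
                self.open.clear()
                self.last = None
                return self.interval(seqs)        # re-run as a fresh start
            elif s in self.open:
                self.open.discard(s)              # straggler filled its hole
            else:
                self.late += 1                    # duplicate or stale straggler
        self.lost.extend(sorted(self.open))       # unfilled for a whole interval
        self.open = set()
        if not ahead:
            return
        if self.last is None:
            # Anchor on the element every other one is a forward step from, so
            # an interval straddling the 2^32 wrap still sorts correctly.
            anchor = min(ahead, key=lambda s: max(_fwd(s, t) for t in ahead))
            expected = anchor
        else:
            anchor, expected = self.last, (self.last + 1) % SEQ_MOD
        for s in sorted(ahead, key=lambda s: _fwd(anchor, s)):
            gap = _fwd(expected, s)
            if gap >= RESET_THRESHOLD:            # absurd forward jump: a reset
                self.resets += 1
                self.open.clear()
                expected, gap = s, 0
            for _ in range(gap):                  # every skipped number is a hole
                self.open.add(expected)
                expected = (expected + 1) % SEQ_MOD
            expected = (s + 1) % SEQ_MOD
        self.last = s


def analyze(dumps):
    """Feed dumps in time order; return a per-peer gap report."""
    peers = defaultdict(PeerState)
    for text in dumps:
        for peer, seqs in parse_dump(text).items():
            peers[peer].interval(seqs)
    return {p: {"lost": st.lost, "late": st.late, "resets": st.resets,
                "open": sorted(st.open)} for p, st in peers.items()}


if __name__ == "__main__":
    for peer, report in sorted(analyze(DUMPS).items()):
        print(peer, report)
```

Run it over the per-interval files in time order instead of DUMPS. A hole that appears in one interval and is filled by a straggler in the next is reported as "late", not "lost", which is exactly the reorder case the simple nfacctd check cannot tell apart from loss; a peer that is silent for an interval keeps its holes open until it reports again.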
Re: [pmacct-discussion] nfacctd - log missed sequence numbers?
Paolo, can you help with this one please?

On Thu, Feb 23, 2017 at 11:09 AM, Edward Henigin wrote:
> I see in the config keys for nfacctd that by default it checks sequence
> numbers and will log an error if any are missing.
>
> [ nfacctd_disable_checks | sfacctd_disable_checks ] [GLOBAL, NO_PMACCTD]
> Values
>
> [true|false]
> Desc
>
> both nfacctd and sfacctd check health of incoming NetFlow/sFlow datagrams
> - actually this is limited to just verifying sequence numbers
> progression. You may want to disable such feature because of non-standard
> implementations. By default checks are enabled
>
> (default: false)
>
>
> My question: what does that log message look like? I suspect I'm losing
> flows and I want to check the logs for evidence. I looked in src/nfacctd.c
> to see if I could tell what the syslog message would look like but I can't
> figure out where it's checking the sequence numbers for continuity and
> logging an error on lost data.
>
> Thanks,
>
> Ed