Hi Michael,
Welcome back! :-) What version of pmacct are you using? I see you
daemonize but there is no logfile specified: did you check the log on
startup to make sure that the filter in 'aggregate_filter' is being
accepted and loaded?
Your understanding of how 'aggregate_filter' should work, i.e. filter you
out 1.2.3.4 if it's not specified among the networks listed in the
filter, is right.
Paolo
On 1/7/22 16:59, Muenz, Michael wrote:
Hi,
after over 15 years I'm back using pmacct for an open source accounting
project.
I'm using OPNsense to ingest Netflow v5 traffic into pmacct with MySQL
backend.
I'm interested only in specific networks so I'm doing it like this:
daemonize: true
debug: false
nfacctd_port: 5678
nfacctd_time_new: true
plugins: mysql[inbound],mysql[outbound]
aggregate[inbound]: tag,dst_host
aggregate[outbound]: tag,src_host
aggregate_filter[inbound]: (dst net 46.16.78.247/32 ...)
aggregate_filter[outbound]: (src net 46.16.78.247/32 ...)
The different networks in the aggregate filter are different customers.
Now my idea was that I add a pretagging so when a packet comes with
filter X it adds tag Y:
! 1101 = OPNREPO
id=1101 ip=81.33.44.75 filter='host 46.16.78.247'
Now every flow from 81.33.44.75 with traffic going from/to 46.16.78.247
gets tag 1101.
After this I can select * from X where 1101 and sum up.
My problem is that aggregate_filter will also aggregate the source of
the other side.
Let's say I transfer a 1GB file from 1.2.3.4 to 46.16.78.247, I have 4
records:
src 0.0.0.0, dst 46.16.78.247
src 0.0.0.0, dst 1.2.3.4
src 46.16.78.247, dst 0.0.0.0
src 1.2.3.4, dst 0.0.0.0
I thought that with aggregate_filter the lines with 1.2.3.4 won't get
into the db but maybe I'm wrong?
Any ideas?
Thanks!
Michael
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists