Sorry, pmacct correctly calculates SYNs. The problem was in duplicated entries; this caused the loss of 95% of the data. This problem occurs only with tables version 7 (which are used as IDS). For traffic calculation I use a table version 1 without any problems. I've corrected the problem with the SYNs calculation by adding an autoincrement id (and periodic zeroing of it) in the table version 7; now SYNs are being calculated correctly. However, this caused a problem: during one timestamp the base grows up to 500 megabytes. Please advise, why does pmacct create duplicated entries?

Also, I often see in the log "ERROR ( min-ddos/mysql ): FUNCTION pmacct.DROM_UNIXTIME does not exist#012" and "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'FROM]UNIXTIME(1265882756), FROM_UNIXTIME(1265882580), 0, '89.184.64.34', '193.17' at line 1#012" (in the first error I see that pmacct misplaced "F" and "D", in the second I see that "." and "]" are misplaced).

Here is my config:

! pmacctd configuration
!
!
!
debug: false
daemonize: true
pidfile: /var/run/pmacctd.pid
syslog: daemon
interface: eth2
promisc: true
plugin_buffer_size: 1024000
plugin_pipe_size: 409600000
aggregate[min]: src_mac, dst_mac, src_host, dst_host
aggregate[min-ids]: src_host, dst_host, dst_port, proto, tcpflags
aggregate[hourly-in]: dst_host
aggregate[hourly-out]: src_host
plugins: mysql[min], mysql[min-ids], mysql[hourly-in], mysql[hourly-out]
networks_file[min]: /etc/pmacct/networks.list
networks_file[hourly-in]: /etc/pmacct/networks.list
networks_file[hourly-out]: /etc/pmacct/networks.list
sql_table[min]: acct
sql_table[min-ids]: acct_ids
sql_table[hourly-in]: acct_base_in
sql_table[hourly-out]: acct_base_out
sql_host: 10.7.10.2
sql_user: pmacct
sql_passwd: **********
sql_db: pmacct
sql_table_version[min]: 1
sql_table_version[min-ids]: 7
sql_table_version[hourly-in]: 1
sql_table_version[hourly-out]: 1
sql_dont_try_update: true
sql_multi_values: 1000000
sql_locking_style: row

sql_history_roundoff[min]: m
sql_history[min]: 1m
sql_refresh_time[min]: 60
sql_history_roundoff[min-ids]: m
sql_history[min-ids]: 1m
sql_refresh_time[min-ids]: 60

sql_history_roundoff[hourly-in]: m
sql_history[hourly-in]: 30m
sql_refresh_time[hourly-in]: 1800
sql_history_roundoff[hourly-out]: m
sql_history[hourly-out]: 30m
sql_refresh_time[hourly-out]: 1800
sql_recovery_logfile[min]: /var/lib/pmacct/recovery_in_log
sql_recovery_logfile[hourly-in]: /var/lib/pmacct/recovery_log_in_base
sql_recovery_logfile[hourly-out]: /var/lib/pmacct/recovery_log_out_base



--
WBR
Yavetskiy Yuriy
ULTI-RIPE


_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
