Hi Yuriy, Which version of pmacct you are using? Indeed the syntax for those SQL queries is wrong - but i've never seen that happening so i'm a bit puzzled. Are these issues related to a specific plugin or you can see such weird behaviour across all of them? Finally, can you post privately some of these duplicate rows so that i can look into it?
Cheers, Paolo On Thu, Feb 11, 2010 at 03:08:42PM +0200, Yavetskiy Yuriy wrote: > Sorry, pmacct correctly calculates SYNs. The problem was in duplicated > entries, this caused lost 95% of the data. This problem occurs only with > tables version 7 (which are used as IDS). For traffic calculation I use > a table version 1 without any problems. I've corrected the problem with > the SYNs calculation by adding id autoincrement (and periodic zeroing of > it) in the table version 7, now SYNs are being calculated correctly. > However, this caused a problem, during one timestamp base grows up to > 500 megabytes. Please advise, why pmacct creates duplicated entries? > Alsa I often see in log "ERROR ( min-ddos/mysql ): FUNCTION > pmacct.DROM_UNIXTIME does not exist#012" and "You have an error in your > SQL syntax; check the manual that corresponds to your MySQL server > version for the right syntax to use near 'FROM]UNIXTIME(1265882756), > FROM_UNIXTIME(1265882580), 0, '89.184.64.34', '193.17' at line 1#012" > (in first error I see that pmacct missplaced "F" and "D", in second I > see that "." and "]" are misplaced). > > Here is my config: > > ! pmacctd configuration > ! > ! > ! > debug: false > daemonize: true > pidfile: /var/run/pmacctd.pid > syslog: daemon > interface: eth2 > promisc: true > plugin_buffer_size: 1024000 > plugin_pipe_size: 409600000 > aggregate[min]: src_mac, dst_mac, src_host, dst_host > aggregate[min-ids]: src_host, dst_host, dst_port, proto, tcpflags > aggregate[hourly-in]: dst_host > aggregate[hourly-out]: src_host > plugins: mysql[min], mysql[min-ids], mysql[hourly-in], mysql[hourly-out] > networks_file[min]: /etc/pmacct/networks.list > networks_file[hourly-in]: /etc/pmacct/networks.list > networks_file[hourly-out]: /etc/pmacct/networks.list > sql_table[min]: acct > sql_table[min-ids]: acct_ids > sql_table[hourly-in]: acct_base_in > sql_table[hourly-out]: acct_base_out > sql_host: 10.7.10.2 > sql_user: pmacct > sql_passwd: ********** > sql_db: pmacct > sql_table_version[min]: 1 > sql_table_version[min-ids]: 7 > sql_table_version[hourly-in]: 1 > sql_table_version[hourly-out]: 1 > sql_dont_try_update: true > sql_multi_values: 1000000 > sql_locking_style: row > > sql_history_roundoff[min]: m > sql_history[min]: 1m > sql_refresh_time[min]: 60 > sql_history_roundoff[min-ids]: m > sql_history[min-ids]: 1m > sql_refresh_time[min-ids]: 60 > > sql_history_roundoff[hourly-in]: m > sql_history[hourly-in]: 30m > sql_refresh_time[hourly-in]: 1800 > sql_history_roundoff[hourly-out]: m > sql_history[hourly-out]: 30m > sql_refresh_time[hourly-out]: 1800 > sql_recovery_logfile[min]: /var/lib/pmacct/recovery_in_log > sql_recovery_logfile[hourly-in]: /var/lib/pmacct/recovery_log_in_base > sql_recovery_logfile[hourly-out]: /var/lib/pmacct/recovery_log_out_base > > > > -- > WBR > Yavetskiy Yuriy > ULTI-RIPE > _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
