Re: [pmacct-discussion] pmacct-to-elasticsearch

Mon, 22 Dec 2014 14:41:59 -0800 

I too use pmacct to insert data into ElasticSearch..

One super helpful thing that Paolo added in CVS a few weeks ago is a
command line option to return how many seconds it's been since the IMT
has been cleared.. This allows you to calculate a BPS/PPS value to
insert (or for DoS detection, etc).

Here we use perl to do it with a few subs like:

# Returns JSON
sub retrieve_flows {
        my $pmacctbin = shift;
        my $pipe = shift;
        my $primitive = shift;
        my $filter = shift;
        my @flows = `$pmacctbin -p $pipe -l -O json -c "$primitive" -M
"$filter"`;
        return @flows;
}

sub clear_flows {
        my $pmacctbin = shift;
        my $pipe = shift;
        my $flows = `$pmacctbin -l -p $pipe -e`
}

sub get_flow_duration {
        my $pmacctbin = shift;
        my $pipe = shift;
        my $duration = `$pmacctbin -p $pipe -i`;
        chomp($duration);
        if ($duration =~ /never/i || $duration > 518400) {
                # if this returns never, return 24 hours to make
everything low bitrate
               $duration = 518400;
        } elsif ($duration < 60) {
               $duration = 60;
        }
        return $duration;
}

I also do all of the insertion from Perl, which lets me do things like
cache a copy of all ifindexes of routers that are classified from our
NMS, tag this, etc..

--
Tim

On Mon, Dec 22, 2014 at 12:47 PM, Pier Carlo Chiodi <pie...@pierky.com> wrote:
> Hello,
>
> I wish to share here a script that I made in the hope that it will be
> helpful to whoever might be involved in pmacct / ElasticSearch / Kibana
> integration.
>
> It's pmacct-to-elasticsearch
> (https://github.com/pierky/pmacct-to-elasticsearch); as you can easily guess
> it reads pmacct output and sends it to ElasticSearch for indexing. More
> details on the GitHub page.
>
> A simple setup guide is available on my blog:
> http://blog.pierky.com/integration-of-pmacct-with-elasticsearch-and-kibana
>
> Please consider it as a beta version; I will be happy to hear feedback from
> anyone who wants to test it.
>
> Regards,
>
> --
> Pier Carlo Chiodi
> http://pierky.com/aboutme
>
>
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Reply via email to