Hi Dariush,
You are looking for the print_history & companion directives. In order
to have files each containing 5 mins worth of data you can add the
following to your config:
print_history[xxx]: 300
print_history_roundoff[xxx]: m
Cheers,
Paolo
On Thu, May 14, 2015 at 08:29:58PM +0100, Dariush Marsh-Mossadeghi wrote:
> Hi,
>
> I hope that someone here has come across this before, or can point out what
> stupid thing I’m doing (or not doing)
>
> I’ve got an nfacctd instance taking netflow feeds from a pair of Juniper
> MX’s, aggregations to memory and mysql backends are working just fine, so I’m
> pretty sure the basics are OK.
> Now I’m trying to get a file backend to create files with timestamps in the
> names, and regardless of what config options I set all I’m getting is a
> single file with timestamp derived from zero unix time.
>
> the print_output_file config line looks like this:
>
> print_output_file[elsrch]: /opt/pmacct/var/spool/elsrch/%Y%m%d-%H%M.json
>
> and the file it produces looks like this:
>
> $ ls -l
> total 1616
> -rw------- 1 pmacct pmacct 912050 May 14 20:21 19700101-0100.json
> lrwxrwxrwx 1 pmacct pmacct 47 May 14 19:46 latest ->
> /opt/pmacct/var/spool/elsrch/19700101-0100.json
>
> I’m inclined to believe that nfacctd is failing to get the system date
> correctly as not only is the dynamic file naming unhappy , but the
> print_markers config directive is putting a zero at the top of the file.
>
> Below are config, output and log.
> I’ve trawled, the docs, mailing-list archives, and my google-fu has run out.
> Hopefully someone can point me in the right direction.
>
> Thanks
> Dariush
>
>
>
> config (somewhat sanitised) looks like this:
>
> $ cat /opt/pmacct/etc/nfacctd.conf
> ! Global daemon config
> !
> daemonize: true
> logfile: /opt/pmacct/var/log/nfacctd.log
> pidfile: /opt/pmacct/var/run/nfacctd.pid
> files_uid: 666
> files_gid: 666
>
> ! netflow daemon config
> nfacctd_port: 2055
> ! nfacctd_time_new:true is required if sql_dont_try_update:true is in use.
> See CONFIG-KEYS.
> nfacctd_time_new: true
> nfacctd_disable_checks: true
>
> ! global print plugin config
> print_markers: true
>
> ! plugin instances
> plugins: print[elsrch]
>
> ! --- [elsrch] ---
> aggregate[elsrch]: etype, proto, src_host, src_port, dst_host, dst_port,
> timestamp_start, timestamp_end
> print_output_file[elsrch]: /opt/pmacct/var/spool/elsrch/%Y%m%d-%H%M.json
> print_latest_file[elsrch]: /opt/pmacct/var/spool/elsrch/latest
> print_output[elsrch]: json
> print_refresh_time[elsrch]:60
>
>
> The output file, which gets over-written on every cache purge, starts like
> below, note the first line
>
> $ head -n 5 ./spool/elsrch/19700101-0100.json
> --START (0+60)--
> {"timestamp_start": "2015-05-14 20:14:44.225000", "ip_proto": "udp",
> "ip_dst": “x.x.x.x", "ip_src": "x.x.x.x", "etype": "800", "bytes": 62,
> "port_dst": 53, "packets": 1, "port_src": 38242, "timestamp_end": "2015-05-14
> 20:14:44.225000"}
> {"timestamp_start": "2015-05-14 20:14:44.167000", "ip_proto": "udp",
> "ip_dst": "x.x.x.x", "ip_src": "x.x.x.x", "etype": "800", "bytes": 567,
> "port_dst": 53, "packets": 9, "port_src": 29428, "timestamp_end": "2015-05-14
> 20:14:44.168000"}
> {"timestamp_start": "2015-05-14 20:14:43.892000", "ip_proto": "udp",
> "ip_dst": "x.x.x.x", "ip_src": "x.x.x.x", "etype": "800", "bytes": 206,
> "port_dst": 38655, "packets": 2, "port_src": 53, "timestamp_end": "2015-05-14
> 20:14:43.914000"}
> {"timestamp_start": "2015-05-13 10:18:11.534000", "ip_proto": "udp",
> "ip_dst": "x.x.x.x", "ip_src": "x.x.x.x", "etype": "800", "bytes": 268,
> "port_dst": 12839, "packets": 5, "port_src": 12838, "timestamp_end":
> "2015-05-14 20:16:12.636000"}
>
>
> and a log file excerpt for good measure:
>
> May 14 20:14:01 INFO ( elsrch/print ): *** Purging cache - START (PID: 8105)
> ***
> May 14 20:14:01 INFO ( elsrch/print ): *** Purging cache - END (PID: 8105,
> QN: 4138/4138, ET: 0) ***
> May 14 20:15:01 INFO ( elsrch/print ): *** Purging cache - START (PID: 8118)
> ***
> May 14 20:15:01 INFO ( elsrch/print ): *** Purging cache - END (PID: 8118,
> QN: 4192/4192, ET: 0) ***
> May 14 20:16:01 INFO ( elsrch/print ): *** Purging cache - START (PID: 8128)
> ***
> May 14 20:16:01 INFO ( elsrch/print ): *** Purging cache - END (PID: 8128,
> QN: 3225/3225, ET: 0) ***
>
>
>
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
