Hi Paolo, We’re running 1.5.1.
Oddly if I try and run 1.5.0 with identical config, I get RabbitMQ authentication errors.. ERROR ( elk_1min/amqp ): Connection failed to RabbitMQ: login ERROR ( elk_1min/amqp ): Connection failed to RabbitMQ: p_amqp_close() invoked -Rob > On 23 May 2015, at 12:47, Paolo Lucente <[email protected]> wrote: > > Hi Rob, > > I see. Can you confirm which version are you running? If you are > not running a code >= 1.5.1, can you please do so? If you are, can > you check if you get same behaviour with 1.5.0? I'd essentially > like to confirm whether something broke up or got fixed in the last > release. > > Cheers, > Paolo > > On Sat, May 23, 2015 at 10:43:34AM +0100, Rob Greenwood wrote: >> Hi Paolo, >> >> No we currently don’t have prefixes as part of our aggregation. >> networks_file_filter is also not specified in the config. >> >> Adding 'nfacctd_net: fallback' changes the behaviour to be even weirder… >> >> Some (not all) flows are now marked with the correct AS, but only as_dst is >> updated - we still see lots of iBGP prefix flows with as_src as 0. >> >> eBGP prefix flows are no longer set to AS0 with 'nfacctd_net: fallback' >> however. >> >> Config as follows; >> >> ## nfacctd.conf ## >> ! Global daemon >> daemonize: true >> syslog: daemon >> >> ! BGP daemon >> !bgp_daemon: true >> !bgp_daemon_max_peers: 2 >> !bgp_aspath_radius: 3 >> !bgp_daemon_md5_file: /opt/pmacct/etc/bgp_md5.lst >> >> ! Temporarily pull in iBGP networks data from file until BGP is up >> networks_file: /opt/pmacct/etc/networks.lst >> nfacctd_as_new: fallback >> nfacctd_net: fallback >> >> ! Netflow input plugin >> nfacctd_port: 2055 >> nfacctd_disable_checks: true >> >> ! AMQP output daemon >> amqp_host: localhost >> amqp_user: pmacct >> amqp_passwd: xxxx >> amqp_vhost: /pmacct >> amqp_exchange: pmacct >> amqp_persistent_msg: true >> >> ! Plugin definitions >> plugins: amqp[elk_1min] >> >> ! 1 minutely aggregates into ELK via amqp >> aggregate[elk_1min]: src_as, dst_as, src_host, dst_host, src_port, dst_port, >> proto >> amqp_routing_key[elk_1min]: acct >> amqp_history[elk_1min]: 1m >> amqp_time_roundoff[elk_1min]: m >> amqp_refresh_time[elk_1min]: 60 >> >> ## networks.lst ## >> 62212,185.43.216.0/22 >> >> -Rob >> >>> On 23 May 2015, at 10:00, Paolo Lucente <[email protected]> wrote: >>> >>> Hi Rob, >>> >>> To confirm that: what you are verifying is not the intended behaviour & >>> what you describe as your understanding is the intended behaviour instead. >>> >>> It would help to know if you have prefixes as part of your aggregation; >>> if yes, whether they are also zeroed out if not in the networks_file or >>> not. Meanwhile two tests: >>> >>> * add 'nfacctd_net: fallback' to your config >>> * make sure 'networks_file_filter: true' is not set in your config >>> >>> If none of this helps out, can you please post (here or privately) your >>> config so that i can try to reproduce this in lab? >>> >>> Cheers, >>> Paolo >>> >>> On Fri, May 22, 2015 at 09:09:30PM +0100, Rob Greenwood wrote: >>>> Hi, >>>> >>>> We’ve got nfacctd running, collecting IPFIX data from a number of Juniper >>>> MX routers and exporting it into ElasticSearch successfully. >>>> >>>> Our iBGP prefixes have their AS in the netflow data as AS0. I’m trying to >>>> override this by placing our prefixes into a networks.lst, and specifying >>>> the following config: >>>> >>>> networks_file: /opt/pmacct/etc/networks.lst >>>> nfacctd_as_new: fallback >>>> >>>>> From reading the documentation, this should allow me to override prefix >>>>> ASNs from within the networks.lst, but would then fall back to pulling >>>>> the ASN from netflow if the prefix doesn’t exist in network.ls. >>>> >>>> However, the behaviour I’m seeing is that the ASN for my prefixes is being >>>> set correctly, but now every other non-matching network is set to AS0. >>>> >>>> Is this intended behaviour? >>>> >>>> -Rob >>>> >>>> >>>> -- >>>> DataCentred Limited registered in England and Wales no. 05611763 >>> >>> >>>> _______________________________________________ >>>> pmacct-discussion mailing list >>>> http://www.pmacct.net/#mailinglists >>> >>> >>> _______________________________________________ >>> pmacct-discussion mailing list >>> http://www.pmacct.net/#mailinglists >> >> >> -- >> DataCentred Limited registered in England and Wales no. 05611763 > > -- DataCentred Limited registered in England and Wales no. 05611763
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
