Hi Rob,

Thanks for confirming. I will start some investigation and will get back
to you - privately, just to save all the back/forth nuances of the
troubleshooting to the rest of the list.

Cheers,
Paolo

On Sat, May 23, 2015 at 01:15:53PM +0100, Rob Greenwood wrote:
> Hi Paolo,
>
> Looks like the behaviour is the same in 1.5.0 and 1.5.1.
>
> -Rob
>
> > On 23 May 2015, at 13:05, Rob Greenwood <[email protected]> wrote:
> >
> > Ah actually, it’s because 1.5.0 doesn’t support specifying a vhost.
> >
> > I’ll try it with root vhost and report back.
> >
> > -Rob
> >
> >> On 23 May 2015, at 13:03, Rob Greenwood <[email protected]> wrote:
> >>
> >> Hi Paolo,
> >>
> >> We’re running 1.5.1.
> >>
> >> Oddly if I try and run 1.5.0 with identical config, I get RabbitMQ
> >> authentication errors..
> >>
> >> ERROR ( elk_1min/amqp ): Connection failed to RabbitMQ: login
> >> ERROR ( elk_1min/amqp ): Connection failed to RabbitMQ: p_amqp_close() invoked
> >>
> >> -Rob
> >>
> >>> On 23 May 2015, at 12:47, Paolo Lucente <[email protected]> wrote:
> >>>
> >>> Hi Rob,
> >>>
> >>> I see. Can you confirm which version are you running? If you are
> >>> not running a code >= 1.5.1, can you please do so? If you are, can
> >>> you check if you get same behaviour with 1.5.0? I'd essentially
> >>> like to confirm whether something broke up or got fixed in the last
> >>> release.
> >>>
> >>> Cheers,
> >>> Paolo
> >>>
> >>> On Sat, May 23, 2015 at 10:43:34AM +0100, Rob Greenwood wrote:
> >>>> Hi Paolo,
> >>>>
> >>>> No we currently don’t have prefixes as part of our aggregation.
> >>>> networks_file_filter is also not specified in the config.
> >>>>
> >>>> Adding 'nfacctd_net: fallback' changes the behaviour to be even weirder…
> >>>>
> >>>> Some (not all) flows are now marked with the correct AS, but only as_dst
> >>>> is updated - we still see lots of iBGP prefix flows with as_src as 0.
> >>>>
> >>>> eBGP prefix flows are no longer set to AS0 with 'nfacctd_net: fallback'
> >>>> however.
> >>>>
> >>>> Config as follows;
> >>>>
> >>>> ## nfacctd.conf ##
> >>>> ! Global daemon
> >>>> daemonize: true
> >>>> syslog: daemon
> >>>>
> >>>> ! BGP daemon
> >>>> !bgp_daemon: true
> >>>> !bgp_daemon_max_peers: 2
> >>>> !bgp_aspath_radius: 3
> >>>> !bgp_daemon_md5_file: /opt/pmacct/etc/bgp_md5.lst
> >>>>
> >>>> ! Temporarily pull in iBGP networks data from file until BGP is up
> >>>> networks_file: /opt/pmacct/etc/networks.lst
> >>>> nfacctd_as_new: fallback
> >>>> nfacctd_net: fallback
> >>>>
> >>>> ! Netflow input plugin
> >>>> nfacctd_port: 2055
> >>>> nfacctd_disable_checks: true
> >>>>
> >>>> ! AMQP output daemon
> >>>> amqp_host: localhost
> >>>> amqp_user: pmacct
> >>>> amqp_passwd: xxxx
> >>>> amqp_vhost: /pmacct
> >>>> amqp_exchange: pmacct
> >>>> amqp_persistent_msg: true
> >>>>
> >>>> ! Plugin definitions
> >>>> plugins: amqp[elk_1min]
> >>>>
> >>>> ! 1 minutely aggregates into ELK via amqp
> >>>> aggregate[elk_1min]: src_as, dst_as, src_host, dst_host, src_port, dst_port, proto
> >>>> amqp_routing_key[elk_1min]: acct
> >>>> amqp_history[elk_1min]: 1m
> >>>> amqp_time_roundoff[elk_1min]: m
> >>>> amqp_refresh_time[elk_1min]: 60
> >>>>
> >>>> ## networks.lst ##
> >>>> 62212,185.43.216.0/22
> >>>>
> >>>> -Rob
> >>>>
> >>>>> On 23 May 2015, at 10:00, Paolo Lucente <[email protected]> wrote:
> >>>>>
> >>>>> Hi Rob,
> >>>>>
> >>>>> To confirm that: what you are verifying is not the intended behaviour &
> >>>>> what you describe as your understanding is the intended behaviour
> >>>>> instead.
> >>>>>
> >>>>> It would help to know if you have prefixes as part of your aggregation;
> >>>>> if yes, whether they are also zeroed out if not in the networks_file or
> >>>>> not. Meanwhile two tests:
> >>>>>
> >>>>> * add 'nfacctd_net: fallback' to your config
> >>>>> * make sure 'networks_file_filter: true' is not set in your config
> >>>>>
> >>>>> If none of this helps out, can you please post (here or privately) your
> >>>>> config so that I can try to reproduce this in lab?
> >>>>>
> >>>>> Cheers,
> >>>>> Paolo
> >>>>>
> >>>>> On Fri, May 22, 2015 at 09:09:30PM +0100, Rob Greenwood wrote:
> >>>>>> Hi,
> >>>>>>
> >>>>>> We’ve got nfacctd running, collecting IPFIX data from a number of
> >>>>>> Juniper MX routers and exporting it into ElasticSearch successfully.
> >>>>>>
> >>>>>> Our iBGP prefixes have their AS in the netflow data as AS0. I’m trying
> >>>>>> to override this by placing our prefixes into a networks.lst, and
> >>>>>> specifying the following config:
> >>>>>>
> >>>>>> networks_file: /opt/pmacct/etc/networks.lst
> >>>>>> nfacctd_as_new: fallback
> >>>>>>
> >>>>>> From reading the documentation, this should allow me to override
> >>>>>> prefix ASNs from within the networks.lst, but would then fall back to
> >>>>>> pulling the ASN from netflow if the prefix doesn’t exist in
> >>>>>> network.ls.
> >>>>>>
> >>>>>> However, the behaviour I’m seeing is that the ASN for my prefixes is
> >>>>>> being set correctly, but now every other non-matching network is set
> >>>>>> to AS0.
> >>>>>>
> >>>>>> Is this intended behaviour?
> >>>>>>
> >>>>>> -Rob
> >>>>>>
> >>>>>> --
> >>>>>> DataCentred Limited registered in England and Wales no. 05611763
> >>>>>
> >>>>>> _______________________________________________
> >>>>>> pmacct-discussion mailing list
> >>>>>> http://www.pmacct.net/#mailinglists
> >>>>>
> >>>>> _______________________________________________
> >>>>> pmacct-discussion mailing list
> >>>>> http://www.pmacct.net/#mailinglists
> >>>>
> >>>> --
> >>>> DataCentred Limited registered in England and Wales no. 05611763
>
> --
> DataCentred Limited registered in England and Wales no. 05611763

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
