Hi guys, I have set up an nfacctd collector to receive flow info from FortiGate devices (and Cisco as well) in our network.
The NetFlow numbers we get from the FortiGate appear strange though. Having processed everything with Fortinet support, it looks like nfacctd only picks up "octets" and "packets" but misses info from "postOctets" and "postPackets". With Fortinet support, we established a controlled session (isolated file download) and dumped netflow traffic (analyzed by Fortinet) for the entire session. Comparing numbers from the dump and the info that nfacctd stores in the database, the "octets" and "packets" match exactly. But without the "post*" numbers, the total traffic does not reflect reality. sFlow with sfacctd works perfectly, but I need NetFlow for all devices. Is this a known problem or am I missing an important part of the configuration for this to work?

Configuration looks like this:

-----
!
! nfacctd configuration
!
!
!
daemonize: true
syslog: daemon
!debug: true
pidfile: /var/run/nfacctd.pid
!
! interested in in- and outbound traffic
aggregate[netflow1m]: peer_src_ip,src_host,dst_host
aggregate[netflow1h]: peer_src_ip,src_host,dst_host
! interested only in normal traffic
aggregate_filter[netflow1m]: net 10.0.0.0/8 or net 172.16.0.0/12 or net 192.168.0.0/16
aggregate_filter[netflow1h]: net 10.0.0.0/8 or net 172.16.0.0/12 or net 192.168.0.0/16
! on this interface
interface: eth0
nfacctd_ip: 10.10.10.10
nfacctd_port: 2055
nfacctd_time_new: true
!nfacctd_renormalize: true
!
! storage methods
plugins: mysql[netflow1m], mysql[netflow1h]
!sql_host: localhost
!sql_passwd:
! reduce the size of the insert/update clause
sql_optimize_clauses: true
! ip addresses as integers
sql_num_hosts: true
! locking style
sql_locking_style: row
sql_table[netflow1m]: netflow1m
sql_table[netflow1h]: netflow1h
! refresh the db every 5 minutes
sql_refresh_time[netflow1m]: 60
sql_refresh_time[netflow1h]: 300
! accumulate values in each row for up to an hour
sql_history[netflow1m]: 1m
sql_history[netflow1h]: 1h
! try updates?
sql_dont_try_update[netflow1m]: true
sql_dont_try_update[netflow1h]: false
! create new rows on the minute, hour, day boundaries
sql_history_roundoff[netflow1m]: m
sql_history_roundoff[netflow1h]: h
!
! in case of emergency, log to this file
! DISABLED since it's not supported with BGP primitives (peer_src_ip) aggregate
!sql_recovery_logfile: /var/lib/pmacct/recovery_nf_log
!
-----

Thanks in advance.

/Thomas

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
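The counters at issue are NetFlow v9 / IPFIX field types 1 and 2 (IN_BYTES / IN_PKTS, i.e. "octets" and "packets") and 23 and 24 (OUT_BYTES / OUT_PKTS, the "postOctets" / "postPackets" values). The following is an added example, not code from the thread or from pmacct: a small standalone NetFlow v9 template-and-data parser in Python that decodes both pairs and totals them separately, so a verification like the one done with Fortinet support can be repeated against the raw export packets instead of the database. The packet bytes are constructed here to mimic an exporter that reports both counters per record; treating "octets + postOctets" as the session total is an assumption that follows the comparison described in the post.

```python
import struct
import ipaddress

# NetFlow v9 field type ids (RFC 3954); IPFIX uses the same numbers for these elements.
IN_BYTES, IN_PKTS = 1, 2        # "octets" / "packets"
OUT_BYTES, OUT_PKTS = 23, 24    # "postOctets" / "postPackets"
IPV4_SRC_ADDR, IPV4_DST_ADDR = 8, 12


def build_v9_packet(template_id, fields, records, source_id=1):
    """Build one NetFlow v9 export packet: header + template flowset + data flowset.
    fields: list of (field_type, length); records: list of {field_type: int}."""
    tmpl_body = struct.pack("!HH", template_id, len(fields))
    for ftype, flen in fields:
        tmpl_body += struct.pack("!HH", ftype, flen)
    tmpl_flowset = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body  # id 0 = template

    data_body = b"".join(rec[ftype].to_bytes(flen, "big")
                         for rec in records for ftype, flen in fields)
    pad = (-len(data_body)) % 4  # flowsets are padded to a 4-byte boundary
    data_flowset = (struct.pack("!HH", template_id, 4 + len(data_body) + pad)
                    + data_body + b"\x00" * pad)

    # version, count (records/flowsets; implementations differ), sysuptime, unix secs,
    # sequence, source id
    header = struct.pack("!HHIIII", 9, 2, 1000, 1700000000, 1, source_id)
    return header + tmpl_flowset + data_flowset


def parse_v9(packet, templates=None):
    """Parse a NetFlow v9 packet. Returns (templates, records); templates are keyed by
    (source_id, template_id) so the dict can be carried across packets from one exporter."""
    templates = {} if templates is None else templates
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    records = []
    off = 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            raise ValueError("malformed flowset length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset; may carry several templates
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4])
                          for i in range(nfields)]
                p += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id > 255:  # data flowset (ids 1..255 are reserved, 1 = options template)
            fields = templates.get((source_id, fs_id))
            rec_len = sum(flen for _, flen in fields) if fields else 0
            p = 0
            # Without the template the records cannot be decoded; real collectors
            # buffer or drop them, which is one place data silently goes missing.
            while rec_len > 0 and p + rec_len <= len(body):
                rec = {}
                for ftype, flen in fields:
                    rec[ftype] = int.from_bytes(body[p:p + flen], "big")
                    p += flen
                records.append(rec)
        off += fs_len
    return templates, records


def traffic_totals(records):
    """Sum the pre- and post- counters separately. A collector that only reads field types
    1/2 reports 'octets'/'packets'; the session figures add the post* values (assumption)."""
    t = {"octets": 0, "packets": 0, "postOctets": 0, "postPackets": 0}
    for r in records:
        t["octets"] += r.get(IN_BYTES, 0)
        t["packets"] += r.get(IN_PKTS, 0)
        t["postOctets"] += r.get(OUT_BYTES, 0)
        t["postPackets"] += r.get(OUT_PKTS, 0)
    t["sessionOctets"] = t["octets"] + t["postOctets"]
    t["sessionPackets"] = t["packets"] + t["postPackets"]
    return t


# Constructed sample: a template with both counter pairs and two flow records that look
# like a file download (small request side, large response side).
SAMPLE_FIELDS = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4),
                 (IN_BYTES, 4), (IN_PKTS, 4), (OUT_BYTES, 4), (OUT_PKTS, 4)]
SAMPLE_RECORDS = [
    {IPV4_SRC_ADDR: int(ipaddress.IPv4Address("10.1.1.5")),
     IPV4_DST_ADDR: int(ipaddress.IPv4Address("192.168.1.10")),
     IN_BYTES: 1500, IN_PKTS: 10, OUT_BYTES: 90000, OUT_PKTS: 60},
    {IPV4_SRC_ADDR: int(ipaddress.IPv4Address("10.1.1.5")),
     IPV4_DST_ADDR: int(ipaddress.IPv4Address("192.168.1.20")),
     IN_BYTES: 800, IN_PKTS: 6, OUT_BYTES: 12000, OUT_PKTS: 9},
]
SAMPLE_PACKET = build_v9_packet(256, SAMPLE_FIELDS, SAMPLE_RECORDS)

if __name__ == "__main__":
    _, recs = parse_v9(SAMPLE_PACKET)
    for r in recs:
        print(ipaddress.IPv4Address(r[IPV4_SRC_ADDR]), "->", ipaddress.IPv4Address(r[IPV4_DST_ADDR]),
              {k: r[k] for k in (IN_BYTES, IN_PKTS, OUT_BYTES, OUT_PKTS)})
    print(traffic_totals(recs))
```

Run against a capture, the difference between "octets" and "sessionOctets" is exactly the amount a collector under-reports when it stores only field types 1 and 2; if the template your exporter sends does not contain types 23 and 24 at all, the problem is on the exporter side rather than in nfacctd.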
