Hi Paolo,

I am trying to limit netflow aggregates to greater than 100 bytes before insertion into my PG database, but
I can't seem to get it to work. All aggregates are being inserted.

my config:
daemonize: true
debug: false
pidfile: /var/run/nfacctd.pid
syslog: daemon
pre_tag_map: ./my.pretag.map
nfacctd_disable_checks: true
nfacctd_time_new: false
aggregate: tag, src_host, dst_host, src_port, dst_port, proto, tos
plugin_pipe_size: 4096000
plugin_buffer_size: 4096
plugins: pgsql
sql_table: netflow
sql_data: typed
sql_dont_try_update: true
sql_use_copy: true
sql_db: pmacct
sql_host: 127.0.0.1
sql_passwd: arealsmartpwd
sql_user: pmacct
sql_refresh_time: 60
sql_optimize_clauses: true
sql_history: 1m
sql_history_roundoff: m
sql_recovery_logfile: /var/lib/pmacct/recovery_log
sql_preprocess: minb>=100
sql_locking_style: row
sql_cache_entries: 199999
imt_buckets: 65537
imt_mem_pools_size: 1024000
nfacctd_port: 2055

Here is what I get in my table - notice 1173 under 100 bytes.
pmacct=# truncate netflow ;
TRUNCATE TABLE
pmacct=# select count(*),sum(bytes)as bytes,sum(packets)as packets from netflow where agent_id = '246' and bytes <100;
 count | bytes | packets
-------+-------+---------
  1173 | 89321 |    1205
(1 row)

pmacct=# select count(*),sum(bytes)as bytes,sum(packets)as packets from netflow where agent_id = '246';
count |  bytes   | packets
-------+----------+---------
3690 | 63424928 | 105921
(1 row)

Also this is what shows from /var/log/messages
Aug 2 08:06:01 netflow nfacctd[4073]: INFO ( default/pgsql ): *** Purging cache - START (PID: 4073) *** Aug 2 08:06:01 netflow nfacctd[4073]: INFO ( default/pgsql ): *** Purging cache - END (PID: 4073, QN: 3690/3690, ET: 0) ***

               KEY: minb
DESC: check. Aggregates on the queue are evaluated one-by-one; each object is marked valid only if the bytes counter is '>=' minb value. An interesting idea is to set its value to a fraction of the link capacity. Remember that you have also a timeframe reference:
                      the 'sql_refresh_time' seconds. All plugins.

                      For example, given the following parameters:
                      Link Capacity = 8Mbit/s, THreshold = 0.1%, TImeframe = 60s
minb = ((LC / 8) * TI) * TH -> ((8Mbit/s / 8) * 60s) * 0.1% = 60000 bytes.

Given a 8Mbit link, all aggregates which have accounted for at least 60Kb of traffic
                      in the last 60 seconds, will be written to the DB.



Any suggestions?

Thanks,
Steve

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Reply via email to