Hi Paolo, I have been doing more work on this trying to isolate where in the pipeline the cross-talk is happening, and it looks like it's on my RabbitMQ consumer and not nfacctd - apologies! :)
For our POC I'm trying to consume the data with logstash -> elasticsearch, which was supposed to be a quick way to ingest and do some quick modeling with the data. Thanks again, we are excited about bringing scalability to flow collection in our networks, most likely using Riak as a back-end data store. Aaron On Sun, Jan 22, 2017 at 10:16 AM, Paolo Lucente <pa...@pmacct.net> wrote: > > Hi Aaron, > > Thanks for the feedback. I'm unfortunately unable to reproduce the issue > in lab: any chance you can grant me temporary access to the system where > the issue is arising? Or if you are in some containerized environment you > can pass me that? > > Cheers, > Paolo > > On Sat, Jan 21, 2017 at 09:09:25AM -0800, Aaron Finney wrote: > > Hi Paolo, > > > > It's version 1.6.1: > > > > NetFlow Accounting Daemon, nfacctd 1.6.1 (20161001-00+c5). > > > > Thanks, > > > > Aaron > > > > > > > > On Sat, Jan 21, 2017 at 3:57 AM, Paolo Lucente <pa...@pmacct.net> wrote: > > > > > > > > Hi Aaron, > > > > > > Interesting. Can you say what version is this? And if anything before > > > 1.6.1 or (much preferrably) master code on GitHub - can you please try > > > and confirm you experience the same with any of these? > > > > > > Paolo > > > > > > On Fri, Jan 20, 2017 at 07:03:15PM -0800, Aaron Finney wrote: > > > > Hello all, > > > > > > > > I promise I searched the archives exhaustively first... > > > > > > > > We are trying to separate external ingress/egress traffic using > > > > aggregate_filter (config below), but it's not working as expected. > When > > > we > > > > only have one of the sections active and (xv_ext_in OR xv_ext_out) > and > > > > comment out the other, we get exactly the data we expect - only > external > > > > data and either to/from our networks. When we activate both in the > > > config, > > > > we end up with a mix of both, but not exactly the same data. Any help > > > would > > > > be greatly appreciated - thanks! > > > > > > > > > > > > Config: > > > > > > > > daemonize: false > > > > nfacctd_port: 2100 > > > > nfacctd_net: netflow > > > > plugins: amqp[xv_ext_in], amqp[xv_ext_out] > > > > ! > > > > amqp_exchange[xv_ext_in]: netflow-in > > > > amqp_exchange_type[xv_ext_in]: direct > > > > amqp_host[xv_ext_in]: localhost > > > > amqp_refresh_time[xv_ext_in]: 5 > > > > amqp_user[xv_ext_in]: username > > > > amqp_passwd[xv_ext_in]: password > > > > aggregate[xv_ext_in]: peer_src_ip, src_as, dst_as, src_host, > dst_host, > > > > src_port, dst_port, in_iface, out_iface, proto, sampling_rate > > > > aggregate_filter[xv_ext_in]: not (src net (173.241.240.0/20 or > > > 69.6.80.0/20 > > > > or 199.26.53.0/24 or 209.182.128.0/19)) and not net 10.0.0.0/8 > > > > amqp_routing_key[xv_ext_in]: xv_in > > > > ! > > > > amqp_exchange[xv_ext_out]: netflow-out > > > > amqp_exchange_type[xv_ext_out]: direct > > > > amqp_host[xv_ext_out]: localhost > > > > amqp_refresh_time[xv_ext_out]: 5 > > > > amqp_user[xv_ext_out]: username > > > > amqp_passwd[xv_ext_out]: password > > > > aggregate[xv_ext_out]: peer_src_ip, src_as, dst_as, src_host, > dst_host, > > > > src_port, dst_port, in_iface, out_iface, proto, sampling_rate > > > > aggregate_filter[xv_ext_out]: not (dst net (173.241.240.0/20 or > > > 69.6.80.0/20 > > > > or 199.26.53.0/24 or 209.182.128.0/19)) and not net 10.0.0.0/8 > > > > amqp_routing_key[xv_ext_out]: xv_out > > > > > > > _______________________________________________ > > > > pmacct-discussion mailing list > > > > http://www.pmacct.net/#mailinglists > > > > > > > > > _______________________________________________ > > > pmacct-discussion mailing list > > > http://www.pmacct.net/#mailinglists > > > > > > > > > > > -- > > > > *Aaron Finney*Network Engineer | OpenX > > 888 East Walnut Street, 2nd Floor | Pasadena, CA 91101 > > o: +1 (626) 466-1141 x6035 | aaron.fin...@openx.com > > *Advertising Age Best Places to Work > > <http://openx.com/press-releases/openx-named-as-one- > of-advertising-ages-top-fifty-best-places-to-work-for-2015/>* > > *Deloitte's Technology Fast 500™ > > <http://openx.com/press-releases/openx-ranked-3rd- > fastest-growing-software-company-north-america-5th- > fastest-overall-deloittes-2013-technology-fast-500/>* > > www.openx.com <http://www.openx.com/>| Twitter > > <http://twitter.com/openx>| Facebook <http://www.facebook.com/OpenX>| > > LinkedIn <http://www.linkedin.com/company/openx/products>| YouTube > > <http://www.youtube.com/user/openxvideos> > -- *Aaron Finney*Network Engineer | OpenX 888 East Walnut Street, 2nd Floor | Pasadena, CA 91101 o: +1 (626) 466-1141 x6035 | aaron.fin...@openx.com *Advertising Age Best Places to Work <http://openx.com/press-releases/openx-named-as-one-of-advertising-ages-top-fifty-best-places-to-work-for-2015/>* *Deloitte's Technology Fast 500™ <http://openx.com/press-releases/openx-ranked-3rd-fastest-growing-software-company-north-america-5th-fastest-overall-deloittes-2013-technology-fast-500/>* www.openx.com <http://www.openx.com/>| Twitter <http://twitter.com/openx>| Facebook <http://www.facebook.com/OpenX>| LinkedIn <http://www.linkedin.com/company/openx/products>| YouTube <http://www.youtube.com/user/openxvideos>
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
