Thank you Paolo!
But would it simply be safe to say that we are not missing any netflow data
if I never see the log line?
# fgrep syslog /etc/pmacct/nfacctd.conf
# fgrep -i expecting /var/log/daemon
That would be my working assumption.
On Sat, Feb 25, 2017 at 7:19 AM, Paolo Lucente <pa...@pmacct.net> wrote:
> Hi Ed,
> The log message produced is actually very simple:
> Log([..] expecting flow '%u' but received '%u' collector=%s:%u agent=%s:%u
> It's a start for some basic analysis but you can get false positives,
> for example due to out of order arrival of packets. In recent pmacct
> releases you have a new primitive, export_proto_seqno, precisely to
> report on sequence numbers. As it can be read in CONFIG-KEYS:
> export_proto_seqno reports about export protocol (NetFlow, sFlow, IPFIX)
> sequence number; due to its potential de-aggregation effect, two main
> use-cases are seen as use of this primitive:
> 1) if using a log type (de-)aggregation method, ie. for security,
> forensics, etc., in addition to existing primitives;
> 2) if using a reporting type aggregation method, it is recommended to
> split this primitive in a separate plugin instance instead for
> sequencing analysis.
> You fall in the use-case #2. You may instantiate a memory or print
> plugins setting the aggregate to 'peer_src_ip, export_proto_seqno'. This
> way you can perform a more contextual analysis over periods of time (ie.
> 1 min).
> On Thu, Feb 23, 2017 at 11:09:19AM -0600, Edward Henigin wrote:
> > I see in the config keys for nfacctd that by default it checks sequence
> > numbers and will log an error if any are missing.
> > [ nfacctd_disable_checks | sfacctd_disable_checks ] [GLOBAL, NO_PMACCTD]
> > Values: [true|false]
> > Desc: both nfacctd and sfacctd check health of incoming NetFlow/sFlow
> > datagrams - actually this is limited to just verifying sequence numbers
> > progression. You may want to disable such feature because of non-standard
> > implementations. By default checks are enabled (default: false).
> > My question: what does that log message look like? I suspect I'm losing
> > flows and I want to check the logs for evidence. I looked in
> > to see if I could tell what the syslog message would look like but I
> > figure out where it's checking the sequence numbers for continuity and
> > logging an error on lost data.
> > Thanks,
> > Ed
> > _______________________________________________
> > pmacct-discussion mailing list
> > http://www.pmacct.net/#mailinglists
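The per-interval analysis Paolo suggests (a separate plugin instance aggregating on 'peer_src_ip, export_proto_seqno') can be scripted offline. The following is an added example, not code from this thread or from pmacct: it reads print-plugin output in JSON line format and reports missing sequence-number ranges per exporter. Because it works over everything received in the interval rather than on arrival order, out-of-order packets do not produce the false positives the on-arrival log check can. Assumptions: the plugin was configured roughly as in the docstring (key names from CONFIG-KEYS; verify against your version), the JSON field names are "peer_ip_src" and "export_proto_seqno" (assumed from pmacct's JSON output naming), and the sample lines are constructed. The step-of-one check matches NetFlow v9, where the sequence counts export packets; for NetFlow v5 and IPFIX the counter advances by the number of flows or data records in each message, so the expected step would have to be taken from the record count instead.

```python
"""Offline export-sequence gap analysis over nfacctd print-plugin output.

Added example, not pmacct code. Assumes a dedicated print plugin instance,
configured roughly as follows (key names per CONFIG-KEYS; assumption):

    plugins: print[seq]
    aggregate[seq]: peer_src_ip, export_proto_seqno
    print_refresh_time[seq]: 60
    print_output[seq]: json
    print_output_file[seq]: /var/spool/pmacct/seq-%Y%m%d-%H%M.json

Each output line is assumed to be one JSON object carrying at least the
keys "peer_ip_src" and "export_proto_seqno" (field names assumed).
"""
import json
from collections import defaultdict

SEQ_MOD = 2 ** 32  # export sequence numbers are 32-bit unsigned

# Constructed sample for one refresh interval. 10.0.0.1 lost export
# packets 1003-1004 and delivered 1006 before 1005 (out of order, not a
# loss). 10.0.0.2 wraps the 32-bit counter without losing anything.
SAMPLE_LINES = [
    json.dumps({"peer_ip_src": "10.0.0.1", "export_proto_seqno": s,
                "packets": 1, "bytes": 1400})
    for s in (1001, 1002, 1006, 1005, 1007)
] + [
    json.dumps({"peer_ip_src": "10.0.0.2", "export_proto_seqno": s,
                "packets": 1, "bytes": 1400})
    for s in (4294967294, 4294967295, 0, 1)
]


def parse_lines(lines):
    """Parse JSON lines into {peer: set(seqno)}; duplicates collapse."""
    per_peer = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        per_peer[rec["peer_ip_src"]].add(int(rec["export_proto_seqno"]) % SEQ_MOD)
    return per_peer


def unwrap(seqnos):
    """Sort seqnos in counter order across a 32-bit wrap.

    If the observed values span more than half the counter range, the
    small ones are taken as post-wrap and lifted by 2^32 so that a plain
    numeric sort yields arrival order.
    """
    ordered = sorted(seqnos)
    if ordered and ordered[-1] - ordered[0] > SEQ_MOD // 2:
        ordered = sorted(s + SEQ_MOD if s < SEQ_MOD // 2 else s for s in ordered)
    return ordered


def find_gaps(seqnos):
    """Return (first_missing, last_missing) ranges, reduced modulo 2^32.

    Assumes the counter advances by one per export packet (NetFlow v9).
    """
    gaps = []
    ordered = unwrap(seqnos)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur - prev > 1:
            gaps.append(((prev + 1) % SEQ_MOD, (cur - 1) % SEQ_MOD))
    return gaps


def analyze(lines):
    """Map each exporting peer to its list of missing sequence ranges."""
    return {peer: find_gaps(seqs) for peer, seqs in parse_lines(lines).items()}


if __name__ == "__main__":
    for peer, gaps in sorted(analyze(SAMPLE_LINES).items()):
        status = "no gaps" if not gaps else ", ".join(f"{a}-{b}" for a, b in gaps)
        print(f"{peer}: {status}")
```

Run it against one interval's file at a time (for example by replacing SAMPLE_LINES with the lines of a rotated print_output_file); a gap that persists across two consecutive intervals is loss, while one that closes in the next interval was just late arrival straddling the refresh boundary.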