Hi Ed,

Yes, absolutely!

Paolo

On Mon, Feb 27, 2017 at 09:34:16AM -0600, Edward Henigin wrote:
> Thank you Paolo!
> 
> But would it simply be safe to say that we are not missing any netflow data
> if I never see the log line?
> 
> # fgrep syslog /etc/pmacct/nfacctd.conf
> syslog: daemon
> # fgrep -i expecting /var/log/daemon
> #
> 
> That would be my working assumption.
> 
> Thanks,
> 
> Ed
> 
> On Sat, Feb 25, 2017 at 7:19 AM, Paolo Lucente <pa...@pmacct.net> wrote:
> 
> >
> > Hi Ed,
> >
> > The log message produced is actually very simple:
> >
> > Log([..] expecting flow '%u' but received '%u' collector=%s:%u agent=%s:%u
> > [..]);
> >
> > It's a start for some basic analysis but you can get false positives,
> > for example due to out of order arrival of packets. In recent pmacct
> > releases you have a new primitive, export_proto_seqno, precisely to
> > report on sequence numbers. As it can be read in CONFIG-KEYS:
> >
> > export_proto_seqno reports about export protocol (NetFlow, sFlow, IPFIX)
> > sequence number; due to its potential de-aggregation effect, two main
> > use-cases are seen as use of this primitive:
> >
> > 1) if using a log type (de-)aggregation method, ie. for security,
> >    forensics, etc., in addition to existing primitives;
> >
> > 2) if using a reporting type aggregation method, it is recommended to
> >    split this primitive in a separate plugin instance instead for
> >    sequencing analysis.
> >
> > You fall in the use-case #2. You may instantiate a memory or print
> > plugins setting the aggregate to 'peer_src_ip, export_proto_seqno'. This
> > way you can perform a more contextual analysis over periods of time (ie.
> > 1 min).
> >
> > Cheers,
> > Paolo
> >
> > On Thu, Feb 23, 2017 at 11:09:19AM -0600, Edward Henigin wrote:
> > > I see in the config keys for nfacctd that by default it checks sequence
> > > numbers and will log an error if any are missing.
> > >
> > > [ nfacctd_disable_checks | sfacctd_disable_checks ] [GLOBAL, NO_PMACCTD]
> > > Values: [true|false]
> > > Desc: both nfacctd and sfacctd check health of incoming NetFlow/sFlow
> > > datagrams - actually this is limited to just verifying sequence numbers
> > > progression. You may want to disable such feature because of non-standard
> > > implementations. By default checks are enabled.
> > > (default: false)
> > >
> > >
> > > My question: what does that log message look like? I suspect I'm losing
> > > flows and I want to check the logs for evidence. I looked in src/nfacctd.c
> > > to see if I could tell what the syslog message would look like but I can't
> > > figure out where it's checking the sequence numbers for continuity and
> > > logging an error on lost data.
> > >
> > > Thanks,
> > >
> > > Ed
> >
> > > _______________________________________________
> > > pmacct-discussion mailing list
> > > http://www.pmacct.net/#mailinglists



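The thread makes two points worth seeing side by side: a strict in-arrival-order sequence check (the kind behind the "expecting flow X but received Y" log line) raises false positives on out-of-order datagrams, while collecting `peer_src_ip, export_proto_seqno` over a window and analysing it afterwards does not. The script below is an added example, not pmacct code: it assumes the print plugin's output for a one-minute window has already been parsed into `(peer_src_ip, export_proto_seqno)` pairs (the `SAMPLE_RECORDS` list is constructed, not captured), and it assumes the exporter's counter advances by one per datagram, as NetFlow v9 and IPFIX do (NetFlow v5 advances by the number of flow records, so the gap arithmetic would differ there).

```python
"""Sequence-number gap analysis over (peer_src_ip, export_proto_seqno) pairs.

Added example, not part of pmacct. Assumes records were produced by a
print/memory plugin with 'aggregate: peer_src_ip, export_proto_seqno'
and parsed into tuples, and that the counter is per-datagram (v9/IPFIX).
"""
from collections import defaultdict

SEQ_MODULO = 2 ** 32  # export sequence numbers are 32-bit counters

# Constructed sample window. Exporter .1 arrives out of order but is complete;
# exporter .2 is missing datagrams 1003 and 1004; exporter .3 crosses the
# 32-bit wrap without loss.
SAMPLE_RECORDS = [
    ("192.0.2.1", 500), ("192.0.2.1", 502), ("192.0.2.1", 501), ("192.0.2.1", 503),
    ("192.0.2.2", 1001), ("192.0.2.2", 1002), ("192.0.2.2", 1005), ("192.0.2.2", 1006),
    ("192.0.2.3", SEQ_MODULO - 2), ("192.0.2.3", SEQ_MODULO - 1),
    ("192.0.2.3", 0), ("192.0.2.3", 1),
]


def naive_check(records):
    """Strict check in arrival order: each datagram must carry last+1.

    Returns a list of (exporter, expected, received) mismatches. A late
    datagram trips it, which is the false positive the thread warns about.
    """
    last = {}
    alerts = []
    for exporter, seq in records:
        if exporter in last:
            expected = (last[exporter] + 1) % SEQ_MODULO
            if seq != expected:
                alerts.append((exporter, expected, seq))
        last[exporter] = seq
    return alerts


def find_gaps(records):
    """Per-exporter gap detection that tolerates out-of-order arrival.

    Every sequence number seen in the window is collected first and then
    sorted, so a late datagram is simply filed in its place. Returns
    {exporter: [missing seqnos]} for exporters that actually have gaps.
    """
    per_exporter = defaultdict(set)
    for exporter, seq in records:
        per_exporter[exporter].add(seq % SEQ_MODULO)

    gaps = {}
    for exporter, seqs in per_exporter.items():
        # A window straddling the 32-bit wrap holds values at both ends of the
        # range; lift the low ones by the modulus so the run is contiguous.
        if max(seqs) - min(seqs) > SEQ_MODULO // 2:
            seqs = {s + SEQ_MODULO if s < SEQ_MODULO // 2 else s for s in seqs}
        ordered = sorted(seqs)
        missing = []
        for prev, cur in zip(ordered, ordered[1:]):
            missing.extend(m % SEQ_MODULO for m in range(prev + 1, cur))
        if missing:
            gaps[exporter] = missing
    return gaps


if __name__ == "__main__":
    for exporter, expected, got in naive_check(SAMPLE_RECORDS):
        print(f"strict check: {exporter} expecting {expected} but received {got}")
    for exporter, missing in find_gaps(SAMPLE_RECORDS).items():
        print(f"windowed check: {exporter} lost datagrams {missing}")
```

On the sample, the strict check reports four mismatches, three of them for exporter 192.0.2.1, which lost nothing; the windowed analysis reports only the two datagrams genuinely missing from 192.0.2.2 and stays quiet across the counter wrap. The window length is whatever aggregation interval the plugin was configured with (the thread suggests one minute), so a datagram delayed across a window boundary still shows as a gap in one window and a surplus in the next; comparing adjacent windows resolves that.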