Hi,

I'm trying to figure out an issue with the aggregation for sql_history
methods for Netflow.
For some reason I run into issues with the stamp_inserted value being way
off and wrong.

According to my flow the following raw Netflow stream gets a weird
timestamp inserted into the sql.

The raw flow in nfdump:
Flow Record:
  Flags        =              0x06 FLOW, Unsampled
  export sysid =                 1
  size         =                60
  first        =        1506114959 [2017-09-22 21:15:59]
  last         =        1506115055 [2017-09-22 21:17:35]
  msec_first   =               831
  msec_last    =               236
  src addr     =     192.168.1.143
  dst addr     =     192.168.1.255
  src port     =               138
  dst port     =               138
  fwd status   =                 0
  tcp flags    =              0x00 ......
  proto        =                17 UDP
  (src)tos     =                 0
  (in)packets  =                 2
  (in)bytes    =               465
  input        =                 2
  output       =                 0

This gets inserted into sql with this command:
DEBUG ( in/mysql ): INSERT INTO `acct_in` (stamp_updated, stamp_inserted,
ip_dst, src_port, dst_port, ip_proto, mac_src, mac_dst, ip_src, packets,
bytes) VALUES (FROM_UNIXTIME(1506160141), FROM_UNIXTIME(1501819200),
'192.168.1.255', 0, 0, 'ip', '0:0:0:0:0:0', '0:0:0:0:0:0', '0.0.0.0', 2,
465)

So the flow has the flow start value timestamp: 1506114959
(2017-09-22T21:15:59+00:00 in ISO 8601)
But sql insert has been rounded off to 1501819200
(2017-08-04T04:00:00+00:00 in ISO 8601)

The config I'm running is:
daemonize: false
nfacctd_port: 5678
aggregate[in]: dst_host
aggregate_filter[in]: dst net 192.168.0.0/16
print_refresh_time: 30
plugins: mysql[in]
sql_db: pmacct
sql_host: 127.0.0.1
sql_table[in]: acct_in
sql_table_version: 1
sql_passwd: xxx
sql_user: pmacct
sql_refresh_time: 5
sql_history: 1h
sql_history_roundoff: h

The time is correct on all machines involved.

The version I'm running: NetFlow Accounting Daemon, nfacctd 1.6.2-git
(20170401-00+c1)
Built with only mysql enabled.

Any suggestions on what I could be doing wrong are appreciated :)

-- 

Regards,
eyth...@omg.is
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
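
A quick way to quantify the mismatch reported above, as an added example that is not part of the original post or of pmacct: it parses the nfdump `first` value and the DEBUG INSERT line, computes the bucket the flow start would fall into for the configured sql_history, and reports the drift. Assumptions: the expected bucket is the flow start floored to the sql_history period, the function names are hypothetical, and the comparison against 2^32 milliseconds is a heuristic added here, not a diagnosis from the thread.

```python
import re

WRAP_S = 2**32 / 1000  # seconds covered by a 32-bit millisecond counter (~49.7 days)
UNITS = {"m": 60, "h": 3600, "d": 86400, "w": 604800}

# Constructed sample input: values copied from the nfdump record and DEBUG line above.
NFDUMP_RECORD = "  first        =        1506114959 [2017-09-22 21:15:59]\n"
DEBUG_INSERT = (
    "DEBUG ( in/mysql ): INSERT INTO `acct_in` (stamp_updated, stamp_inserted, "
    "ip_dst, src_port, dst_port, ip_proto, mac_src, mac_dst, ip_src, packets, "
    "bytes) VALUES (FROM_UNIXTIME(1506160141), FROM_UNIXTIME(1501819200), "
    "'192.168.1.255', 0, 0, 'ip', '0:0:0:0:0:0', '0:0:0:0:0:0', '0.0.0.0', 2, 465)")

def period_seconds(sql_history):
    """Convert a sql_history value such as '1h' or '5m' to seconds."""
    m = re.fullmatch(r"(\d+)([mhdw])", sql_history.strip())
    if not m:
        raise ValueError(f"unsupported sql_history value: {sql_history!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def flow_first(record):
    """Epoch seconds from the 'first' line of an nfdump raw record."""
    m = re.search(r"^\s*first\s*=\s*(\d+)", record, re.MULTILINE)
    if not m:
        raise ValueError("no 'first' field in record")
    return int(m.group(1))

def insert_stamps(debug_line):
    """Pair the stamp_* columns with the FROM_UNIXTIME() values, in order."""
    cols = re.search(r"\(([^()]*)\)\s*VALUES", debug_line)
    if not cols:
        raise ValueError("no column list found in INSERT")
    names = [c.strip() for c in cols.group(1).split(",")
             if c.strip().startswith("stamp_")]
    values = [int(v) for v in re.findall(r"FROM_UNIXTIME\((\d+)\)", debug_line)]
    return dict(zip(names, values))

def check(record, debug_line, sql_history):
    """Compare stamp_inserted with the assumed bucket of the flow start."""
    period = period_seconds(sql_history)
    first = flow_first(record)
    expected = first - first % period          # assumption: floor to period
    actual = insert_stamps(debug_line)["stamp_inserted"]
    drift = actual - expected
    return {"expected": expected, "actual": actual, "drift_s": drift,
            "aligned": actual % period == 0,   # still on a bucket boundary?
            "wrap_like": abs(abs(drift) - WRAP_S) < period}

if __name__ == "__main__":
    print(check(NFDUMP_RECORD, DEBUG_INSERT, "1h"))
```

On the values in this post the inserted stamp is still hour-aligned but sits 4294800 seconds before the expected bucket, which is within one bucket of 2^32 milliseconds.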