Hi Eythor, Your config looks simple and correct. I would have told you to check time on the box where you are running pmacct but you confirmed all is good there so i'm not sure. I'm willing to take a look myself; if that is an option please follow-up by unicast email. As a workaround i can sugest to use 'nfacctd_time_new: true' so to use flow arrival time at the collector as reference for time-binning.
Paolo On Mon, Sep 25, 2017 at 05:19:08PM +0000, Eyþór Ívarsson wrote: > Hi, > > I'm trying to figure out an issue with the aggregation for sql_history > methods for Netflow. > For some reason I run into issues with the stamp_inserted value being way > off and wrong. > > According to my flow the following raw Netflow stream gets a weird > timestamp inserted into the sql. > > The raw flow in nfdump: > Flow Record: > Flags = 0x06 FLOW, Unsampled > export sysid = 1 > size = 60 > first = 1506114959 [2017-09-22 21:15:59] > last = 1506115055 [2017-09-22 21:17:35] > msec_first = 831 > msec_last = 236 > src addr = 192.168.1.143 > dst addr = 192.168.1.255 > src port = 138 > dst port = 138 > fwd status = 0 > tcp flags = 0x00 ...... > proto = 17 UDP > (src)tos = 0 > (in)packets = 2 > (in)bytes = 465 > input = 2 > output = 0 > > This gets inserted into sql with this command: > DEBUG ( in/mysql ): INSERT INTO `acct_in` (stamp_updated, stamp_inserted, > ip_dst, src_port, dst_port, ip_proto, mac_src, mac_dst, ip_src, packets, > bytes) VALUES (FROM_UNIXTIME(1506160141), FROM_UNIXTIME(1501819200), > '192.168.1.255', 0, 0, 'ip', '0:0:0:0:0:0', '0:0:0:0:0:0', '0.0.0.0', 2, > 465) > > So the flow has the flow start value timestamp: 1506114959 ( > 2017-09-22T21:15:59+00:00 in ISO 8601) > But sql insert has been rounded off to 1501819200 ( > 2017-08-04T04:00:00+00:00 in ISO 8601) > > The config I'm running is: > daemonize: false > nfacctd_port: 5678 > aggregate[in]: dst_host > aggregate_filter[in]: dst net 192.168.0.0/16 > print_refresh_time: 30 > plugins: mysql[in] > sql_db: pmacct > sql_host: 127.0.0.1 > sql_table[in]: acct_in > sql_table_version: 1 > sql_passwd: xxx > sql_user: pmacct > sql_refresh_time: 5 > sql_history: 1h > sql_history_roundoff: h > > The time is correct on all machines involved. > > The version I'm running: NetFlow Accounting Daemon, nfacctd 1.6.2-git > (20170401-00+c1) > Built with only mysql enabled. > > Any suggestions on what I could be doing wrong is appreciated :) > > -- > > Regards, > [email protected] > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
