Hi Rich,
I was wondering if you had any log available from nfacctd; for example,
is it possible that the file 'pretag.map' with no paths supplied is not
found, causing the issue?
Paolo
On Thu, Dec 07, 2023 at 11:34:56PM +0000, Compton, Rich A wrote:
> Hi, hoping that someone can help me with this issue. I am trying to run
> nfacctd in a container and I’m using a pretag.map file to filter only certain
> netflow records. When I remove the “pre_tag_map:” line and
> “pre_tag_label_filter” from the config file, I am able to export the netflow
> records to the mysql database. When I add the same config back in, I get no
> netflow records in my database.
> The same config with the pre_tag_map config seems to work when running
> nfacctd natively on the host OS.
> Anybody have any ideas what the issue is?
> Here’s a sample of my template config file:
>
> daemonize: false
> nfacctd_port: 2055
> nfacctd_time_new: true
> pre_tag_map: pretag.map
> maps_index: true
> maps_entries: 10000
> plugins: mysql[dns], mysql[ntp], mysql[ssdp], mysql[snmp], mysql[chargen],
> mysql[ldap], mysql[portmap]
> aggregate: src_host, src_port, dst_host, dst_port, proto, src_as, dst_as,
> in_iface, out_iface, peer_src_ip
> pre_tag_label_filter[dns]: dns
> aggregate_filter[dns]: dst port 53
> pre_tag_label_filter[ntp]: ntp
> aggregate_filter[ntp]: dst port 123
> pre_tag_label_filter[ssdp]: ssdp
> aggregate_filter[ssdp]: dst port 1900
> pre_tag_label_filter[snmp]: snmp
> aggregate_filter[snmp]: dst port 161
> pre_tag_label_filter[chargen]: chargen
> aggregate_filter[chargen]: dst port 19
> pre_tag_label_filter[ldap]: ldap
> aggregate_filter[ldap]: dst port 389
> pre_tag_label_filter[portmap]: portmap
> aggregate_filter[portmap]: dst port 111
>
> sql_db[dns]: honeypot_feed
> sql_optimize_clauses[dns]: true
> sql_table[dns]: netflow
> sql_host[dns]: ${SQL_HOST}
> sql_passwd[dns]: ${SQL_PASSWORD}
> sql_user[dns]: ${SQL_USER}
> sql_refresh_time[dns]: 10
> sql_history[dns]: 1m
> sql_history_roundoff[dns]: mh
>
> sql_db[ntp]: honeypot_feed
> sql_optimize_clauses[ntp]: true
> sql_table[ntp]: netflow
> sql_host[ntp]: ${SQL_HOST}
> sql_passwd[ntp]: ${SQL_PASSWORD}
> sql_user[ntp]: ${SQL_USER}
> sql_refresh_time[ntp]: 10
> sql_history[ntp]: 1m
> sql_history_roundoff[ntp]: mh
>
> sql_db[snmp]: ${SQL_DATABASE}
> sql_optimize_clauses[snmp]: true
> sql_table[snmp]: netflow
> sql_host[snmp]: ${SQL_HOST}
> sql_passwd[snmp]: ${SQL_PASSWORD}
> sql_user[snmp]: ${SQL_USER}
> sql_refresh_time[snmp]: 10
> sql_history[snmp]: 1m
> sql_history_roundoff[snmp]: mh
>
> sql_db[ssdp]: ${SQL_DATABASE}
> sql_optimize_clauses[ssdp]: true
> sql_table[ssdp]: netflow
> sql_host[ssdp]: ${SQL_HOST}
> sql_passwd[ssdp]: ${SQL_PASSWORD}
> sql_user[ssdp]: ${SQL_USER}
> sql_refresh_time[ssdp]: 10
> sql_history[ssdp]: 1m
> sql_history_roundoff[ssdp]: mh
>
> sql_db[ldap]: ${SQL_DATABASE}
> sql_optimize_clauses[ldap]: true
> sql_table[ldap]: netflow
> sql_host[ldap]: ${SQL_HOST}
> sql_passwd[ldap]: ${SQL_PASSWORD}
> sql_user[ldap]: ${SQL_USER}
> sql_refresh_time[ldap]: 10
> sql_history[ldap]: 1m
> sql_history_roundoff[ldap]: mh
>
> sql_db[chargen]: ${SQL_DATABASE}
> sql_optimize_clauses[chargen]: true
> sql_table[chargen]: netflow
> sql_host[chargen]: ${SQL_HOST}
> sql_passwd[chargen]: ${SQL_PASSWORD}
> sql_user[chargen]: ${SQL_USER}
> sql_refresh_time[chargen]: 10
> sql_history[chargen]: 1m
> sql_history_roundoff[chargen]: mh
>
> sql_db[portmap]: ${SQL_DATABASE}
> sql_optimize_clauses[portmap]: true
> sql_table[portmap]: netflow
> sql_host[portmap]: ${SQL_HOST}
> sql_passwd[portmap]: ${SQL_PASSWORD}
> sql_user[portmap]: ${SQL_USER}
> sql_refresh_time[portmap]: 10
> sql_history[portmap]: 1m
> sql_history_roundoff[portmap]: mh
>
>
> -------cut-------------
> Example of pretag.map file:
> set_label=dns src_net=1.2.3.0/24
> set_label=ntp src_net=1.2.3.0/24
> set_label=snmp src_net=1.2.3.0/24
> set_label=ssdp src_net=1.2.3.0/24
> set_label=chargen src_net=1.2.3.0/24
> set_label=portmap src_net=1.2.3.0/24
> set_label=ldap src_net=1.2.3.0/24
>
> Rich Compton | Principal Eng | 314.596.2828
> 8560 Upland Drive, Suite B | Englewood, CO 80112
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
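
The possibility raised in the reply (a `pre_tag_map` value with no path not being found) can be checked from inside the container with a short script. This is an added example, not part of the original thread or of pmacct: the function name `resolve_map_paths` and the sample files are constructed, and it assumes a value without a leading `/` is resolved against the directory nfacctd is started from.

```shell
#!/bin/sh
# Added example: report where the pre_tag_map value in an nfacctd config
# resolves, given the directory the daemon is started from.
# Assumption: a value without a leading "/" is opened relative to the
# process's working directory (ordinary POSIX path resolution).

# resolve_map_paths CONFIG [WORKDIR]
# Prints "<status> <resolved path>" per pre_tag_map line, where status is
# OK, MISSING or UNREADABLE. Returns 1 if any entry is not OK.
resolve_map_paths() {
    cfg=$1
    workdir=${2:-$PWD}
    rc=0
    # Keep only lines that begin with the key; strip key and whitespace.
    paths=$(sed -n 's/^[[:space:]]*pre_tag_map[[:space:]]*:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$cfg")
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        case $p in
            /*) full=$p ;;              # absolute: independent of workdir
            *)  full=$workdir/$p ;;     # relative: depends on where we start
        esac
        if [ ! -e "$full" ]; then status=MISSING; rc=1
        elif [ ! -r "$full" ]; then status=UNREADABLE; rc=1
        else status=OK
        fi
        printf '%s %s\n' "$status" "$full"
    done <<EOF
$paths
EOF
    return $rc
}

# Constructed demo: one config checked from two working directories,
# standing in for "native on the host" and "inside the container".
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/host" "$tmp/container"
    printf 'daemonize: false\npre_tag_map: pretag.map\n' > "$tmp/nfacctd.conf"
    printf 'set_label=dns src_net=1.2.3.0/24\n' > "$tmp/host/pretag.map"
    echo "started from host dir:"
    resolve_map_paths "$tmp/nfacctd.conf" "$tmp/host" || true
    echo "started from container dir:"
    resolve_map_paths "$tmp/nfacctd.conf" "$tmp/container" || true
    rm -rf "$tmp"
}
demo
```

Run it in the container with the real config and the container's working directory as arguments; a `MISSING` or `UNREADABLE` line means the map is not where the relative path points, and an absolute path in `pre_tag_map` removes the dependency on the working directory.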