Re: [pmacct-discussion] Add pmacct hostname to SQL schema
The "tag" option sounds promising. I will test it.

Many thanks,
Franz

On 2017-08-22 at 20:01, Paolo Lucente wrote:
> I see, thanks for the input. The simplest solution I'd have for you is
> to use post_tag (or post_tag2), if you are not using tags for anything
> else. Essentially: you add 'tag' to your 'aggregate' line (and modify
> your SQL schema to reflect that) and add to your config 'post_tag: X'
> where X is a positive integer number different for each pmacct server.
> Would that work for you?
>
> Paolo
>
> On Tue, Aug 22, 2017 at 05:45:22PM +0200, fboehm wrote:
>> On 2017-08-22 at 16:45, Paolo Lucente wrote:
>>> Hi Franz,
>>>
>>> Are you interested in the pmacct server hostname or the IP address of
>>> the NetFlow/IPFIX/sFlow exporter? Would peer_src_ip, the IP address of
>>> the flow exporter do it? Or you are collecting via libpcap or NFLOG?
>>>
>>> Paolo
>>>
>>> On Mon, Aug 21, 2017 at 05:23:34PM +0200, fboehm wrote:
>>>> Hi,
>>>>
>>>> we use pmacct to purge traffic data to a MySQL database for billing
>>>> purposes. We might need to run multiple pmacct instances to monitor
>>>> all relevant traffic. It would be most convenient for postprocessing
>>>> if all pmacct instances could write into the same SQL tables. For
>>>> example by adding an additional column with the hostname of the
>>>> pmacct server.
>>>>
>>>> Unfortunately I only know how to assign a certain database or table
>>>> to each pmacct instance. But not how to modify the SQL schema to
>>>> support a hostname or other identifier.
>>>>
>>>> Kind regards,
>>>> Franz
>>
>> Hi Paolo,
>>
>> At the moment we use libpcap instead of netflow. Thus there is
>> unfortunately no flow exporter. I used netflow for a while but I like
>> to just rely on a mirrored switch port. I think it's easier to manage
>> in contrast to networking gear with netflow support.
>>
>> Franz

___ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
Re: [pmacct-discussion] Add pmacct hostname to SQL schema
On 2017-08-22 at 16:45, Paolo Lucente wrote:
> Hi Franz,
>
> Are you interested in the pmacct server hostname or the IP address of
> the NetFlow/IPFIX/sFlow exporter? Would peer_src_ip, the IP address of
> the flow exporter do it? Or you are collecting via libpcap or NFLOG?
>
> Paolo
>
> On Mon, Aug 21, 2017 at 05:23:34PM +0200, fboehm wrote:
>> Hi,
>>
>> we use pmacct to purge traffic data to a MySQL database for billing
>> purposes. We might need to run multiple pmacct instances to monitor
>> all relevant traffic. It would be most convenient for postprocessing
>> if all pmacct instances could write into the same SQL tables. For
>> example by adding an additional column with the hostname of the
>> pmacct server.
>>
>> Unfortunately I only know how to assign a certain database or table
>> to each pmacct instance. But not how to modify the SQL schema to
>> support a hostname or other identifier.
>>
>> Kind regards,
>> Franz

Hi Paolo,

At the moment we use libpcap instead of netflow. Thus there is unfortunately no flow exporter. I used netflow for a while but I like to just rely on a mirrored switch port. I think it's easier to manage in contrast to networking gear with netflow support.

Franz
[pmacct-discussion] Add pmacct hostname to SQL schema
Hi,

we use pmacct to purge traffic data to a MySQL database for billing purposes. We might need to run multiple pmacct instances to monitor all relevant traffic. It would be most convenient for postprocessing if all pmacct instances could write into the same SQL tables. For example by adding an additional column with the hostname of the pmacct server.

Unfortunately I only know how to assign a certain database or table to each pmacct instance. But not how to modify the SQL schema to support a hostname or other identifier.

Kind regards,
Franz
Re: [pmacct-discussion] Audit traffic with pmacct
On 08.05.2016 at 00:40, Mik J wrote:
> Could someone give me some guidelines to reach my goals

Hi Mik,

I have a comparable use-case but also not 100% working. I'm happy to discuss. In general I learned to start my tests without AGGREGATE_FILTER directive because as the name implies it filters stuff out of your incoming data before aggregation itself happens.

Kind regards,
Franz
Re: [pmacct-discussion] pmacct mysql setup
On 10.03.2016 at 16:40, Robert Juric wrote:
> However, I'm confused as to the differences or pros/cons between the
> table versions?

At the beginning I was also confused regarding the table version. If you compare the different files that contain the SQL create statements you will see that higher versions in general simply store more details about the flows.

Furthermore there are also options to customize your table layout. This way you can get rid of some columns. But be aware that customized tables use different column names and as far as I know these names are hard-coded.

Franz
Re: [pmacct-discussion] pmacct mysql setup
On 09.03.2016 at 20:39, Robert Juric wrote:
> I think this is because I only ran the v9 MySQL script. I was just a
> little confused, should I run all the scripts, just v1, or which?

Robert, please run the v4 SQL scripts and set "sql_table_version: 4" in your configuration. Maybe you anyway don't need the additional fields that v9-tables provide.

In general I'm not sure why it doesn't like the v9 settings.

Franz
Re: [pmacct-discussion] pmacct mysql setup
On 09.03.2016 at 17:06, Robert Juric wrote:
> MySQL runs fine, I see the pmacct DB and the acct_v9 table, but it is
> empty. Other than that I'm not sure where to go next to get MySQL
> working. I'm not sure how I would configure credentials or even a
> remote MySQL server if I were to deploy it differently. Could anyone
> provide any insight or links to documentation?

I used the debug parameter and debugged my SQL configuration this way. It helped me. But depending on your configuration you might have to wait a few minutes until the first data is written from the pmacct internal buffer into the MySQL database.

Franz
Re: [pmacct-discussion] Re: Multiple pmacct processes listening at similar interface
On 27.02.2016 at 17:08, itria30...@itri.org.tw wrote:
> In the end we setup sfacctd listen on a port and nfacctd on the other. But I
> am wondering if it's possible to fulfill previous requirement? This feature
> is useful for ease (a little bit) of router setting.

This would only work if you are running a software that is aware of netflow AND sflow packets. But you are trying to run two separate processes (nfacctd + sfacctd) on a similar UDP port. The first process will open the port and will receive the UDP packets. The second process won't be able to open the same port again and will terminate.

Maybe you can find a UDP proxy tool that creates a virtual network interface and duplicates all the traffic towards two separate ports on a virtual network interface (tun0). It wouldn't be very difficult to write such a tool but it would definitely be more work than a router configuration and would introduce new potential problems :)

Franz
Re: [pmacct-discussion] Multiple pmacct processes listening at similar interface
On 27.02.2016 at 13:06, itria30...@itri.org.tw wrote:
> Is there potential risk, such as packet lost to implement a daemon (or
> modify pmacct) listen to both Netflow and sflow and split them? Libcap
> is known of packet drop when CPU low (I might be wrong for that
> community keep improving).

I think there is some misunderstanding. Only the pmacctd process is using libpcap to capture packets and extract traffic information from these packets. The others (nfacctd and sfacctd) only open network ports and listen for incoming packets. They don't use libpcap.

The traffic information for netflow or sflow is provided by a different system. Typically a router or switch. Also called a Netflow Exporter or sometimes Sensor. That means no raw packets are processed by nfacctd or sfacctd.

Franz
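The two messages above discuss a single process that listens on one UDP port and splits NetFlow from sFlow. The sketch below is an added example, not code from the thread or from pmacct: it classifies each datagram by its leading version field and relays it to one of two local collectors. The loopback ports, the listen port and the function names are assumptions.

```python
import socket
import struct

# Hypothetical loopback ports where nfacctd and sfacctd are assumed to listen.
NFACCTD_ADDR = ("127.0.0.1", 20055)
SFACCTD_ADDR = ("127.0.0.1", 26343)

# NetFlow v5/v9 and IPFIX start with a 16-bit version field.
NETFLOW_VERSIONS = {5: "netflow-v5", 9: "netflow-v9", 10: "ipfix"}


def classify(datagram: bytes) -> str:
    """Name the export protocol from the leading version field."""
    if len(datagram) < 8:          # shorter than any header we inspect
        return "unknown"
    (v16,) = struct.unpack_from("!H", datagram, 0)
    if v16 in NETFLOW_VERSIONS:
        return NETFLOW_VERSIONS[v16]
    # sFlow v5 starts with a 32-bit version, so its first 16 bits are zero.
    (v32,) = struct.unpack_from("!I", datagram, 0)
    return "sflow-v5" if v32 == 5 else "unknown"


def route(datagram: bytes):
    """Return the collector address for a datagram, or None to drop it."""
    kind = classify(datagram)
    if kind == "unknown":
        return None
    return SFACCTD_ADDR if kind == "sflow-v5" else NFACCTD_ADDR


def serve(listen_addr=("0.0.0.0", 2055)):
    """Receive on the shared port and forward each datagram unchanged."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(listen_addr)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    dropped = 0
    while True:
        data, _peer = rx.recvfrom(65535)
        dst = route(data)
        if dst is None:
            dropped += 1           # unparseable input is counted, not relayed
            continue
        tx.sendto(data, dst)


if __name__ == "__main__":
    serve()
```

A relay like this replaces the exporter's source address with its own, so the collectors see every datagram as coming from the relay host. The listen socket is also an unauthenticated UDP input, so restrict it to the exporters' addresses with a host firewall.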
[pmacct-discussion] Multiple pmacct processes listening at similar interface
Hi,

I couldn't find a definitive answer on the web regarding following situation: Is it technically ok if multiple pmacct instances listen to the same interface via libpcap? The interface is in promiscuous mode and is getting traffic via a mirrored switch-port.

I like it because I don't need to restart all plugins after I changed the configuration of just one plugin.

Until now it seems to work but I'm not sure how to check if all pmacct instances are processing 100% of the incoming packets. Maybe such a setup works but isn't described anywhere because it's considered too cpu demanding in high-traffic environments.

Thanks,
Franz