Hi, hoping that someone can help me with this issue. I am trying to run
nfacctd in a container and I’m using a pretag.map file to filter only certain
netflow records. When I remove the “pre_tag_map:” line and
“pre_tag_label_filter” from the config file, I am able to export the netflow
records to the mysql database. When I add the same config back in, I get no
netflow records in my database.
The same config with the pre_tag_map config seems to work when running nfacctd
natively on the host OS.
Anybody have any ideas what the issue is?
Here’s a sample of my template config file:
daemonize: false
nfacctd_port: 2055
nfacctd_time_new: true
pre_tag_map: pretag.map
maps_index: true
maps_entries: 10000
plugins: mysql[dns], mysql[ntp], mysql[ssdp], mysql[snmp], mysql[chargen],
mysql[ldap], mysql[portmap]
aggregate: src_host, src_port, dst_host, dst_port, proto, src_as, dst_as,
in_iface, out_iface, peer_src_ip
pre_tag_label_filter[dns]: dns
aggregate_filter[dns]: dst port 53
pre_tag_label_filter[ntp]: ntp
aggregate_filter[ntp]: dst port 123
pre_tag_label_filter[ssdp]: ssdp
aggregate_filter[ssdp]: dst port 1900
pre_tag_label_filter[snmp]: snmp
aggregate_filter[snmp]: dst port 161
pre_tag_label_filter[chargen]: chargen
aggregate_filter[chargen]: dst port 19
pre_tag_label_filter[ldap]: ldap
aggregate_filter[ldap]: dst port 389
pre_tag_label_filter[portmap]: portmap
aggregate_filter[portmap]: dst port 111
sql_db[dns]: honeypot_feed
sql_optimize_clauses[dns]: true
sql_table[dns]: netflow
sql_host[dns]: ${SQL_HOST}
sql_passwd[dns]: ${SQL_PASSWORD}
sql_user[dns]: ${SQL_USER}
sql_refresh_time[dns]: 10
sql_history[dns]: 1m
sql_history_roundoff[dns]: mh
sql_db[ntp]: honeypot_feed
sql_optimize_clauses[ntp]: true
sql_table[ntp]: netflow
sql_host[ntp]: ${SQL_HOST}
sql_passwd[ntp]: ${SQL_PASSWORD}
sql_user[ntp]: ${SQL_USER}
sql_refresh_time[ntp]: 10
sql_history[ntp]: 1m
sql_history_roundoff[ntp]: mh
sql_db[snmp]: ${SQL_DATABASE}
sql_optimize_clauses[snmp]: true
sql_table[snmp]: netflow
sql_host[snmp]: ${SQL_HOST}
sql_passwd[snmp]: ${SQL_PASSWORD}
sql_user[snmp]: ${SQL_USER}
sql_refresh_time[snmp]: 10
sql_history[snmp]: 1m
sql_history_roundoff[snmp]: mh
sql_db[ssdp]: ${SQL_DATABASE}
sql_optimize_clauses[ssdp]: true
sql_table[ssdp]: netflow
sql_host[ssdp]: ${SQL_HOST}
sql_passwd[ssdp]: ${SQL_PASSWORD}
sql_user[ssdp]: ${SQL_USER}
sql_refresh_time[ssdp]: 10
sql_history[ssdp]: 1m
sql_history_roundoff[ssdp]: mh
sql_db[ldap]: ${SQL_DATABASE}
sql_optimize_clauses[ldap]: true
sql_table[ldap]: netflow
sql_host[ldap]: ${SQL_HOST}
sql_passwd[ldap]: ${SQL_PASSWORD}
sql_user[ldap]: ${SQL_USER}
sql_refresh_time[ldap]: 10
sql_history[ldap]: 1m
sql_history_roundoff[ldap]: mh
sql_db[chargen]: ${SQL_DATABASE}
sql_optimize_clauses[chargen]: true
sql_table[chargen]: netflow
sql_host[chargen]: ${SQL_HOST}
sql_passwd[chargen]: ${SQL_PASSWORD}
sql_user[chargen]: ${SQL_USER}
sql_refresh_time[chargen]: 10
sql_history[chargen]: 1m
sql_history_roundoff[chargen]: mh
sql_db[portmap]: ${SQL_DATABASE}
sql_optimize_clauses[portmap]: true
sql_table[portmap]: netflow
sql_host[portmap]: ${SQL_HOST}
sql_passwd[portmap]: ${SQL_PASSWORD}
sql_user[portmap]: ${SQL_USER}
sql_refresh_time[portmap]: 10
sql_history[portmap]: 1m
sql_history_roundoff[portmap]: mh
-------cut-------------
Example of pretag.map file:
set_label=dns src_net=1.2.3.0/24
set_label=ntp src_net=1.2.3.0/24
set_label=snmp src_net=1.2.3.0/24
set_label=ssdp src_net=1.2.3.0/24
set_label=chargen src_net=1.2.3.0/24
set_label=portmap src_net=1.2.3.0/24
set_label=ldap src_net=1.2.3.0/24
[signature_1767717039]
Rich Compton | Principal Eng | 314.596.2828
8560 Upland Drive, Suite B | Englewood, CO 80112
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
