Discussion:
[pmacct-discussion] sfacctd aggregate_filter problems
Terry Duchcherer
2018-10-13 20:44:33 UTC
I have been banging my head against a wall all day on this problem.

I have two identical configuration files, 1 for nfacctd and 1 for sfacctd. The only difference is the port info they listen to.

nfacctd works perfectly with the configuration, sfacctd does not.

Here is the config:

nfacctd_port: 2055 or sfacctd_port: 6343 (Depends on which service I start)
plugins: mysql[inbound], mysql[outbound]
sqldb: pmacct
sql_host: localhost
sql_user: pmacct
sql_passwd: **********
sql_table[inbound]: acct_in
sql_table[outbound]: acct_out
aggregate[inbound]: dst_host
aggregate[outbound]: src_host
aggregate_filter[inbound]: dst net (nn.nn.nn.nn/22 or nn.nn.nn.nn/22 or nn.nn.nn.nn/21)
aggregate_filter[outbound]: src net (nn.nn.nn.nn/22 or nn.nn.nn.nn/22 or nn.nn.nn.nn/21)
sql_refresh_time: 60
sql_history: 1M
sql_history_roundoff: h

nfacctd works perfectly, one line for each host in both mysql tables.

With sfacctd, nothing is written to the mysql tables.
If I comment out the two aggregate_filter lines, lots of data is written to the mysql tables, including the subnets I want to aggregate.

What could the possible difference be between nfacctd and sfacctd?

Thanks in Advance;
Terry
Paolo Lucente
2018-10-14 08:46:42 UTC
Hi Terry,

It is possible that your sFlow exporter captures vlan info (which your
NetFlow exporter does not). In which case the filter should be modified
to reflect that. See:

https://github.com/pmacct/pmacct/blob/master/QUICKSTART#L2466-#L2497

And more specifically this:

https://github.com/pmacct/pmacct/blob/master/QUICKSTART#L2487-#L2491

Paolo
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
Terry Duchcherer
2018-10-14 21:26:55 UTC
This seems to have solved the problem. I would have never looked for this as there are no vlans on the interfaces where sFlow is enabled.

Thanks very much for the info;
Terry
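
Why the same filter can match under nfacctd and match nothing under sfacctd, as an added example that is not part of the original thread or of pmacct's code: a simplified model of libpcap filter semantics (the syntax aggregate_filter takes), where "dst net" tests fixed offsets and the "vlan" keyword shifts them by four bytes. The frames, the 10.20.0.0/22 network and the function names are constructed for illustration.

```python
import ipaddress
import struct

ETH_IPV4, ETH_VLAN = 0x0800, 0x8100

def frame(src, dst, vlan_id=None):
    """Constructed Ethernet + IPv4 header; 802.1Q tag added when vlan_id is set."""
    eth = bytes(12)                                   # dst/src MAC, zeroed
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_VLAN, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETH_IPV4)
    ip = bytes([0x45]) + bytes(11)                    # fields the filter ignores
    return (eth + ip + ipaddress.ip_address(src).packed
            + ipaddress.ip_address(dst).packed)

def match_net(pkt, direction, nets, vlan=False):
    """Model of 'src net' / 'dst net': fixed offsets into the frame, shifted
    by 4 bytes only when the expression is prefixed with the 'vlan' keyword."""
    shift = 4 if vlan else 0
    if vlan and struct.unpack_from("!H", pkt, 12)[0] != ETH_VLAN:
        return False          # 'vlan' is itself a test: untagged frames fail it
    if struct.unpack_from("!H", pkt, 12 + shift)[0] != ETH_IPV4:
        return False          # EtherType at the expected offset is not IPv4
    off = 14 + shift + (12 if direction == "src" else 16)
    addr = ipaddress.ip_address(pkt[off:off + 4])
    return any(addr in ipaddress.ip_network(n) for n in nets)

def match_either(pkt, direction, nets):
    """'(dst net X) or (vlan and dst net X)': the untagged test goes first,
    because 'vlan' shifts the offsets for the rest of the expression."""
    return (match_net(pkt, direction, nets)
            or match_net(pkt, direction, nets, vlan=True))

# Constructed sample data, not taken from the thread.
NETS = ["10.20.0.0/22"]
UNTAGGED = frame("192.0.2.10", "10.20.1.5")
TAGGED = frame("192.0.2.10", "10.20.1.5", vlan_id=100)

if __name__ == "__main__":
    for name, pkt in (("untagged", UNTAGGED), ("tagged", TAGGED)):
        print(name,
              "plain:", match_net(pkt, "dst", NETS),
              "vlan-prefixed:", match_net(pkt, "dst", NETS, vlan=True),
              "either:", match_either(pkt, "dst", NETS))
```

A filter that silently matches nothing leaves the accounting tables empty without any error, so comparing row counts with and without the filter, as Terry did, is the quickest check.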

