-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Donnelly, Michael (OFT) wrote:
> I'm sorry if I'm not being clear..
>
> For shadow profiles, I have empty graphs and statistics grids
> full of zeros .. generating a report by moving the slider around
> on the blank graph pulls data from that time period.
>
> For continuous profile, the graphs are empty, and the statistics
> grid beneath the graph holds all xxx's. Generating a report
> by moving the slider around on the blank graph produces
> file-not-found errors..
You definitely have a problem with nfprofile! Obviously it does not run
properly with your linked librrd.
Check the environment your nfsend process is running in and that it has all
proper settings to load all required libraries.
- Peter
>
> Also note botnet plugin produces the following every five minutes
> Error reading statinfo of 'botnets': No flow file for requested time slot
>
> Attached screenshot of shadow profile.. weird
>
>
>
> -----Original Message-----
> From: Peter Haag [mailto:[email protected]]
> Sent: Tuesday, June 23, 2009 3:02 PM
> To: Donnelly, Michael (OFT)
> Cc: [email protected]
> Subject: Re: [Nfsen-discuss] Recreate / Reinitialize RRD files.. Channel Info
> File Missing?
>
>
>
> Donnelly, Michael (OFT) wrote:
>> Peter, Thank you for your guidance..
>
>> 'nfprofile -h' returns help info as expected..
>> 'ldd nfprofile' show all libs, including librrd.so.2
>> nfdump -Z against all filters returns fast and quiet
>> 'nfsen -r live' behaves normal / as expected..
>> 'nfsen -r ServerNets' returns one of these for each/every channel.
>> ERR Error reading channel stat information. Missing key 'first'
>
>> I can create a new profile now, and the new profile mis-behaves the same
>> way ..
>
> As I said - this is not 'mis-behaving'; set an expire time and this message
> is gone!
> The important issue is that your profiles do work. Ignore channel messages
> like these.
>
> - Peter
>
>> Thanks !
>
>> -----Original Message-----
>> From: Peter Haag [mailto:[email protected]]
>> Sent: Tuesday, June 23, 2009 1:29 PM
>> To: Donnelly, Michael (OFT)
>> Cc: [email protected]
>> Subject: Re: [Nfsen-discuss] Recreate / Reinitialize RRD files.. Channel
>> Info File Missing?
>
>> Hi Michael,
>> First - there is no reason to panic! I've upgraded more than one system to
>> 64bit - and it works. :)
>
>> Donnelly, Michael (OFT) wrote:
>>> What does this tell me about my troubles?
>>> " nfsen[13856]: Channel info file missing for channel .... "
>> This is no reason for problems. It simply tells you that you have not set
>> any expire limits on that profile. "Missing" does not necessarily mean "bad".
>
>> 1. Make sure nfprofile is correctly compiled. Run nfprofile on the command
>> line to see if it's properly linked with librrd:
>> ./nfprofile -h
>> 2. If so verify all your channels:
>
>> cd $PROFILESTATDIR ( whatever you have set in nfsen.conf for $PROFILESTATDIR
>> )
>> Run this command:
>> find . -name \*filter.txt -exec nfdump -Z -f {} \;
>
>> This verifies all your filters - just to make sure everything is clean. Very
>> old installations had an inconsistency in
>> filter and accepted undocumented filter syntax such as 'srcport' which is
>> syntactically wrong.
>> Make sure this filter check completes with any error output. Fix filters, if
>> required.
>
>> If the command above completes you may rebuild the profiles with 'channel
>> missing' errors although not strictly required:
>
>> ./nfsen -r ServerNets
>
>> Again - if you have a very old installation, you may want to do that for
>> every profile - it does no harm, but needs some time to do.
>> In Bourne shell and friends:
>> sh-3.2$ for profile in `bin/nfsen -A`; do echo "Rebuilding $profile"; bin/nfsen -r "$profile"; done
>
>> For shadow profiles, nfsen spews an error - it can be ignored of course.
>
>> After all, nfsen should be in sync again.
>
>> Hope this helps, otherwise come back.
>
>> - Peter
>
>
>>> My "live" profile is working fine and tracking all data , but shadow
>>> profiles and graphs never track any data just empty repositories and
>>> blank graphs .. The above message is one of a set.. I get one for each
>>> router ..
>>> "RouteReflect1" is a valid router in , and a member of my live profile..
>>> I'm very much regretting upgrading to 64bit, but needed to exceed the per
>>> user
>>> memory limits posed in 32bit. I'm running RHEL 5.3 x86_64
>>> I've recompiled all binaries involved and am running the latest
>>> nfdump/nfsen code.
>>> Since my move to 64bit I've got a live profile working normally, but no new
>>> profiles or alerts or plugins behave.
>>> local3 10:50:23 nfsen[9253]: End expire at Tue Jun 23 10:50:00 2009
>>> local3 10:50:23 nfsen[9253]: Expire profile live group . low water mark: 75%%
>>> local3 10:50:22 nfsen[9253]: Expire profile Cookie group . low water mark: 75%%
>>> local3 10:50:22 nfsen[9253]: Run expire at Tue Jun 23 10:50:00 2009
>>> local3 10:50:22 nfsen[9253]: Error reading statinfo of 'botnets': No flow file for requested time slot
>>> local3 10:50:22 nfsen[9253]: Process alert 'botnets'
>>> local3 10:50:22 nfsen[9622]: Plugin Cycle: Time: 200906231045, Profile: live, Group: ., Module: Events,
>>> local3 10:50:21 nfsen[9253]: Update profile live in group .
>>> local3 10:50:20 nfsen[9253]: Update profile ServerNets in group .
>>> local3 10:50:19 nfsen[9253]: Update profile Pookie in group .
>>> local3 10:50:19 nfsen[9253]: Channel info file missing for channel 'Routerwing' in './Mookie'
>>> local3 10:50:19 nfsen[9253]: Channel info file missing for channel 'Router100sen' in './Mookie'
>>> local3 10:50:19 nfsen[9253]: Channel info file missing for channel 'RouteReflect1' in './Mookie'
>>> local3 10:50:19 nfsen[9253]: Channel info file missing for channel 'RouterWarner' in './Mookie'
>>> local3 10:50:19 nfsen[9253]: Channel info file missing for channel 'Router2laf' in './Mookie'
>>> local3 10:50:19 nfsen[9253]: Channel info file missing for channel 'Routerwpl' in './Mookie'
>>> local3 10:50:19 nfsen[9253]: Channel info file missing for channel 'Routerc22' in './Mookie'
>>> local3 10:50:19 nfsen[9253]: Channel info file missing for channel 'Routercap' in './Mookie'
>>> local3 10:50:18 nfsen[9253]: Channel info file missing for channel 'Router15met' in './Mookie'
>>> local3 10:50:18 nfsen[9253]: Channel info file missing for channel 'Routeratt' in './Mookie'
>>> local3 10:50:18 nfsen[9253]: Channel info file missing for channel 'Routercogent' in './Mookie'
>>> local3 10:50:18 nfsen[9253]: Channel info file missing for channel 'RouterG_Tech' in './Mookie'
>>> local3 10:50:18 nfsen[9253]: Update profile Mookie in group .
>>> local3 10:50:17 nfsen[9253]: Update profile Dookie in group .
>>> local3 10:50:17 last message repeated 11 times
>>> local3 10:50:17 nfsen[9253]: Error reading channel stat information. Missing key 'first'
>>> local3 10:50:16 nfsen[9253]: Update profile Cookie in group .
>>> local3 10:50:15 nfsen[9253]: 50 channels/alerts to profile
>>> daemon 10:50:10 /usr/local/bin/nfcapd[9218]: Total ignored packets: 0
>>> daemon 10:50:10 /usr/local/bin/nfcapd[9218]: Ident: 'RouterG_Tech' Flows: 24, Packets: 183, Bytes: 10974, Sequence Errors: 12, Bad Packets: 0
>>> daemon 10:50:05 /usr/local/bin/nfcapd[9239]: Total ignored packets: 0
>>> daemon 10:50:05 /usr/local/bin/nfcapd[9239]: Ident: 'Router2laf' Flows: 769, Packets: 5087637, Bytes: 2256297523, Sequence Errors: 0, Bad Packets: 0
>>> daemon 10:50:02 /usr/local/bin/nfcapd[9230]: Total ignored packets: 0
>>> daemon 10:50:02 /usr/local/bin/nfcapd[9230]: Ident: 'Routercap' Flows: 12644, Packets: 8721169, Bytes: 3308263407, Sequence Errors: 0, Bad Packets: 0
>>> daemon 10:50:01 /usr/local/bin/nfcapd[9227]: Total ignored packets: 0
>>> daemon 10:50:01 /usr/local/bin/nfcapd[9227]: Ident: 'Routerc22' Flows: 11937, Packets: 11231279, Bytes: 5472391616, Sequence Errors: 0, Bad Packets: 0
>>> daemon 10:50:01 /usr/local/bin/nfcapd[9251]: Total ignored packets: 0
>>> daemon 10:50:01 /usr/local/bin/nfcapd[9251]: Ident: 'Router100sen' Flows: 1048, Packets: 1674423, Bytes: 936777615, Sequence Errors: 0, Bad Packets: 0
>>> daemon 10:50:00 /usr/local/bin/nfcapd[9224]: Total ignored packets: 0
>>> daemon 10:50:00 /usr/local/bin/nfcapd[9224]: Ident: 'Router15met' Flows: 6644, Packets: 4546867, Bytes: 2135841733, Sequence Errors: 0, Bad Packets: 0
>>> daemon 10:50:00 /usr/local/bin/nfcapd[9245]: Total ignored packets: 0
>>> daemon 10:50:00 /usr/local/bin/nfcapd[9245]: Ident: 'RouteReflect1' Flows: 0, Packets: 0, Bytes: 0, Sequence Errors: 0, Bad Packets: 0
>>> daemon 10:50:00 /usr/local/bin/nfcapd[9242]: Total ignored packets: 0
>>> daemon 10:50:00 /usr/local/bin/nfcapd[9242]: Ident: 'TimeWarner' Flows: 295980, Packets: 7668673, Bytes: 5035803183, Sequence Errors: 0, Bad Packets: 0
>>> daemon 10:50:00 /usr/local/bin/nfcapd[9248]: Total ignored packets: 0
>>> daemon 10:50:00 /usr/local/bin/nfcapd[9248]: Ident: 'Routerbwing' Flows: 278310, Packets: 5924814, Bytes: 5642547873, Sequence Errors: 0, Bad Packets: 0
>>> daemon 10:50:00 /usr/local/bin/nfcapd[9236]: Total ignored packets: 0
>>> daemon 10:50:00 /usr/local/bin/nfcapd[9236]: Ident: 'Routerwpl' Flows: 4582, Packets: 1665665, Bytes: 689980205, Sequence Errors: 0, Bad Packets: 0
>>> daemon 10:50:00 /usr/local/bin/nfcapd[9233]: Total ignored packets: 0
>>> daemon 10:50:00 /usr/local/bin/nfcapd[9233]: Ident: 'Routeratt' Flows: 238200, Packets: 3813227, Bytes: 1356438479, Sequence Errors: 0, Bad Packets: 0
>>> daemon 10:50:00 /usr/local/bin/nfcapd[9221]: Total ignored packets: 0
>>> daemon 10:50:00 /usr/local/bin/nfcapd[9221]: Ident: 'Routercogent' Flows: 732270, Packets: 16143537, Bytes: 7453599742, Sequence Errors: 0, Bad Packets: 0
>>> Thanks
>>> _______________________________________________
>>> Nfsen-discuss mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>
- --
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: [email protected] Web: http://www.switch.ch/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
-----END PGP SIGNATURE-----
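
An added example, not part of the original thread and not NfSen code: a small triage of the syslog excerpt quoted above that separates the "Channel info file missing" notices (described in the reply as meaning no expire limits are set) from items worth following up, such as stat-read errors, collectors that received no flows, and collectors reporting sequence errors. The function name `triage` and the report keys are assumptions made for this illustration; the sample lines are copied from the quoted log with mail line-wrapping undone.

```python
import re
from collections import defaultdict

# Sample lines copied from the syslog excerpt quoted in this thread (unwrapped).
SAMPLE = """\
local3 10:50:19 nfsen[9253]: Channel info file missing for channel 'RouteReflect1' in './Mookie'
local3 10:50:19 nfsen[9253]: Channel info file missing for channel 'Routercap' in './Mookie'
local3 10:50:17 nfsen[9253]: Error reading channel stat information. Missing key 'first'
local3 10:50:22 nfsen[9253]: Error reading statinfo of 'botnets': No flow file for requested time slot
daemon 10:50:10 /usr/local/bin/nfcapd[9218]: Ident: 'RouterG_Tech' Flows: 24, Packets: 183, Bytes: 10974, Sequence Errors: 12, Bad Packets: 0
daemon 10:50:00 /usr/local/bin/nfcapd[9245]: Ident: 'RouteReflect1' Flows: 0, Packets: 0, Bytes: 0, Sequence Errors: 0, Bad Packets: 0
daemon 10:50:05 /usr/local/bin/nfcapd[9239]: Ident: 'Router2laf' Flows: 769, Packets: 5087637, Bytes: 2256297523, Sequence Errors: 0, Bad Packets: 0
"""

MISSING = re.compile(r"Channel info file missing for channel '([^']+)' in '\./([^']+)'")
STATERR = re.compile(r"Error reading statinfo of '([^']+)': (.+)$")
NFCAPD = re.compile(r"nfcapd\[\d+\]: Ident: '([^']+)' Flows: (\d+), Packets: (\d+), "
                    r"Bytes: (\d+), Sequence Errors: (\d+), Bad Packets: (\d+)")

def triage(text):
    """Split nfsen/nfcapd syslog lines into informational and follow-up items."""
    no_expire = defaultdict(list)      # profile -> channels; informational per the thread
    report = {"stat_errors": [],       # (alert or plugin name, reason) pairs
              "silent_collectors": [], # nfcapd idents that logged Flows: 0
              "sequence_errors": {}}   # ident -> reported sequence error count
    for line in text.splitlines():
        if m := MISSING.search(line):
            no_expire[m.group(2)].append(m.group(1))
        elif m := STATERR.search(line):
            report["stat_errors"].append((m.group(1), m.group(2)))
        elif m := NFCAPD.search(line):
            ident, flows, seq = m.group(1), int(m.group(2)), int(m.group(5))
            if flows == 0:
                report["silent_collectors"].append(ident)
            if seq:
                report["sequence_errors"][ident] = seq
        # Anything else (e.g. "Missing key 'first'") is left unclassified.
    report["no_expire_set"] = dict(no_expire)
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```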