> Perhaps you also want to distinguish between internal and external
> traffic? You can then do a bit of pre-tagging for that, so a tag of
> 1 means traffic is internal whereas a tag of 0 means it's external,
> i.e.:
>
> sfacctd.conf:
> ..
> plugins: mysql[out], mysql[in]
> aggregate[out]: tag, src_host
> aggregate[in]: tag, dst_host
> aggregate_filter[out]: src net <own IP chunk A> .. or src net <own IP chunk Z>
> aggregate_filter[in]: dst net <own IP chunk A> .. or dst net <own IP chunk Z>
> pre_tag_map: /path/to/pretag.map
> ..
>
> pretag.map:
> id=1 filter=( src net <own IP chunk A> .. or src net <own IP chunk Z> ) and ( dst net <own IP chunk A> .. or dst net <own IP chunk Z> )

I've tried your config, but I'm getting weird results. When I place the
aggregate_filter, I don't receive sflow updates. They seem to be filtered
out. I've tweaked it a bit to a working condition, but this setup isn't
far from the original one-plugin setup.

debug: false
daemonize: true
interface: eth0
sfacctd_ip: 62.148.189.229
sfacctd_port: 6343
plugin_buffer_size: 2048
plugin_pipe_size: 2048000
imt_buckets: 65537
imt_mem_pools_size: 65536
sfacctd_allow_file: /etc/pmacct/sflow_allow.map
networks_file: /etc/pmacct/sflow_networks.map
pre_tag_map: /etc/pmacct/sfacctd_pretag.map
sfacctd_renormalize: true
sfacctd_disable_checks: true
syslog: local2
sql_table: acct_v7
sql_table_version: 7
sql_host: localhost
sql_user: pmacct
sql_passwd: **********
sql_optimize_clauses: true
sql_history: 1M
sql_history_roundoff: m
sql_multi_values: 512000
sql_locking_style: table
sql_db: pmacct
!sql_dont_try_update: false
!sql_cache_entries: 2000000
!sql_refresh_time: 60
aggregate[in]: tag, src_host, dst_host
aggregate[out]: tag, dst_host, src_host
plugins: mysql[out], mysql[in]

# cat sflow_networks.map
! local networks
25542,62.148.160.0/19
25542,81.93.48.0/20
25542,94.126.64.0/21
25542,2001:16e8::/32
50208,109.71.0.0/21
#
# cat sfacctd_pretag.map
id=1 ip=router1
id=2 ip=router2

This setup provides the following information:

agent_id, which provides the used router.
ip_src, which provides local network IPs, or :: / 0.0.0.0 for external
ip_dst, see ip_src :)
packets, bytes and dates.

Disabling the sflow_networks.map provides the real ip_src/ip_dst. But
trying to filter this with pre_tag gives me more of a headache. I tried a
filter:

id=1 ip=router1 filter='( src net 62.148.160.0/19 or src net 81.93.48.0/20 ) and ( dst net 62.148.160.0/19 or dst net 81.93.48.0/20 )'

But traffic from 62.148.160.0/19 to 81.93.48.0/20 isn't tagged with 1,
it's getting tagged with 0. So I'm getting confused.

--
Kind regards,

Dennis Koster

"I take no responsibility if it formats your server, defrosts your
fridge, or touches your cat inappropriately."

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
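
Added example, not part of the original message and not pmacct code: a small reference check that computes the tag the filter above is meant to produce and lists stored rows whose tag disagrees. It assumes rows of (ip_src, ip_dst, stored tag) exported from the SQL table with networks_file disabled, so that real addresses are present; the sample rows and the function names are constructed for illustration.

```python
import ipaddress

# Local prefixes copied from the pre_tag_map filter in the message above.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("62.148.160.0/19", "81.93.48.0/20")]


def is_local(addr):
    """True when addr falls inside one of the local prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in LOCAL_NETS)


def expected_tag(src, dst):
    """Tag the filter is meant to yield: 1 if both ends are local, else 0."""
    return 1 if is_local(src) and is_local(dst) else 0


def direction(src, dst):
    """Classify a flow the way the [in]/[out] plugin split intends."""
    s, d = is_local(src), is_local(dst)
    if s and d:
        return "internal"
    if s:
        return "out"
    if d:
        return "in"
    return "transit"


def mismatches(rows):
    """Return (src, dst, stored_tag, expected_tag) for rows that disagree."""
    return [(s, d, t, expected_tag(s, d))
            for s, d, t in rows if t != expected_tag(s, d)]


# Constructed sample rows: (ip_src, ip_dst, tag as stored in the table).
SAMPLE_ROWS = [
    ("62.148.161.10", "81.93.50.7", 0),   # local -> local, stored as 0
    ("62.148.161.10", "192.0.2.25", 0),   # local -> external
    ("198.51.100.4", "81.93.50.7", 0),    # external -> local
    ("81.93.49.1", "62.148.170.3", 1),    # local -> local, stored as 1
]

if __name__ == "__main__":
    for src, dst, stored, want in mismatches(SAMPLE_ROWS):
        print(f"{src} -> {dst} ({direction(src, dst)}): "
              f"stored tag {stored}, expected {want}")
```

Rows reported here are the ones to compare against the raw sFlow samples when working out why the filter did not match.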
