On 02/28/2009 07:49:50 AM, Karl O. Pinc wrote:
Bah. All the time I'm spending messing around in shell makes me think I'd be better off extending pmacct.
The attached patch to EXAMPLES explains what I'm talking about. It can be read as a patch without having to apply it. I'd like some sort of tentative approval before going forward. It must be applied on top of my example.patch just sent.

To apply:

    cd pmacct
    patch < export.patch

Note that should I go forward I may implement pmacct-netd in shell using socat, at least as a first cut.

I figure that the imt_listen config declaration syntax could later be extended to something like:

    imt_listen[in]: 192.168.0.2

In combination with VPN virtual interfaces this could restrict client access to various pmacctd/pmacct sockets. As it is, access is all or nothing to the in-memory Unix sockets that are exported over the net.

Such a syntax choice would commit pmacct to relying on the network transport layer for security. I think it's a good idea to rely on something like OpenVPN for security. OpenVPN is good at it and provides all sorts of choices (pam, nsswitch, certificates, encryption) that I think make little sense for pmacct to re-implement.

Karl <[email protected]>
Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
--- ../pmacct.example/EXAMPLES Sat Feb 28 20:46:43 2009 +++ EXAMPLES Sat Feb 28 22:38:30 2009 @@ -14,6 +14,7 @@ VIII. Quickstart guide to packet/stream classifiers IX. Quickstart guide to setup a NetFlow agent/probe X. Quickstart guide to setup a sFlow agent/probe +XI. Quickstart guide to network client/server (pmacctd/pmacct-netd) I. Plugins included with pmacct distribution @@ -24,8 +25,8 @@ 'memory': data are stored in a tunable memory table and can be fetched via the pmacct client tool, 'pmacct'. It also allows easily - data injection into - tools like GNUplot, MRTG, RRDtool or a Net-SNMP server. + data injection into tools like GNUplot, MRTG, RRDtool or a + Net-SNMP server. 'mysql': an available MySQL database is selected for data storage. 'pgsql': an available PostgreSQL database is selected for data storage. 
@@ -550,3 +551,73 @@ ! snaplen: 700 !... + +XI. Quickstart guide to network client/server (pmacctd/pmacct-netd) +The sockets created when the pmacctd memory plugin is used need not be +on the same machine as the pmacctd process. The pmacctd daemon serves +as a lightweight network server that uses TCP to feed data to a pmacct +client on a machine that further processes the collected data. + +WARNING: The pmacct software is not secured; network connections are +neither authenticated nor encrypted. If security is desired a +separate and secure network transmission path is required. Various +combinations of endpoint authentication and secrecy can be supplied by +VPN software, such as OpenVPN, and/or by a physically separate and +secure network. + +There are 3 steps involved: + +a) Have pmacctd run as a network server; add at least the first + line (imt_export) to a memory plugin configuration. + +!... +imt_export: true +imt_port: 2222 +imt_listen: 192.168.0.1 +!... + + imt_export defaults to false, the in-memory table sockets are not + exported to the network. + + imt_port defaults to 2222, the port on which pmacctd is to listen. + This default is likely to change in a future pmacctd release. Ports + may be specified by ether /etc/services name or by number. + + imt_listen defaults to *, listen on all available interfaces. It + takes either an IP number or a DNS name. + +b) Run pmacct-netd on the client machine: + + shell> pmacct-netd -s 192.168.0.1 -p 2222 + + Syntax: + pmacct-netd -s|--server host [-p|--port port] + pmacct-netd -h|--help + pmacct-netd -v|--version + + -s|--server host Host running pmacctd. + -p|--port port Port to listen on. Defaults to 2222. + -h|--help Display this help. + -v|--version Display version number. + +c) Run pmacct on the client machine for each socket declared on the + server. + + Supposing the pmacctd server configuration specifies the following + sockets: + +! 
+daemonize: true +plugins: memory[in], memory[out] +aggregate[in]: dst_host +aggregate[out]: src_host +aggregate_filter[in]: dst net 192.168.0.0/16 +aggregate_filter[out]: src net 192.168.0.0/16 +imt_export: true +imt_path[in]: /tmp/pmacct_in.pipe +imt_path[out]: /tmp/pmacct_out.pipe +! ... + + To show the collected statistics on the client machine run: + shell> pmacct -s -p /tmp/pmacct_in.pipe + shell> pmacct -s -p /tmp/pmacct_out.pipe
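Review bot: the @@ -24,8 +25,8 @@ hunk only re-wraps the 'memory' plugin paragraph ("data injection into tools like GNUplot, MRTG, RRDtool or a / Net-SNMP server.") and has nothing to do with the export feature; keep that cosmetic reflow out of this patch, or fold it into the example.patch this one is stacked on, so the functional change in section XI can be reviewed and reverted on its own.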
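Review bot: in the new section XI the pmacct-netd syntax block documents `-p|--port port` as "Port to listen on", but the example `pmacct-netd -s 192.168.0.1 -p 2222` and the imt_port text above it make this the port pmacct-netd connects to on the pmacctd host; change the line to "Port to connect to on the server. Defaults to 2222." Same section, security: with imt_export enabled, `imt_listen defaults to *, listen on all available interfaces` puts an unauthenticated, unencrypted service on every interface, which contradicts the WARNING a few lines earlier that a separate secure transmission path is required; document that imt_listen should be set to the VPN-facing address, or make the default loopback-only so wider exposure is an explicit opt-in. Minor: "by ether /etc/services name" should be "either"; and step c) implies pmacct-netd recreates /tmp/pmacct_in.pipe and /tmp/pmacct_out.pipe on the client, but nothing says how the client learns those paths or how two exported sockets share one imt_port, so add a sentence on that before merging.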
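The exporter/client split described in the post and in section XI of the patch, as an added example that is not part of the original message, not Karl's patch, and not pmacct's own code. It exposes a local Unix-domain socket over TCP with one listener per exported socket, so each socket gets its own bind address (the role the proposed imt_listen[in]/imt_listen[out] syntax would play). The stand-in pmacctd socket, its reply table and the "show" request are constructed for the demo; pmacct's real memory-table protocol is not reproduced. The per-peer allowlist goes beyond the page, which leaves all access control to a VPN: it is an assumption added here to show the minimal application-level check a relay can make before it ever touches the Unix socket.

```python
# Added example (not pmacct code): pmacct-netd style relay with a
# per-socket bind address and an assumed per-peer allowlist.
import os
import socket
import tempfile
import threading

# Constructed stand-in for what a pmacctd memory socket might answer.
SAMPLE_TABLE = (b"SRC_IP           PACKETS   BYTES\n"
                b"192.168.0.10     12        9876\n")


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then close dst's write side."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _bridge(tcp_conn, unix_path):
    """Relay one accepted TCP connection to the local Unix socket."""
    with tcp_conn, socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as usock:
        usock.connect(unix_path)
        back = threading.Thread(target=_pump, args=(usock, tcp_conn), daemon=True)
        back.start()
        _pump(tcp_conn, usock)
        back.join()


class Exporter:
    """Expose unix_path on (bind_addr, port); optionally restrict peer IPs."""

    def __init__(self, unix_path, bind_addr, port, allowed_peers=None):
        self.unix_path = unix_path
        self.allowed_peers = set(allowed_peers) if allowed_peers else None
        self.rejected = 0
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((bind_addr, port))   # bind_addr plays imt_listen[...]
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]  # real port when port=0
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, (peer_ip, _) = self.listener.accept()
            except OSError:          # listener closed
                return
            if self.allowed_peers is not None and peer_ip not in self.allowed_peers:
                self.rejected += 1
                conn.close()         # refused before the Unix socket is touched
                continue
            threading.Thread(target=_bridge, args=(conn, self.unix_path),
                             daemon=True).start()

    def close(self):
        self.listener.close()


def start_fake_pmacctd(unix_path):
    """Constructed stand-in for a pmacctd memory socket: every request gets SAMPLE_TABLE."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(unix_path)
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.recv(4096)      # the request itself is ignored here
                conn.sendall(SAMPLE_TABLE)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def fetch(host, port, request=b"show\n"):
    """Client side of the exchange: send a request, return the whole reply."""
    buf = b""
    try:
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(request)
            while chunk := s.recv(4096):
                buf += chunk
    except OSError:                  # reset or EOF from a refusing relay
        pass
    return buf


def demo():
    """Run both cases on loopback; return (reply, denied_reply, rejected_count)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "pmacct_in.pipe")
    fake = start_fake_pmacctd(path)
    # Port 0 asks the OS for a free port; a deployment would use imt_port.
    open_exp = Exporter(path, "127.0.0.1", 0, allowed_peers={"127.0.0.1"})
    reply = fetch("127.0.0.1", open_exp.port)
    closed_exp = Exporter(path, "127.0.0.1", 0, allowed_peers={"10.0.0.1"})
    denied = fetch("127.0.0.1", closed_exp.port)
    for sock in (open_exp, closed_exp, fake):
        sock.close()
    os.unlink(path)
    os.rmdir(tmpdir)
    return reply, denied, closed_exp.rejected


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, demo() returns the constructed table for the allowed peer, an empty reply for the refused one, and a rejection count of 1. In a real deployment the bind address would be the VPN-facing interface rather than loopback; the allowlist is only a cheap sanity check, since a source address on an untrusted network proves nothing, which is why the patch's WARNING still stands.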
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
