Hi Falk, you should see something like this in your log: Aug 2 12:34:10 accsrv sfacctd[1839]: WARN ( all/memory ): SUM aggregation is to be used alone. Resetting other aggregation methods.
That prevents the vlan from beeing accounted. The following should work. But it will of course produce more db records. And you need to reimplement the ip_dst field in your table. aggregate[all]:vlan,src_host,dst_host To have the flows filtered for you networks you can implement aggregation filter: aggregate_filter: vlan and net <x.x.x.x/xx> Replace <x.x.x.x/xx> by your network. To lower the number of db records you could split aggregation: plugins: mysql[in], mysql[out] aggregate[in]:vlan,dst_host aggregate[out]:vlan,src_host aggregate_filter[in]:vlan and net <x.x.x.x/xx> aggregate_filter[out]:vlan and net <x.x.x.x/xx> Regards, Bernd ____________________________________ Bernd Bornkessel Network and Security Engineer Systemberatung Axel Dunkel GmbH ____________________________________ > -----Ursprüngliche Nachricht----- > Von: [email protected] [mailto:pmacct-discussion- > [email protected]] Im Auftrag von Falk Brockerhoff > Gesendet: Dienstag, 2. August 2011 11:53 > An: [email protected] > Betreff: [pmacct-discussion] pmacct.conf for aggregated ip based accounting > and vlan information > > Hi, > > I have two core-switches each having a mirror port facing my pmacct server. > I would like, what a surprise, to account all traffic to and from the > servers behind my switches. Additional I would also like to save the vlan > into the database, so that I'm able to get all traffic which belongs to a > specific customer (which has a dedicated vlan). > > My configuration (this one is for the first interface, eth4 - the second > one, for eth5, is identical) looks like this: > > --pmacct-eth4/5.conf-- > daemonize: true > promisc: true > pidfile: /var/run/pmacctd.pid > syslog: daemon > > interface: eth4/5 > > networks_file: /etc/pmacct/network > aggregate[all]: vlan,sum_host > > plugins: mysql[all] > > sql_host: localhost > sql_user: user > sql_passwd: secret > sql_db: database > > sql_table_version: 2 > sql_table: accounting_%Y_%m > sql_table_schema: /etc/pmacct/acct_v2-modified.schema > > sql_refresh_time: 60 > sql_optimize_clauses: true > sql_history: 5m > sql_history_roundoff: m > > --acct_v2-modified.schema-- > CREATE TABLE IF NOT EXISTS accounting_%Y_%m ( > agent_id INT(2) UNSIGNED NOT NULL, > vlan INT(2) UNSIGNED NOT NULL, > ip_src CHAR(15) NOT NULL, > src_port INT(2) UNSIGNED NOT NULL, > dst_port INT(2) UNSIGNED NOT NULL, > packets INT UNSIGNED NOT NULL, > bytes BIGINT UNSIGNED NOT NULL, > stamp_inserted DATETIME NOT NULL, > stamp_updated DATETIME, > PRIMARY KEY (agent_id, vlan, ip_src, stamp_inserted), > KEY vlan (vlan), > KEY ip_src (ip_src), > KEY stamp_updated (stamp_updated) ); > > --network-- > 84.254.64.0/18 > > I have two problems and maybe you can help me: > > 1.) What have I to do, so that pmacct is logging the vlan id, too? Actually > the value is always 0. > > 2.) Does this configuration match all incoming and outgoing traffic? Only > the field ip_src is filled, ip_dst is left blank (so I removed it from the > table). I'm not sure, if traffic in / from all directions is logged. In this > first step, I only need information about traffic from / to ip addresses > within my network. > > Thank you in advance for your help! > > Schönen Gruß aus Duisburg / Regards from Duisburg, > > Falk Brockerhoff > smartTERRA Geschäftsführung / smartTERRA CEO > > -- > Kontaktmöglichkeiten / Postal Address, Contact: > smartTERRA GmbH, Postfach 170353, 47183 Duisburg Telefon 0211-547 610 00, > Telefax 0211-547 610 01 Meine Durchwahl / my phone: 0211-547 610 05 > > Sitz der Gesellschaft / Principal Office: > Vogelsanger Weg 91, 40470 Düsseldorf, Deutschland GF Falk Brockerhoff, > Amtsgericht Düsseldorf HR B 65811 > > > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
