How do we include an aggregate filler for the peer_src_ip parameter?
AnanthGopal opened this issue
Description
Consider the fact that we obtained the data from two separate exporters.
As an example,
- The first exporter peer source IP address is 1.1.1.1.
- The second exporter peer source IP address is 1.1.1.2.
We configure pmacct with RabbitMQ, and RabbitMQ receives data from the two exporters mentioned above. The data is then captured from RabbitMQ and inserted into Postgres. When we insert data into Postgres, we check to see if the peer source IP is 1.1.1.1; otherwise, we skip that record. So the 1.1.1.2 data is unnecessary, yet RabbitMQ has those entries. So we intend to use an aggregate filter for the peer source IP but are unsure how to use the peer source IP in an aggregate filter.
Below we added some other aggregate filters for protocol, src IP and dst IP. We need to add a peer source IP filter:

```
aggregate_filter:(tcp or udp) and not (src net 0.0.0.0 or dst net 255.255.255.255)
```
Version
Output of `nfacctd -V`:

```
NetFlow Accounting Daemon, nfacctd 1.7.7-git [20211107-0 (https://github.com/pmacct/pmacct/commit/ef37a415504c9c3e6afeaecb2f0cce4eb698e648)]
Arguments:
'--enable-mysql' '--enable-pgsql' '--enable-sqlite3' '--enable-kafka' '--enable-geoipv2' '--enable-jansson' '--enable-rabbitmq' '--enable-nflog' '--enable-ndpi' '--enable-zmq' '--enable-avro' '--enable-serdes' '--enable-redis' '--enable-gnutls' 'AVRO_CFLAGS=-I/usr/local/avro/include' 'AVRO_LIBS=-L/usr/local/avro/lib -lavro' '--enable-l2' '--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins' '--enable-st-bins'
Libs:
cdada 0.3.5
libpcap version 1.8.1
MariaDB 10.3.31
PostgreSQL 110013
sqlite3 3.27.2
rabbimq-c 0.11.0
rdkafka 1.8.2
jansson 2.14
MaxmindDB 1.6.0
ZeroMQ 4.3.2
Redis 1.0.3
GnuTLS 3.6.7
avro-c
serdes
nDPI 3.4.0
netfilter_log
Plugins:
memory
print
nfprobe
sfprobe
tee
mysql
postgresql
sqlite
amqp
kafka
System:
Linux 5.4.17-2136.307.3.1.el8uek.x86_64 #2 SMP Mon May 9 17:29:47 PDT 2022 x86_64
Compiler:
gcc 8.3.0
```
Your help in this is greatly appreciated.
Hi @AnanthGopal,

You can't use `aggregate_filter` for this because that one can only filter on portions of the original (or re-constructed) packet and the IP address of the exporter is not part of that. You can however use `pre_tag_map` and `pre_tag_filter` for the job. The exporter IP address can be matched in the map using the `ip` keyword, i.e.: `set_tag=100 ip=1.1.1.2`. The map can be included in the daemon config as `pre_tag_map: /path/to/pretag.map`. Finally, the tag 100 can be intercepted and excluded as follows: `pre_tag_filter[<plugin name>]: -100`.

Paolo
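Putting the pieces from the reply above together, as an added example that is not from the thread or the pmacct project: a `pre_tag_map` file that tags each exporter by its source IP, and an `nfacctd` config that drops the 1.1.1.2 exporter at the amqp plugin while keeping the existing `aggregate_filter`. The file paths, the `amqp` plugin name, the `aggregate` key list and the AMQP connection settings are assumptions.

```conf
! /etc/pmacct/pretag.map (assumed path): one tag per exporter.
! The ip= key matches the exporter (peer) source address, which
! aggregate_filter cannot see because it is not in the flow packet.
set_tag=100   ip=1.1.1.2
set_tag=200   ip=1.1.1.1

! /etc/pmacct/nfacctd.conf (assumed path)
nfacctd_port: 2055
plugins: amqp
aggregate: peer_src_ip, src_host, dst_host, proto
! packet-level filtering still works as before
aggregate_filter: (tcp or udp) and not (src net 0.0.0.0 or dst net 255.255.255.255)
! load the exporter map, then exclude everything tagged 100 (flows from 1.1.1.2)
pre_tag_map: /etc/pmacct/pretag.map
pre_tag_filter[amqp]: -100
! equivalent allow-list form: pass only flows tagged 200 (from 1.1.1.1)
! pre_tag_filter[amqp]: 200
amqp_host[amqp]: localhost
amqp_exchange[amqp]: pmacct
amqp_routing_key[amqp]: acct
```

With this in place, records from 1.1.1.2 never reach RabbitMQ, so the peer-source-IP check on the Postgres insert side becomes a safety net rather than the only control.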