Had an issue using filters in the pretag file.
AnanthGopal opened this issue
Hi Paolo,
We ran into trouble when we used filters in the pretag file. Take a look at the pmacct config used below.

```
daemonize: false
nfacctd_port: 9995
nfacctd_time_new: true
timestamps_utc: true
nfacctd_stitching: true
timestamps_secs: true
plugins: print[pmacct_9995]
aggregate[pmacct_9995]: peer_src_ip, src_host, dst_host, proto, tos, src_port, dst_port, tcpflags
pre_tag_map[pmacct_9995]: /etc/pmacct/pmacct_pretag_9995.map
pre_tag_filter[pmacct_9995]: 100
print_output[pmacct_9995]: csv
print_output_file[pmacct_9995]: /etc/pmacct/pmacct_9995/filter/%Y%m%d%H%M.csv
print_output_file_append[pmacct_9995]: true
print_history_roundoff[pmacct_9995]: m
print_refresh_time[pmacct_9995]: 2
```
Pretag file configuration:

```
set_tag=100 ip=192.168.220.1 filter='not (src net 0.0.0.0 or src net 10.20.12.2 or dst net 10.88.164.7 or dst net 169.254.109.217 or dst net 10.88.156.5 or dst net 98.137.11.163 or dst net 8.253.150.254 or dst net 255.255.255.255 or src port 0 or dst port 0) and (tcp or udp) and ip'
```
When the configuration above is used, the data is received, but if the pretag file is modified (by adding an extra src net IP address), the data is not received. For example:

```
set_tag=100 ip=192.168.220.1 filter='not (src net 0.0.0.0 or src net 10.20.12.2 or src net 192.168.50.202 or dst net 10.88.164.7 or dst net 169.254.109.217 or dst net 10.88.156.5 or dst net 98.137.11.163 or dst net 8.253.150.254 or dst net 255.255.255.255 or src port 0 or dst port 0) and (tcp or udp) and ip'
```
We discovered the problem: if "src net 192.168.50.202" is added to the pretag file, the data is not received.
Version
Output of nfacctd -V:
```
NetFlow Accounting Daemon, nfacctd 1.7.7-git [20211107-0 (https://github.com/pmacct/pmacct/commit/ef37a415504c9c3e6afeaecb2f0cce4eb698e648)]

Arguments:
'--enable-mysql' '--enable-pgsql' '--enable-sqlite3' '--enable-kafka' '--enable-geoipv2' '--enable-jansson' '--enable-rabbitmq' '--enable-nflog' '--enable-ndpi' '--enable-zmq' '--enable-avro' '--enable-serdes' '--enable-redis' '--enable-gnutls' 'AVRO_CFLAGS=-I/usr/local/avro/include' 'AVRO_LIBS=-L/usr/local/avro/lib -lavro' '--enable-l2' '--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins' '--enable-st-bins'

Libs:
cdada 0.3.5
libpcap version 1.8.1
MariaDB 10.3.31
PostgreSQL 110013
sqlite3 3.27.2
rabbimq-c 0.11.0
rdkafka 1.8.2
jansson 2.14
MaxmindDB 1.6.0
ZeroMQ 4.3.2
Redis 1.0.3
GnuTLS 3.6.7
avro-c
serdes
nDPI 3.4.0
netfilter_log

Plugins:
memory
print
nfprobe
sfprobe
tee
mysql
postgresql
sqlite
amqp
kafka

System:
Linux 5.4.17-2136.307.3.1.el8uek.x86_64 #2 SMP Mon May 9 17:29:47 PDT 2022 x86_64

Compiler:
gcc 8.3.0
```
Some other developers got the same issue. For your reference:
https://www.mail-archive.com/pmacct-discussion@pmacct.net/msg03771.html
Hi @AnanthGopal,
Did you try the solution pointed out in the email you referenced, maps_row_len, so as to fit longer lines of text? Did it not work? In other words, is the issue related to the overall length of the line or to the specific src net 192.168.50.202 part?
Paolo
We verified that the problem is not with the IP address ('src net 192.168.50.202'), but with the lengthier line text.
Great, so did you try setting, for example, maps_row_len: 1024 in the config?
Grateful. I'll check it out tomorrow because it's late for me.
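The failure mode in this thread is worth a pre-deployment check: a pre_tag_map row longer than maps_row_len is not read whole, so the tag is never set, pre_tag_filter then matches nothing, and the collector silently records no flows at all. The script below is an added example and not pmacct's own code. It reads maps_row_len from a config (falling back to a caller-supplied default, since the built-in default should be taken from the CONFIG-KEYS document of the pmacct version in use rather than assumed here), flags map rows that would not fit in that row buffer, and checks that each filter='...' expression has balanced parentheses, which is how a truncated row typically shows up. The sample config is constructed and abbreviated; the two map rows are the ones from the issue, with Paolo's suggested maps_row_len: 1024 added to the config. The row-buffer rule (row plus newline must fit) is an approximation of the daemon's behaviour, not taken from its source.

```python
"""Sanity-check a pmacct pre_tag_map against the daemon's maps_row_len.

Added example, not pmacct's own code. It relies only on what the thread
shows: config rows are `key: value`, `!` starts a comment in config and map
files, and a map row longer than maps_row_len is not read whole, so the
filter on it never matches and pre_tag_filter then drops every flow.
"""
import re

# Constructed sample config, modelled on the one in the issue, with Paolo's
# suggested remedy (maps_row_len: 1024) added.
SAMPLE_CONFIG = """\
! constructed sample, not the issue's full config
daemonize: false
nfacctd_port: 9995
plugins: print[pmacct_9995]
pre_tag_map[pmacct_9995]: /etc/pmacct/pmacct_pretag_9995.map
pre_tag_filter[pmacct_9995]: 100
maps_row_len: 1024
"""

# The two map rows from the issue: ROW_SHORT worked, ROW_LONG (same filter
# plus "src net 192.168.50.202") did not.
ROW_SHORT = (
    "set_tag=100 ip=192.168.220.1 filter='not (src net 0.0.0.0 or "
    "src net 10.20.12.2 or dst net 10.88.164.7 or dst net 169.254.109.217 or "
    "dst net 10.88.156.5 or dst net 98.137.11.163 or dst net 8.253.150.254 or "
    "dst net 255.255.255.255 or src port 0 or dst port 0) and (tcp or udp) and ip'"
)
ROW_LONG = ROW_SHORT.replace(
    "src net 10.20.12.2 or ", "src net 10.20.12.2 or src net 192.168.50.202 or "
)
SAMPLE_MAP = "! constructed sample map\n" + ROW_SHORT + "\n" + ROW_LONG + "\n"


def configured_row_len(config_text, default):
    """maps_row_len from a pmacct config, or `default` if the key is absent.

    The default is a parameter on purpose: look it up under maps_row_len in
    the CONFIG-KEYS document of the pmacct version you run.
    """
    for raw in config_text.splitlines():
        line = raw.split("!", 1)[0].strip()      # drop '!' comments
        m = re.match(r"maps_row_len\s*:\s*(\d+)\s*$", line)
        if m:
            return int(m.group(1))
    return default


def map_rows(map_text):
    """(line_no, row) for every non-blank, non-comment row of a map file."""
    rows = []
    for n, raw in enumerate(map_text.splitlines(), 1):
        if raw.strip() and not raw.lstrip().startswith("!"):
            rows.append((n, raw))
    return rows


def oversized_rows(map_text, limit):
    """(line_no, length) for rows that do not fit in a limit-byte row buffer.

    Conservative assumption: the row plus its newline must fit, so a row of
    exactly `limit` bytes is flagged.
    """
    return [(n, len(row.encode())) for n, row in map_rows(map_text)
            if len(row.encode()) + 1 > limit]


def filter_balanced(row):
    """True if the row's filter='...' value has balanced parentheses.

    A truncated row usually loses its closing quote or paren, so this catches
    the same failure from the other side.
    """
    m = re.search(r"filter='([^']*)'", row)
    if not m:
        return "filter=" not in row          # a row without a filter is fine
    depth = 0
    for ch in m.group(1):
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


def check_map(config_text, map_text, default_row_len):
    """Human-readable findings; an empty list means the map should load whole."""
    limit = configured_row_len(config_text, default_row_len)
    findings = [f"line {n}: {length} bytes exceeds maps_row_len {limit}"
                for n, length in oversized_rows(map_text, limit)]
    findings += [f"line {n}: unbalanced filter expression"
                 for n, row in map_rows(map_text) if not filter_balanced(row)]
    return findings


if __name__ == "__main__":
    # Run once with a limit that only fits the shorter row, once with 1024.
    for limit in (len(ROW_SHORT) + 1, 1024):
        cfg = re.sub(r"maps_row_len: \d+", f"maps_row_len: {limit}", SAMPLE_CONFIG)
        print(f"maps_row_len {limit}:", check_map(cfg, SAMPLE_MAP, limit) or "ok")
```

Run it against the real files with `check_map(open(cfg).read(), open(map_path).read(), default)` before reloading the daemon; any finding means the pre_tag_filter will drop traffic rather than tag it, which is the silent gap the issue describes.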