Dave/Everyone - there were indeed problems with the syslog facility and now
that we've gotten THAT straightened out, I think I am closer (but NOT there)
to solving the problem with cfdcollect arts data generation.
When cfdcollect is fired up, it logs the following:
Nov 6 12:48:42 dervish cfdcollect[1323]: [I] cfdcollect (version cflowd-2-1-b1) started with 0 cflowd instances.
Nov 6 12:48:42 dervish cfdcollect[1323]: [I] sleeping for 1000000 seconds.
I understand that this is due to problems with recognizing the cflowd data?
My cfdcollect.conf has the following entries:
system {
logFacility: local6 # Syslog to local6 facility.
dataDirectory: /apps/cflowd-2-1-b1/data/flows
filePrefix: arts
pidFile: /apps/cflowd-2-1-b1/etc/cfdcollect.pid
}
cflowd {
host: localhost
tcpCollectPort: 2056
minPollInterval: 300
}
The raw flows are being written to /apps/cflowd-2-1-b1/data/flows
I have tried both with and without the flows directory (truncating at the
../data above) and both have the same results. The *.pid file seems to be
working...
Can anyone provide insight into why the arts files aren't being created?
Much obliged!
Shery
Shery Zimmerman - Litton PRC
5th Signal TNOC - Design and Performance
DSN 380-4034
> -----Original Message-----
> From: Dave Plonka [SMTP:plonka@doit.wisc.edu]
> Sent: Friday, November 03, 2000 7:05 PM
> To: cflowd@caida.org
> Cc: Zimmerman, Sheryl Ms.; Hamilton, Andrew Mr.
> Subject: Re: help getting started - no data...
>
> On Fri, Nov 03, 2000 at 04:11:57PM +0100, Zimmerman, Sheryl Ms. wrote:
> > Nope, no messages to the syslog (left the LOGFACILITY at local6, did a
> > change to the syslog.conf, to log it to /var/adm/messages and did a kill
> > -HUP pid on the syslogd)
>
> Well, cflowd *is* logging informational messages on startup, so if the
> LOGFACILITY is as local6 then it must be syslog misconfiguration/
> misbehavior that is causing them not to be written to a log file.
>
> Personally, I see them in this "catch all" logfile (under Linux):
>
> *.=info;*.=notice;*.=warn;\
> auth,authpriv.none;\
> cron,daemon.none;\
> mail,news.none -/var/log/messages
>
> Because all "info" messages go there.
>
> > even after the following:
> > % ps -ef | grep cfl
> > szim 11904 1 0 12:54:03 pts/6 0:04 ./cflowdmux
> > /apps/cflowd-2-1-b1/etc/cflowd.conf
> > szim 11906 1 0 12:54:08 pts/6 0:11 ./cflowd
> > /apps/cflowd-2-1-b1/etc/cflowd.conf
> > szim 11908 1 0 12:54:12 pts/6 0:00 ./cfdcollect
> > /apps/cflowd-2-1-b1/etc/cfdcollect.conf
> > szim 12315 488 0 15:03:27 pts/6 0:00 grep cfl
>
> Good, then your processes are up and running.
>
> <snip>
> > flowdump seems to show data:
> > FLOW
> > index: 0xc7ffff
> > router: XXX.XXX.XXX.XXX
> > src IP: XXX.XXX.XXX.XXX
> > dst IP: XXX.XXX.XXX.XXX
> > input ifIndex: 1
> > output ifIndex: 2
> > src port: 53
> > dst port: 2797
> > pkts: 1
> > bytes: 66
> > IP nexthop: XXX.XXX.XXX.XXX
> > start time: Fri Nov 3 15:07:28 2000
> > end time: Fri Nov 3 15:07:28 2000
> > protocol: 17
> > tos: 0
> > src AS: 0
> > dst AS: 0
> > src masklen: 24
> > dst masklen: 0
> > TCP flags: 0x10
> > engine type: 0
> > engine id: 0
> > etc...
>
> That looks good. I think you'll find now that my flowdumper script
> would handle _that_ raw flow just fine too, since you are apparently
> correctly using version 5 flows and collecting all flow fields as
> is indicated by "index: 0xc7ffff".
>
> > One thing I'm confused about though is why protocol is showing up when
> > we've set the stanza to just collect flows?
>
> Those fields are all part of the version 5 flow. When you say:
>
> COLLECT: { flows }
>
> you are telling cflowd that you'd like it to retain all available flow
> fields when it re-writes the flows into raw flow files using its own
> format. IMO, this is exactly what you want.
>
> That protocol info is shown when you examine the raw flows has nothing
> to do with whether or not you are accumulating and aggregating counters
> by protocol.
>
> So, at this point I don't see a problem...
> In your previous post it seemed as though you weren't getting flows in
> your raw files, but the flowdump output above shows that it is
> working.
>
> AFAIK, you have these options:
>
> 1) Use cfdcollect and ARTS++ aggregation, etc.
> In this case I won't be of much use to you, but others on the list
> can help.
>
> 2) Use FlowScan with its CampusIO and/or SubNetIO reports, which use
> RRDtool for counters, aggregation, and graphs.
>
> 3) Do both.
>
> Dave
>
> --
> plonka@doit.wisc.edu http://net.doit.wisc.edu/~plonka ARS:N9HZF
> Madison, WI
> --
> cflowd mailing list
> cflowd@caida.org
--
cflowd mailing list
cflowd@caida.org
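Dave's point about the "catch all" selector, as an added example (not code from the thread, from cflowd, or from any syslogd): a small Python model of sysklogd-style syslog.conf selectors, so the question "which rule receives cfdcollect's local6 messages?" can be answered offline before touching a live syslogd. It assumes the classic sysklogd semantics as this example understands them (`=` for exactly that priority, a bare priority meaning that priority and more severe, `!` to exclude, `none` to drop a facility, `*` for all) and that cfdcollect's `[I]` startup lines are sent at priority info. The config snippets inside are constructed: Dave's line as posted, plus a hypothetical explicit local6 rule. It shows why local6.info lands in Dave's catch-all and why the same message would be dropped if cfdcollect logged to the daemon facility instead.

```python
"""Model sysklogd-style syslog.conf selectors to see where a cfdcollect message goes.

Added example, not code from the cflowd thread or the cflowd project.  It
implements the classic sysklogd selector rules as this example understands
them ('=' exact priority, a bare priority meaning that priority and more
severe, '!' to exclude, 'none' to drop a facility, '*' for all) and assumes
cfdcollect's "[I]" startup lines go out at priority info.  Check the
semantics against syslog.conf(5) on the syslogd you actually run.
"""
import re

PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRIO_ALIAS = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + ["local%d" % i for i in range(8)]


def prio_index(name):
    """Numeric severity: 0 = emerg (most severe) ... 7 = debug."""
    return PRIORITIES.index(PRIO_ALIAS.get(name, name))


def parse_selector(selector):
    """Return {facility: set(severity index)} for a ';'-separated selector list.

    Selectors accumulate left to right, so '*.=info;daemon.none' keeps info
    for every facility except daemon, which 'none' clears again.
    """
    mask = {}
    for part in selector.split(";"):
        part = part.strip()
        if not part:
            continue
        facs, _, pri = part.rpartition(".")
        negate = pri.startswith("!")
        pri = pri.lstrip("!")
        exact = pri.startswith("=")
        pri = pri.lstrip("=")
        fac_list = FACILITIES if facs == "*" else [f.strip() for f in facs.split(",")]
        if pri in ("none", "*"):
            wanted = set(range(len(PRIORITIES)))
            drop = (pri == "none") != negate      # 'none' drops all, '!none' keeps all
        else:
            p = prio_index(pri)
            wanted = {p} if exact else set(range(p + 1))   # p and anything more severe
            drop = negate
        for fac in fac_list:
            cur = mask.setdefault(fac, set())
            (cur.difference_update if drop else cur.update)(wanted)
    return mask


def parse_conf(text):
    """Parse syslog.conf text into [(mask, action)], honouring '\\' continuation and '#' comments."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) != 2:          # selector with no action: ignore the malformed line
            continue
        rules.append((parse_selector(parts[0]), parts[1]))
    return rules


def destinations(rules, facility, priority):
    """All actions (files, pipes, remote hosts) that would receive facility.priority."""
    p = prio_index(priority)
    return [action for mask, action in rules if p in mask.get(facility, set())]


def cfdcollect_destinations(conf_text, log_facility="local6"):
    """Where cfdcollect's '[I]' startup lines (assumed: priority info) end up."""
    return destinations(parse_conf(conf_text), log_facility, "info")


# Dave's catch-all rule exactly as posted in the thread (Linux sysklogd style).
DAVE_CATCHALL = """\
*.=info;*.=notice;*.=warn;\\
auth,authpriv.none;\\
cron,daemon.none;\\
mail,news.none -/var/log/messages
"""

# Constructed (hypothetical) explicit rule for cfdcollect's logFacility.
LOCAL6_RULE = "local6.info\t/var/adm/messages\n"

if __name__ == "__main__":
    for fac in ("local6", "daemon"):
        print(fac + ".info ->", cfdcollect_destinations(DAVE_CATCHALL, fac))
    print("with explicit local6 rule ->", cfdcollect_destinations(DAVE_CATCHALL + LOCAL6_RULE))
```

Two caveats worth keeping in mind: Dave's rule only matches the exact priorities info, notice and warn, so an `[E]`-style message at priority err from the same facility would not appear there; and not every syslogd speaks this dialect (Solaris syslogd, for one, requires a tab between selector and action and does not understand `=` or `!`), so a rule copied from a Linux box can silently match nothing. After editing the real syslog.conf and HUPing syslogd, `logger -p local6.info test` followed by a look at the target file is the quickest end-to-end confirmation.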
This archive was generated by hypermail 2b29 : Mon Nov 06 2000 - 06:16:49 PST
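Dave's reading of `index: 0xc7ffff` as "all flow fields collected", as an added example (not code from the thread or from cflowd): a Python decoder for the raw-flow index bitmask that also cross-checks a flowdump record against what its index claims, which is the sort of sanity check to run before blaming cfdcollect for missing arts files. The bit values are this example's reading of cflowd's raw flow field bits (assumption: ROUTER=0x1 through TCP_FLAGS=0x40000 in the order flowdump prints them, ENGINE_TYPE=0x400000, ENGINE_ID=0x800000, with 0x80000 to 0x200000 unassigned); verify them against the cflowd headers or Cflow.pm of your release. The sample record is constructed, with the XXX'd addresses replaced by documentation addresses.

```python
"""Decode cflowd's raw-flow 'index' bitmask and cross-check a flowdump record.

Added example, not code from the cflowd project or the thread.  The bit
values are this example's reading of the field bits in cflowd's raw flow
format (assumption: verify against CflowdRawFlow / Cflow.pm for your
release).  The sample record is constructed; 192.0.2.0/24 and 198.51.100.0/24
are documentation ranges standing in for the XXX'd addresses in the thread.
"""

# (flowdump label, index bit) in the order flowdump prints the fields.
INDEX_BITS = [
    ("router", 0x000001), ("src IP", 0x000002), ("dst IP", 0x000004),
    ("input ifIndex", 0x000008), ("output ifIndex", 0x000010),
    ("src port", 0x000020), ("dst port", 0x000040), ("pkts", 0x000080),
    ("bytes", 0x000100), ("IP nexthop", 0x000200), ("start time", 0x000400),
    ("end time", 0x000800), ("protocol", 0x001000), ("tos", 0x002000),
    ("src AS", 0x004000), ("dst AS", 0x008000), ("src masklen", 0x010000),
    ("dst masklen", 0x020000), ("TCP flags", 0x040000),
    # 0x080000-0x200000 map to no field in this table (assumption)
    ("engine type", 0x400000), ("engine id", 0x800000),
]
ALL_FIELDS = 0
for _name, _bit in INDEX_BITS:
    ALL_FIELDS |= _bit          # == 0xc7ffff, the value Dave points at in the thread

# Constructed flowdump block modelled on the one quoted in the thread.
SAMPLE_FLOW = """\
FLOW
index: 0xc7ffff
router: 192.0.2.1
src IP: 198.51.100.53
dst IP: 192.0.2.77
input ifIndex: 1
output ifIndex: 2
src port: 53
dst port: 2797
pkts: 1
bytes: 66
IP nexthop: 192.0.2.254
start time: Fri Nov 3 15:07:28 2000
end time: Fri Nov 3 15:07:28 2000
protocol: 17
tos: 0
src AS: 0
dst AS: 0
src masklen: 24
dst masklen: 0
TCP flags: 0x10
engine type: 0
engine id: 0
"""


def fields_in_index(index):
    """Names of the fields whose bit is set in the index, in flowdump order."""
    return [name for name, bit in INDEX_BITS if index & bit]


def unknown_bits(index):
    """Bits set in the index that map to no known field (a format/version mismatch hint)."""
    return index & ~ALL_FIELDS


def parse_flowdump(text):
    """Parse one 'FLOW' block of flowdump output into {label: value-string}.

    Only the first ':' splits label from value, so timestamps survive intact.
    """
    rec = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "FLOW":
            continue
        label, sep, value = line.partition(":")
        if sep:
            rec[label.strip()] = value.strip()
    return rec


def check_record(text):
    """Compare the fields a record prints with the fields its index claims."""
    rec = parse_flowdump(text)
    index = int(rec["index"], 16)
    claimed = set(fields_in_index(index))
    printed = set(rec) - {"index"}
    return {
        "index": index,
        "all_fields": index == ALL_FIELDS,
        "missing": sorted(claimed - printed),     # claimed by index, not printed
        "extra": sorted(printed - claimed),       # printed, not claimed by index
        "unknown_bits": unknown_bits(index),
    }


if __name__ == "__main__":
    print(check_record(SAMPLE_FLOW))
    print(fields_in_index(0x7))
```

A record whose index has bits outside the table, or that prints fields its index does not claim, is the first thing to look at when a downstream consumer such as cfdcollect silently does nothing with a raw flow file.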