uacctd doesn't log traffic #739

Closed
pzelektron opened this issue Nov 6, 2023 · 4 comments

@pzelektron

Hi.
I want to use uacctd to log into Postgres.
This is my iptables rule:
iptables -I FORWARD ! -i eth0 -m state --state NEW -p tcp -j NFLOG --nflog-prefix 5

It seems to work:

iptables -L FORWARD -nv
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   40  2400 NFLOG      6    --  !eth0  *       0.0.0.0/0            0.0.0.0/0            state NEW nflog-prefix 5

This is my uacctd.conf

uacctd_group: 5
!daemonize: true
!
! interested in in and outbound traffic
aggregate: src_host, dst_host , src_port, dst_port, proto,timestamp_start

#plugins: print
#print_refresh_time: 10

!
! storage methods
plugins: pgsql
sql_host:  192.168.0.234
sql_user: uacctd
sql_db: uacctd
sql_passwd: ******
sql_table_version: 1

sql_refresh_time: 30
timestamps_secs: true
sql_history: 1m
sql_history_roundoff: m
sql_dont_try_update: true

This is the debug log:

uacctd -d -f uacctd.conf
DEBUG: [uacctd.conf] plugin name/type: 'default'/'core'.
DEBUG: [uacctd.conf] plugin name/type: 'default_pgsql'/'pgsql'.
DEBUG: [uacctd.conf] uacctd_group:5
DEBUG: [uacctd.conf] aggregate:src_host, dst_host , src_port, dst_port, proto,timestamp_start
DEBUG: [uacctd.conf] sql_host:192.168.0.234
DEBUG: [uacctd.conf] sql_user:uacctd
DEBUG: [uacctd.conf] sql_db:uacctd
DEBUG: [uacctd.conf] sql_passwd:*****
DEBUG: [uacctd.conf] sql_table_version:1
DEBUG: [uacctd.conf] sql_refresh_time:30
DEBUG: [uacctd.conf] timestamps_secs:true
DEBUG: [uacctd.conf] sql_history:1m
DEBUG: [uacctd.conf] sql_history_roundoff:m
DEBUG: [uacctd.conf] sql_dont_try_update:true
DEBUG: [uacctd.conf] debug:true
INFO ( default/core ): Linux NetFilter NFLOG Accounting Daemon, uacctd (RELEASE)
INFO ( default/core ):  '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--with-pgsql-includes=/usr/include/postgresql' '--enable-l2' '--enable-ipv6' '--enable-plabel' '--enable-mysql' '--enable-pgsql' '--enable-sqlite3' '--enable-rabbitmq' '--enable-zmq' '--enable-kafka' '--enable-geoipv2' '--enable-jansson' '--enable-64bit' '--enable-threads' '--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins' '--enable-st-bins' '--enable-nflog' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-fcommon' 'LDFLAGS=-Wl,-z,relro' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -ffile-prefix-map=/build/pmacct-Gh56jN/pmacct-1.7.7=. -fstack-protector-strong -Wformat -Werror=format-security'
INFO ( default/core ): Reading configuration file '/etc/pmacct/uacctd.conf'.
INFO ( default_pgsql/pgsql ): plugin_pipe_size=4096000 bytes plugin_buffer_size=456 bytes
INFO ( default_pgsql/pgsql ): ctrl channel: obtained=212992 bytes target=71856 bytes
INFO ( default/core ): Successfully connected Netlink NFLOG socket
INFO ( default_pgsql/pgsql ): cache entries=32771 base cache memory=13680736 bytes
INFO ( default_pgsql/pgsql ): *** Purging cache - START (PID: 4127) ***
INFO ( default_pgsql/pgsql ): *** Purging cache - END (PID: 4127, QN: 0/0, ET: X) ***
INFO ( default_pgsql/pgsql ): *** Purging cache - START (PID: 4132) ***
INFO ( default_pgsql/pgsql ): *** Purging cache - END (PID: 4132, QN: 0/0, ET: X) ***
INFO ( default_pgsql/pgsql ): *** Purging cache - START (PID: 4135) ***
INFO ( default_pgsql/pgsql ): *** Purging cache - END (PID: 4135, QN: 0/0, ET: X) ***
INFO ( default_pgsql/pgsql ): *** Purging cache - START (PID: 4138) ***
INFO ( default_pgsql/pgsql ): *** Purging cache - END (PID: 4138, QN: 0/0, ET: X) ***
INFO ( default_pgsql/pgsql ): *** Purging cache - START (PID: 4142) ***
INFO ( default_pgsql/pgsql ): *** Purging cache - END (PID: 4142, QN: 0/0, ET: X) ***
INFO ( default_pgsql/pgsql ): *** Purging cache - START (PID: 4145) ***
INFO ( default_pgsql/pgsql ): *** Purging cache - END (PID: 4145, QN: 0/0, ET: X) ***
INFO ( default_pgsql/pgsql ): *** Purging cache - START (PID: 4148) ***
INFO ( default_pgsql/pgsql ): *** Purging cache - END (PID: 4148, QN: 0/0, ET: X) ***
^C( default_pgsql/pgsql ) *** Purging queries queue ***
INFO ( default_pgsql/pgsql ): *** Purging cache - START (PID: 4125) ***
INFO ( default_pgsql/pgsql ): *** Purging cache - END (PID: 4125, QN: 0/0, ET: X) ***
INFO ( default/core ): OK, Exiting ...

Looks OK too, but the database is empty:

uacctd=> select * from acct;
 mac_src | mac_dst | ip_src | ip_dst | port_src | port_dst | ip_proto | packets | bytes | stamp_inserted | stamp_updated | timestamp_start 
---------+---------+--------+--------+----------+----------+----------+---------+-------+----------------+---------------+-----------------
(0 rows)

uacctd -V:

Linux NetFilter NFLOG Accounting Daemon, uacctd 1.7.7-git [RELEASE]

Arguments:
 '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--with-pgsql-includes=/usr/include/postgresql' '--enable-l2' '--enable-ipv6' '--enable-plabel' '--enable-mysql' '--enable-pgsql' '--enable-sqlite3' '--enable-rabbitmq' '--enable-zmq' '--enable-kafka' '--enable-geoipv2' '--enable-jansson' '--enable-64bit' '--enable-threads' '--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins' '--enable-st-bins' '--enable-nflog' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-fcommon' 'LDFLAGS=-Wl,-z,relro' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -ffile-prefix-map=/build/pmacct-Gh56jN/pmacct-1.7.7=. -fstack-protector-strong -Wformat -Werror=format-security'

Why is nothing stored in the database? Where can I find errors?

PS. This is nfacctd.conf :

#daemonize: true
pidfile: /var/run/nfacctd.pid
syslog: daemon
nfacctd_port: 9995
!
! interested in in and outbound traffic
aggregate: src_host, dst_host , src_port, dst_port, proto,timestamp_start
!
! storage methods
plugins: pgsql
sql_host: 192.168.0.234
sql_passwd: *****
sql_table_version: 1

sql_refresh_time: 300
timestamps_secs: true
sql_history: 5m
sql_history_roundoff: m
sql_dont_try_update: true

It logs to this same server but a different database and works like a charm. So SQL must be OK.

@paololucente
Member

Hi @pzelektron, in the log output above QN: 0/0 means that the plugin is trying to write zero tuples to the database, so it is expected for the DB to be empty because uacctd is not writing any tuples into it. We should make sure that uacctd is actually receiving traffic: what do you see if you run tcpdump -s 0 -n -i nflog:5 ? Paolo

@pzelektron
Author

Thanks for the help. This:
tcpdump -s 0 -n -i nflog:5
was very helpful.
It shows my mistake in iptables. I used:
iptables -I FORWARD ! -i eth0 -m state --state NEW -p tcp -j NFLOG --nflog-prefix 5
but it should be :
iptables -I FORWARD ! -i eth0 -m state --state NEW -p tcp -j NFLOG --nflog-group 5
Now everything works great.
Thanks again.
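As an added example (not part of this issue or of the pmacct project's own code), the following POSIX shell script checks offline the two things this thread turned on: whether the NFLOG group an iptables rule delivers to matches `uacctd_group` in uacctd.conf (the mistake above was `--nflog-prefix`, which only tags the message, instead of `--nflog-group`), and how many purge cycles in the daemon's log ended with `QN: 0/0`. The function names and the sample rule strings, config and log lines are constructed for illustration; on a live host you would feed it the output of `iptables -S FORWARD`, the real uacctd.conf and the real log.

```shell
#!/bin/sh
# Added example, not pmacct project code. Offline checks for the failure mode
# discussed in pmacct issue #739: NFLOG group wiring and empty purge cycles.

# Constructed sample inputs (modelled on the thread, not captured from it).
CONF='uacctd_group: 5
plugins: pgsql'
BAD_RULE='-A FORWARD ! -i eth0 -p tcp -m state --state NEW -j NFLOG --nflog-prefix "5"'
GOOD_RULE='-A FORWARD ! -i eth0 -p tcp -m state --state NEW -j NFLOG --nflog-group 5'
LOG='INFO ( default_pgsql/pgsql ): *** Purging cache - END (PID: 4127, QN: 0/0, ET: X) ***
INFO ( default_pgsql/pgsql ): *** Purging cache - END (PID: 4132, QN: 0/0, ET: X) ***
INFO ( default_pgsql/pgsql ): *** Purging cache - END (PID: 4135, QN: 12/12, ET: 0) ***'

# Group number an NFLOG rule delivers to. --nflog-prefix is only a text tag
# carried in the NFLOG message; without --nflog-group the kernel uses group 0.
nflog_group_of_rule() {
    printf '%s\n' "$1" | sed -n 's/.*--nflog-group \([0-9][0-9]*\).*/\1/p'
}

# uacctd_group value from uacctd.conf contents (first match wins).
uacctd_group_of_conf() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*uacctd_group:[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# Returns 0 when rule and daemon agree, 1 when the rule sets no group at all,
# 2 when the two groups differ. Prints a one-line diagnosis either way.
check_nflog_wiring() {
    rule_group=$(nflog_group_of_rule "$1")
    conf_group=$(uacctd_group_of_conf "$2")
    if [ -z "$rule_group" ]; then
        echo "rule sets no --nflog-group (kernel default 0); uacctd_group is ${conf_group:-unset}"
        return 1
    fi
    if [ "$rule_group" != "$conf_group" ]; then
        echo "mismatch: rule logs to group $rule_group, uacctd_group is ${conf_group:-unset}"
        return 2
    fi
    echo "ok: rule and uacctd both use NFLOG group $rule_group"
}

# Number of purge cycles that ended with QN: 0/0, i.e. nothing handed to SQL.
# grep -c exits 1 on zero matches, so force success and keep the printed count.
zero_tuple_purges() {
    printf '%s\n' "$1" | grep -c 'Purging cache - END.*QN: 0/0' || true
}

# Stand-alone demo over the constructed inputs.
demo() {
    check_nflog_wiring "$BAD_RULE" "$CONF" || echo "  -> return code $?"
    check_nflog_wiring "$GOOD_RULE" "$CONF"
    echo "zero-tuple purge cycles in sample log: $(zero_tuple_purges "$LOG")"
}
demo
```

The config-side check tells you whether the rule and the daemon can possibly agree; it does not prove packets are flowing. The kernel-side confirmation is the one Paolo gave above: `tcpdump -s 0 -n -i nflog:5` shows what the group actually receives, independent of anything in uacctd.conf.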

@paololucente
Member

Amazing, thanks for confirming! Paolo

@pzelektron
Author

I work for an ISP; we must log traffic from our customers.
I tried to use pmacct, but I/O was very high on the Postgres server: 8-core CPU and load over 80%.
After switching to nfacctd, load dropped to 1%.
