<div dir="ltr"><div class="gmail_default" style="font-family:monospace,monospace">We are doing something else with iptables logging which feeds into another system. Turning on this level of ICMP logging would break that, I tried it briefly.</div><div class="gmail_default" style="font-family:monospace,monospace"><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 21, 2016 at 6:11 AM, Lee Hardy <span dir="ltr"><<a href="mailto:lee@leeh.uk" target="_blank">lee@leeh.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Have you considered doing this through the iptables plugin? <div><br></div><div>If you have a series of iptables rules for ICMP and you mark them with comments (e.g. if your rules were something like: iptables -A INPUT -p icmp -s 0/0 -d 0/0 --icmp-type 8 -m comment --comment ICMP-PING), you could then use the iptables collectd plugin to match on the comment "ICMP-PING" and get the stats that way?<div><br></div><div>Cheers,</div><div>Lee H</div></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On 20 October 2016 at 20:27, Steve Wray <span dir="ltr"><<a href="mailto:steve@wtfast.com" target="_blank">steve@wtfast.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:monospace,monospace">I've been trying this out but had limited success.</div><div class="gmail_default" style="font-family:monospace,monospace"><br></div><div class="gmail_default" style="font-family:monospace,monospace">At first I had a configuration like this:</div><div class="gmail_default" style="font-family:monospace,monospace"><br></div><div class="gmail_default"><div class="gmail_default" style="font-family:monospace,monospace"><Plugin "tail"></div><div class="gmail_default" style="font-family:monospace,monospace"> <File "/var/log/icmpinfo/icmpinfo.lo<wbr>g"></div><div class="gmail_default" style="font-family:monospace,monospace"> Instance "icmpinfo"</div><div class="gmail_default" style="font-family:monospace,monospace"> <Match></div><div class="gmail_default" style="font-family:monospace,monospace"> Regex "ICMP_Echo"</div><div class="gmail_default" style="font-family:monospace,monospace"> DSType "CounterInc"</div><div class="gmail_default" style="font-family:monospace,monospace"> Type "counter"</div><div class="gmail_default" style="font-family:monospace,monospace"> Instance "ICMP_Echo"</div><div class="gmail_default" style="font-family:monospace,monospace"> </Match></div><div class="gmail_default" style="font-family:monospace,monospace"> </File></div><div class="gmail_default" style="font-family:monospace,monospace"></Plugin></div><div style="font-family:monospace,monospace"><br></div><div style="font-family:monospace,monospace">but I started to find that the values were going off the charts over time; it started off looking good but after a few days the values were in the quadrillions and clearly wrong.</div><div style="font-family:monospace,monospace"><br></div><div style="font-family:monospace,monospace">I saw this example:</div><div style="font-family:monospace,monospace"><br></div><div><div><font face="monospace, monospace"><File "/var/log/nginx/nginx-error.lo<wbr>g"></font></div><div><font face="monospace, monospace"> Instance "nginx"</font></div><div><font face="monospace, monospace"> <Match></font></div><div><font face="monospace, monospace"> Regex "\\(61: Connection refused\\)"</font></div><div><font face="monospace, monospace"> DSType "DeriveInc"</font></div><div><font face="monospace, monospace"> Type "derive"</font></div><div><font face="monospace, monospace"> Instance "err_502"</font></div><div><font face="monospace, monospace"> </Match></font></div><div><font face="monospace, monospace"> <Match></font></div><div><font face="monospace, monospace"> Regex "\\(60: Operation timed out\\)"</font></div><div><font face="monospace, monospace"> DSType "DeriveInc"</font></div><div><font face="monospace, monospace"> Type "derive"</font></div><div><font face="monospace, monospace"> Instance "err_504"</font></div><div><font face="monospace, monospace"> </Match></font></div><div><font face="monospace, monospace"></File></font></div></div><div><br></div><div><font face="monospace, monospace">and based a config on this as so:</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><div><Plugin "tail"></div><div> <File "/var/log/icmpinfo/icmpinfo.lo<wbr>g"></div><div> Instance "icmpinfo"</div><div> <Match></div><div> Regex "ICMP_Echo"</div><div> DSType "DeriveInc"</div><div> Type "derive"</div><div> Instance "ICMP_Echo"</div><div> </Match></div><div> </File></div><div></Plugin></div><div><br></div><div>but this isn't producing any data at all!</div><div><br></div><div>Could you share your collectd config?</div><div><br></div><div>Thanks!</div><div><br></div></font></div></div></div><div class="m_6814661369981066674HOEnZb"><div class="m_6814661369981066674h5"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 13, 2016 at 11:25 AM, Eric Horst <span dir="ltr"><<a href="mailto:erich@uw.edu" target="_blank">erich@uw.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I run icmpinfo as a daemon to syslog icmp statistics periodically<br>
where they are more easily picked up for metrics and attacks. Glancing<br>
at the source it seems that I modified it to only log messages that I<br>
care about. I also see that I made the mods in August of 1999 so not<br>
surprising it isn't fresh in my mind. The modified icmpinfo still<br>
works great after all these years.<br>
<br>
-Eric<br>
<div><div class="m_6814661369981066674m_-2085160969642904354h5"><br>
On Thu, Oct 13, 2016 at 10:20 AM, Steve Wray <<a href="mailto:steve@wtfast.com" target="_blank">steve@wtfast.com</a>> wrote:<br>
> Hi,<br>
> I'm currently getting several system statistics via collectd and feeding<br>
> this into graphite/grafana.<br>
><br>
> I have a need to collect and graph data on ICMP traffic specifically.<br>
><br>
> Can anyone suggest a way to do this (in Linux)?<br>
><br>
> Thanks<br>
><br>
><br>
</div></div>> ______________________________<wbr>_________________<br>
> collectd mailing list<br>
> <a href="mailto:collectd@verplant.org" target="_blank">collectd@verplant.org</a><br>
> <a href="https://mailman.verplant.org/listinfo/collectd" rel="noreferrer" target="_blank">https://mailman.verplant.org/l<wbr>istinfo/collectd</a><br>
</blockquote></div><br></div>
</div></div><br>______________________________<wbr>_________________<br>
collectd mailing list<br>
<a href="mailto:collectd@verplant.org" target="_blank">collectd@verplant.org</a><br>
<a href="https://mailman.verplant.org/listinfo/collectd" rel="noreferrer" target="_blank">https://mailman.verplant.org/l<wbr>istinfo/collectd</a><br></blockquote></div><br></div>
</div></div></blockquote></div><br></div>