[collectd] Looking for a way to collect ICMP traffic data
Steve Wray
steve at wtfast.com
Fri Oct 21 16:18:10 CEST 2016
We are doing something else with iptables logging which feeds into another
system. Turning on this level of ICMP logging would break that, I tried it
briefly.
On Fri, Oct 21, 2016 at 6:11 AM, Lee Hardy <lee at leeh.uk> wrote:
> Have you considered doing this through the iptables plugin?
>
> If you have a series of iptables rules for ICMP and you mark them with
> comments (e.g. if your rules were something like: iptables -A INPUT -p icmp
> -s 0/0 -d 0/0 --icmp-type 8 -m comment --comment ICMP-PING), you could then
> use the iptables collectd plugin to match on the comment "ICMP-PING" and
> get the stats that way?
>
> Cheers,
> Lee H
>
> On 20 October 2016 at 20:27, Steve Wray <steve at wtfast.com> wrote:
>
>> I've been trying this out but had limited success.
>>
>> At first I had a configuration like this:
>>
>> <Plugin "tail">
>> <File "/var/log/icmpinfo/icmpinfo.log">
>> Instance "icmpinfo"
>> <Match>
>> Regex "ICMP_Echo"
>> DSType "CounterInc"
>> Type "counter"
>> Instance "ICMP_Echo"
>> </Match>
>> </File>
>> </Plugin>
>>
>> but I started to find that the values were going off the charts over
>> time; it started off looking good but after a few days the values were in
>> the quadrillions and clearly wrong.
>>
>> I saw this example:
>>
>> <File "/var/log/nginx/nginx-error.log">
>> Instance "nginx"
>> <Match>
>> Regex "\\(61: Connection refused\\)"
>> DSType "DeriveInc"
>> Type "derive"
>> Instance "err_502"
>> </Match>
>> <Match>
>> Regex "\\(60: Operation timed out\\)"
>> DSType "DeriveInc"
>> Type "derive"
>> Instance "err_504"
>> </Match>
>> </File>
>>
>> and based a config on this as so:
>>
>> <Plugin "tail">
>> <File "/var/log/icmpinfo/icmpinfo.log">
>> Instance "icmpinfo"
>> <Match>
>> Regex "ICMP_Echo"
>> DSType "DeriveInc"
>> Type "derive"
>> Instance "ICMP_Echo"
>> </Match>
>> </File>
>> </Plugin>
>>
>> but this isn't producing any data at all!
>>
>> Could you share your collectd config?
>>
>> Thanks!
>>
>>
>> On Thu, Oct 13, 2016 at 11:25 AM, Eric Horst <erich at uw.edu> wrote:
>>
>>> I run icmpinfo as a daemon to syslog icmp statistics periodically
>>> where they are more easily picked up for metrics and attacks. Glancing
>>> at the source it seems that I modified it to only log messages that I
>>> care about. I also see that I made the mods in August of 1999 so not
>>> surprising it isn't fresh in my mind. The modified icmpinfo still
>>> works great after all these years.
>>>
>>> -Eric
>>>
>>> On Thu, Oct 13, 2016 at 10:20 AM, Steve Wray <steve at wtfast.com> wrote:
>>> > Hi,
>>> > I'm currently getting several system statistics via collectd and
>>> feeding
>>> > this into graphite/grafana.
>>> >
>>> > I have a need to collect and graph data on ICMP traffic specifically.
>>> >
>>> > Can anyone suggest a way to do this (in Linux)?
>>> >
>>> > Thanks
>>> >
>>> >
>>> > _______________________________________________
>>> > collectd mailing list
>>> > collectd at verplant.org
>>> > https://mailman.verplant.org/listinfo/collectd
>>>
>>
>>
>> _______________________________________________
>> collectd mailing list
>> collectd at verplant.org
>> https://mailman.verplant.org/listinfo/collectd
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.verplant.org/pipermail/collectd/attachments/20161021/5e27e5c6/attachment-0001.html>
More information about the collectd
mailing list