iptables stats: question

[pistole]

Hello,

my first post here so please be gentle

I have a Linux/iptables firewall with some rules in the forward chain to monitor bandwith usage of several servers/services.
I'd like to use the iptables counters to get traffic stats into Cacti.

To accomplish this, I did the following:
-create a shell script that accepts parameters (ip address, port and protocol), retrieves the correct rule from iptables' output, returns the data, and finally resets the relevant rules (reset the counters)
-create a Data Input Method that invokes the shell script
-create a Data Template to accept the data
-create a Graph Template to display the data

Now everything works quite nicely: data is correctly fetched from the firewall, is correctly added to an RRA, and a graph is show. The content of the graph however is incorrect... When I download the data from the RRA it looks correct, but the graph ('Inbound') shows numbers that are way to high!

Sample graph: fw.png

Relevant data (download from RRA and applied calculations for bandwith usage): rra.png

Can anyone help me to resolve this issue? If more information is required, please ask

[fmangeant]

Moving to "Help: General" per user request.

[gandalf]

Please provide both
- data source definition (from Data Sources, DEBUG)
- graph definition (from Graph Management, DEBUG)
Reinhard

[pistole]

Graph:

Code: Select all

RRDTool Command:

/usr/bin/rrdtool graph - \
--imgformat=PNG \
--start=-86400 \
--end=-60 \
--title="xxxxxxxxxxxxxxxxx" \
--base=1000 \
--height=160 \
--width=500 \
--alt-autoscale-max \
--lower-limit=0 \
--vertical-label="bits per second" \
--slope-mode \
--font TITLE:10: \
--font AXIS:8: \
--font LEGEND:8: \
--font UNIT:8: \
DEF:a="/usr/share/cacti/rra/pief_out_66.rrd":in:AVERAGE \
DEF:b="/usr/share/cacti/rra/pief_out_66.rrd":in:MAX \
DEF:c="/usr/share/cacti/rra/pief_out_66.rrd":out:AVERAGE \
DEF:d="/usr/share/cacti/rra/pief_out_66.rrd":out:MAX \
CDEF:cdefa=a,8,* \
CDEF:cdefd=b,8,* \
CDEF:cdefe=c,8,* \
CDEF:cdefh=d,8,* \
AREA:cdefa#00CF00FF:"Inbound"  \
GPRINT:cdefa:LAST:" Current%8.2lf %s"  \
GPRINT:cdefa:AVERAGE:"Average%8.2lf %s"  \
GPRINT:cdefd:MAX:"Maximum%8.2lf %s\n"  \
LINE1:cdefe#002A97FF:"Outbound"  \
GPRINT:cdefe:LAST:"Current%8.2lf %s"  \
GPRINT:cdefe:AVERAGE:"Average%8.2lf %s"  \
GPRINT:cdefh:MAX:"Maximum%8.2lf %s\n"  \
COMMENT:"\n"  \
HRULE:819590855.68#FF0000FF:""  \
COMMENT:"(819.59 mbit in+out)" 
RRDTool Says:

OK

DS:

Code: Select all

Data Source Debug

/usr/bin/rrdtool create \
/usr/share/cacti/rra/pief_out_66.rrd \
--step 60  \
DS:out:GAUGE:60:0:U \
DS:in:GAUGE:60:0:U \
RRA:AVERAGE:0.5:1:500 \
RRA:AVERAGE:0.5:1:600 \
RRA:AVERAGE:0.5:6:700 \
RRA:AVERAGE:0.5:24:775 \
RRA:AVERAGE:0.5:288:797 \
RRA:MAX:0.5:1:500 \
RRA:MAX:0.5:1:600 \
RRA:MAX:0.5:6:700 \
RRA:MAX:0.5:24:775 \
RRA:MAX:0.5:288:797 \

[gandalf]

Data Source Debug

/usr/bin/rrdtool create \
/usr/share/cacti/rra/pief_out_66.rrd \
--step 60 \
DS:out:GAUGE:60:0:U \
DS:in:GAUGE:60:0:U \
RRA:AVERAGE:0.5:1:500 \
RRA:AVERAGE:0.5:1:600 \
RRA:AVERAGE:0.5:6:700 \
RRA:AVERAGE:0.5:24:775 \
RRA:AVERAGE:0.5:288:797 \
RRA:MAX:0.5:1:500 \
RRA:MAX:0.5:1:600 \
RRA:MAX:0.5:6:700 \
RRA:MAX:0.5:24:775 \
RRA:MAX:0.5:288:797 \
[/code]

You are definitively running a broken rra definition. This is due to an imcomplete implementation of 1 Minute polling. But

Code: Select all

RRA:AVERAGE:0.5:1:500 \
RRA:AVERAGE:0.5:1:600 \

is incorrect. This was already discussed on this forum some weeks ago. It's not easy to configure it properly with cacti087a. It will be fully supported not earlier than 088. Please google for the 087(a) 1 min polling thread to find some hints how to get it up and running. Be aware that this will require advanced knowledge of Cacti and RRDTool
Reinhard

[pistole]

Reinhard,

thanks for your replies; I'll dive into the 1 minute interval problem. In the meantime I'll try using only 5 minute intervals (and hope that my counters won't overflow).

Danke sehr!