Script for analyzing Cisco "ip accounting" output

Denter
Posts: 5
Joined: Wed Apr 23, 2003 10:01 am
Location: Kiev, Ukraine

Script for analyzing Cisco "ip accounting" output

#1 Post by Denter » Fri Apr 25, 2003 9:13 am

Hello all!
(and sorry for my English)
I found Cacti a very useful tool, but I needed an ability to get from my 2620XM data about the use of inet links by some users. I heard about NetFlow, but I also heard that it calculates input data, while I need info about output (I use NAT on my Cisco, so... you understood :-? ). So I need to analyze data which I get from the Cisco through rsh. So I asked my friend Dmytry to write me a simple script in Perl. He did it yesterday, I tested it, found some bugs, he fixed them today and... I like what we got :wink:

What is this script for? I have a Cisco (2620XM+2950). I have a few local segments on a few interfaces, a few servers (mail, proxy, etc.) on a few other interfaces and a few inet links on... you understood :wink: . Most users use the Internet through a proxy server where squid has everything under control. But some users have direct access to the Internet using NAT on the Cisco. And this (!) is really interesting for me as a SysAdmin.
So.
First: when I analyze the output of "ip accounting" on an internal network interface I have to ignore some source IPs (or networks), which are NOT from the Internet.
Second: I need to calculate the sum of bytes in the rest of the rows for a destination IP (or network) and output this sum (and the sum of packets).
Of course for all this I need to get the data to my local server and update it every... If cmd.php runs every */5 minutes, I update my file with "ip account" data every 4,9,14,19... you... :wink: and so on...

Ok. Here it is:

Code:

#!/usr/bin/perl
#
# Cisco accounting analyzer
#
# Made by Dmitry Doroshkov on Denis Terebiy's request
#
# Usage:
# perl acc.pl [-f<acc_file_name>] [-e<excl_ip_list>] [-i<incl_ip_list>]
#
# Keys:
# -f  file_name (default file_name is /var/log/account.txt from current folder);
# Use file in format of cisco "show ip accounting" command
# ____
#    Source           Destination              Packets               Bytes
#    207.46.134.190   192.168.1.190                    9                3328
#    195.245.253.2    192.168.1.177                  937              986714
# ....
#    195.245.253.2    192.168.2.93                   382              180789
#    195.245.253.2    192.168.2.92                  1026              403110
#
#    Accounting data age is 44
# ____
# -e  comma "," delimited exclude Source IP list
# -i  comma "," delimited include Destination IP list;
# There are some rules for this list - you can (and should) use special symbols
# when defining an IP or mask:
# 192.168.2.1 - that is also 192.168.2.10 - 192.168.2.19
# so you have to mark the last octet with the "$" symbol - 192.168.2.1$
# 192.168.2 - that is not only 192.168.2.XXX, but also
# 192.168.2YY.XXX so, if you need just 192.168.2.XXX you should mark the ends of
# the first, second and third octets with the "." symbol - 192.168.2.
# And last - you can use the "*" symbol inside an address and remember:
# 192.*.1$ means 192.XXX.YYY.1, but
# 192.*.1  also means 192.XXX.1.YYY and 192.XXX.YYY.1ZZ
#
# Examples:
# perl acc.pl -f account.txt -e 192.168.,127.0.0.1$
# perl acc.pl -faccount.txt -e192.168.,127.0.0.1$ -i192.168.1.190$,192.168.1.191$
#
# Output format:
# <sum_packets>:<sum_bytes>
#
# What does it mean? Sum of packets and bytes for "Included" destination IPs
# (or a few IPs, or some network - see examples), except rows with an "Excluded"
# source IP (or a few ... you know :o)
#
# How can you create the source file?
# See: http://www.opennet.ru/tips/sml/4.shtml
# What? You do not understand Russian? That's bad.
#
# Where can you use this? I requested Dmitry to create this script for use with
# http://www.raxnet.net/products/cacti/ - Powerful RRD frontend
# So I can see how my special users with direct Internet access load my (I like to
# think that they are mine ;o) Internet channels.
#

use strict;
use Getopt::Std;

our ($opt_e, $opt_i, $opt_f);
my ($src, $dest, $packets, $bytes);
my $p_sum = 0;
my $b_sum = 0;

getopts('e:i:f:');

$opt_f = '/var/log/account.txt' unless defined($opt_f);
# Default exclude pattern becomes ^$ and therefore excludes nothing
$opt_e = '$' unless defined($opt_e);
# Default include pattern becomes ^ and therefore includes every destination
$opt_i = '' unless defined($opt_i);

# Turn each comma-delimited list into an alternation of anchored patterns
for ($opt_e, $opt_i) {
  s/,/|^/g;      # every following list item is anchored at the start
  s/\./\\./g;    # a dot in the list is a literal dot
  s/\*/.*/g;     # "*" matches any run of characters
  s/^/^/;        # anchor the first list item
}

# Three-argument open: the file name is never treated as a mode or a pipe,
# and "or" (not "||") makes die fire when the open fails
open(my $fh, '<', $opt_f) or die "Can't open file $opt_f, $!";
while (<$fh>) {
  chomp;
  s/^\s+//;
  if (/^\d/) {
    ($src, $dest, $packets, $bytes) = m/(\S+)/g;
    unless ($src =~ /$opt_e/) {
      if ($dest =~ /$opt_i/) {
#        You can uncomment the next line to see the lines included in the result
#        print "Source=>$src, Destination=>$dest, Packets=>$packets, Bytes=>$bytes\n";
        $p_sum += $packets;
        $b_sum += $bytes;
      }
    }
  }
}

close($fh);
print "$p_sum:$b_sum";

And that's all!
Here are some hints on creating the file which we parse for data:

1) On Cisco

Code:

c2620XM(config)#inter fa0/0.9
c2620XM(config-subif)#ip accounting output-packets

c2620XM(config)# ip rcmd remote-host <cisco_user> <server_ip> <server_cron_user> enable

2) On server

Crontab:

Code:

4,9,14,19,24,29,34,39,44,49,54,59 * * * * <server_cron_user> /usr/local/scripts/cisco.sh

cisco.sh:

Code:

#!/bin/sh
/usr/bin/rsh -l <cisco_user> <cisco_ip> clear ip accounting checkpoint >/dev/null
/usr/bin/rsh -l <cisco_user> <cisco_ip> clear ip accounting >/dev/null
/usr/bin/rsh -l <cisco_user> <cisco_ip> sh ip accounting checkpoint >/var/log/account.txt

And that's really all. Any comments, ideas and spellchecks :wink: will be welcome.

oharel
Cacti User
Posts: 84
Joined: Wed Jan 07, 2004 11:16 am

IP Accounting integration

#2 Post by oharel » Thu Jun 17, 2004 2:57 am

Hi Denter,

Thanks for the scripts. However, I am encountering some problems:
How exactly do I implement it in Cacti?
What did you do and define in Cacti itself for it to work?

thanks
harel

Denter
Posts: 5
Joined: Wed Apr 23, 2003 10:01 am
Location: Kiev, Ukraine

Ops... You had to use some more personal way to ask me :o\

#3 Post by Denter » Thu Dec 09, 2004 8:18 am

Ok.

1) Create the "Data Input Method"
Name: Cisco accounting
Input Type: Script/Command
Input String: perl <path_cacti>/scripts/acc.pl -f<acc_file> -e<excl_source> -i<incl_dest>
(<path_cacti>/scripts/acc.pl - script from first message)

Input Fields
Name         Field Order  Friendly Name
acc_file     1            Accounting log file
excl_source  2            Excluded source IP
incl_dest    3            Included destination IP's

Output Fields
Name   Field Order  Friendly Name  Update RRA
bytes  1            Summary bytes  Selected

2) Create the "Data Template" (Import my template and correct fields)

3) Create a Data source for each host you want to monitor, using the template.

4) Add new data sources to your graphs

Good luck.
Attachments
cacti_data_template_incoming_traffic.xml
Data source template
(4.5 KiB) Downloaded 1955 times

ariela
Posts: 17
Joined: Thu Feb 19, 2004 12:24 pm

#4 Post by ariela » Thu Jan 13, 2005 5:05 am

Great!
Thanks for the script.
Just a question. In my log I always see the same source (correct, I use NAPT with only 1 public IP) and different destinations ... how could I graph per destination? If I understand well, this script only makes visible the SUM, the total, but not per destination.

Is that possible? Any advice?

Thanks for your support
Regards
Andrea

ariela
Posts: 17
Joined: Thu Feb 19, 2004 12:24 pm

Re: Ops... You had to use some more personal way to ask me :

#5 Post by ariela » Thu Jan 13, 2005 8:35 am

Denter wrote: 4) Add new data sources to your graphs

Hem, which type of "graph items" do I have to create?
Could you help me?

Thanks for your support
Regards
Andrea

Denter
Posts: 5
Joined: Wed Apr 23, 2003 10:01 am
Location: Kiev, Ukraine

And here we are :o)

#6 Post by Denter » Sun Jul 24, 2005 10:37 pm

Yeah... I have a good reaction, do I? :-?

Ok.

First, about this section
# How can you create the source file?
# See: http://www.opennet.ru/tips/sml/4.shtml
# What? You do not understand Russian? That's bad.

There is no normal description any more, so here is mine:

On the Cisco device you have to enable rsh access from the monitoring server:
ip rcmd rsh-enable
ip rcmd remote-host <Local username> <Server IP> <Remote username> enable

Local username - user with access to the Cisco device.
Remote username - the user who runs the remote command on the server (probably "root" from cron)

On the server the request script can look like:
/usr/bin/rsh -l <cisco username> <cisco IP> clear ip accounting checkpoint >/dev/null
/usr/bin/rsh -l <cisco username> <cisco IP> clear ip accounting >/dev/null
/usr/bin/rsh -l <cisco username> <cisco IP> sh ip accounting checkpoint >/var/log/account.txt

<Local username> must be the same as <cisco username>

Now questions:

ariela wrote: In my log I see always the same source (correct, I use NAPT with only 1 public IP) and different destination ... how could I graph per destination?

In this script I calculate the SUM exactly for different destinations. So you just need to know the IPs of the destinations for which you need a graph. A source IP can only be excluded (when needed) from the calculation.
I use it for internal IPs, but I have no idea how you can use it for external destinations...

ariela wrote: Hem, wich type of "graph items" I've to create?

Heh... :wink: There is an excellent graph template, named "none".

I attached a few images, which can help you to make a graph and to see what you can get.

I do not check this forum and this discussion regularly - so feel free to use the ICQ contact from my profile. I'm usually in invisible mode, so don't wait for my "appearing online" :wink:
Attachments
Pic1.JPG
Fields settings variant.
Pic1.JPG (73.96 KiB) Viewed 35946 times
pic2.gif
Resulting graph
pic2.gif (96.33 KiB) Viewed 35946 times
pic3.JPG
Data source
pic3.JPG (48.13 KiB) Viewed 35946 times
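
Added example, not part of any post in this thread and not Dmitry's acc.pl: a per-destination breakdown of the same "show ip accounting" file, which is what post #4 asks about. It selects addresses by CIDR instead of the -e/-i regex lists (an assumption of this example), so 192.168.2.0/24 cannot also match 192.168.20.x; the sub names and the last two sample rows are constructed.

```perl
# Added example, not the acc.pl from this thread: per-destination totals with
# addresses selected by CIDR (an assumption here; acc.pl takes regex lists).
use strict; use warnings;

# Dotted quad -> 32-bit integer, or undef if not a valid IPv4 address
sub ip2int {
  my $ip = defined $_[0] ? $_[0] : '';
  my @o = $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
  return undef if @o != 4 || grep { $_ > 255 } @o;
  return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

# True if $ip is inside $cidr ("a.b.c.d/len"; a bare address means /32)
sub in_cidr {
  my ($ip, $cidr) = @_;
  my ($net, $len) = split m{/}, $cidr, 2;
  $len = 32 unless defined $len;
  my ($i, $n) = (ip2int($ip), ip2int($net));
  return 0 unless defined $i && defined $n && $len =~ /^\d+$/ && $len <= 32;
  my $mask = $len == 0 ? 0 : (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF;
  return ($i & $mask) == ($n & $mask) ? 1 : 0;
}

# Sum packets and bytes per destination, skipping rows from excluded sources
sub account {
  my ($lines, $exclude, $include) = @_;
  my %total;
  for (@$lines) {
    my ($src, $dst, $pkts, $bytes) = split ' ';
    next unless defined $bytes && $pkts =~ /^\d+$/ && $bytes =~ /^\d+$/;
    next unless defined(ip2int($src)) && defined(ip2int($dst));
    next if grep { in_cidr($src, $_) } @$exclude;
    next unless grep { in_cidr($dst, $_) } @$include;
    $total{$dst}{packets} += $pkts;
    $total{$dst}{bytes}   += $bytes;
  }
  return \%total;
}

my @rows = <DATA>;   # constructed sample rows in "show ip accounting" layout
my $t = account(\@rows, ['192.168.0.0/16', '127.0.0.1'], ['192.168.2.0/24']);
print "$_ $t->{$_}{packets}:$t->{$_}{bytes}\n" for sort keys %$t;

__DATA__
   Source           Destination              Packets               Bytes
   195.245.253.2    192.168.2.93                 382              180789
   195.245.253.2    192.168.2.92                1026              403110
   192.168.1.5      192.168.2.92                  10                1000
   195.245.253.2    192.168.20.7                   5                 500
```

Each output line has the form `<destination> <packets>:<bytes>`, so one Cacti data source per destination can read its own line.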
