Cacti (home)ForumsDocumentation
Cacti: offical forums and support
It is currently Wed May 22, 2019 1:54 pm

All times are UTC - 5 hours




Post new topic Reply to topic  [ 6 posts ] 
Author Message
 Post subject: Script for analize Cisco "ip accounting" output
PostPosted: Fri Apr 25, 2003 9:13 am 
Offline

Joined: Wed Apr 23, 2003 10:01 am
Posts: 5
Location: Kiev, Ukraine
Hello all!
(and sorry for my english)
I found a cacti very usefool tool, but I needed an ability to get from my 2620XM data about using inet links by some users. I heard about NetFlow, but also I heard, that it calculate input data, while I need info about output (I use a NAT on my Cisco, so... you undestood :-? ). So I need to analize data, which I get from Cisco throw rsh. So I ask my friend Dmytry to write for me some seample script on perl. He did it yersterday, I tested it, found some bugs, he fixed it today and... I like what we get :wink:

What does this script for? I have a Cisco (2620XM+2950). I have few local segment on few interfaces, few server's (mail, proxy, etc.) on other few interfaces and few inet links on... you understood :wink: . Most users use Internet throw proxy server where squid have everything under control. But some users have direct access to internet using NAT on Cisco. And this (!) is realy interesting for me as SysAdmin.
So.
First: when I analize output of "ip accounting" on internal network interfave I have to ignore some source IP's (or network), which are NOT from Internet.
Second: I need to calculate summary of bytes in the rest of rowses for destination IP (or network) and output this summary (and summary of packets).
Of course for all this I need to get a data to my local server and update it every... If cmd.php runs every */5 minutes, so I update my file with "ip account" data every 4,9,14,19... you... :wink: and so on...

Ok. Here it is:

Code:
#!/usr/bin/perl
#
# Cisco accounting analizer
#
# Made by Dmitry Doroshkov on Denis Terebiy request
#
# Usage:
# perl acc.pl [-f<acc_file_name>] [-e<exlc_ip_list>] [-i<incl_ip_list>]
#
# Keys:
# -f  file_name (default file_name is /var/log/account.txt from current folder);
# Use file in format of cisco "show ip accounting" command
# ____
#    Source           Destination              Packets               Bytes
#    207.46.134.190   192.168.1.190                    9                3328
#    195.245.253.2    192.168.1.177                  937              986714
# ....
#    195.245.253.2    192.168.2.93                   382              180789
#    195.245.253.2    192.168.2.92                  1026              403110
#
#    Accounting data age is 44
# ____
# -e  comma "," delimited exclude Source IP list
# -i  comma "," delimited include Destination IP list;
# There are some rules with this list - you can (and should) use special simbols
# when define IP or mask:
# 192.168.2.1 - that is also and 192.168.2.10 - 192.168.2.19
# so you have to mark last octet with "$" simbol - 192.168.2.1$
# 192.168.2 - that is not only 192.168.2.XXX, but also
# 192.168.2YY.XXX so, if you need just 192.168.2.XXX you should mark ends of
# first, second and third octets with "." simbol - 192.168.2.
# And last - you can use "*" simbol inside address and remember:
# 192.*.1$ means 192.XXX.YYY.1, but
# 192.*.1  also means 192.XXX.1.YYY and 192.XXX.YYY.1ZZ
#
# Examples:
# perl acc.pl -f account.txt -e 192.168.,127.0.0.1$
# perl acc.pl -faccount.txt -e192.168.,127.0.0.1$ -i192.168.1.190$,192.168.1.191$
#
# Output format:
# <sum_packets>:<sum_bytes>
#
# What does it means? Summary of packets and bytes for "Included" destination IP's
# (or few IP's, or some network - see examples), exept rows with "Excluded"
# source IP (or few ... you know :o)
#
# How can you create the source file?
# See: http://www.opennet.ru/tips/sml/4.shtml
# What? You do not undestood Russian? Thats bad.
#
# Where can you use this? I requested Dmitry to create this script for using with
# http://www.raxnet.net/products/cacti/ - Powerfool RRD frontend
# So I can see how my special users with direct Internet access load my (I like to
# think that they are mine ;o) Internet channels.
#

use strict;
use Getopt::Std;

our($opt_e, $opt_i, $opt_f);
my ($src, $dest, $packets, $bytes);
my $p_sum = 0;
my $b_sum = 0;

getopts('e:i:f:');

$opt_f = '/var/log/account.txt' unless defined($opt_f);
$opt_e = '$' unless defined($opt_e);

$opt_e =~ s/,/|^/g;
$opt_e =~ s/\./\\./g;
$opt_e =~ s/\*/.*/g;
$opt_e =~ s/^/^$1/;

$opt_i =~ s/,/|^/g;
$opt_i =~ s/\./\\./g;
$opt_i =~ s/\*/.*/g;
$opt_i =~ s/^/^$1/;

open F,"$opt_f" || die "Can't open file $opt_f, $!";
while (<F>) {
  chomp;
  s/^\s+//;
  if (/^\d/) {
    ($src, $dest, $packets, $bytes) = m/(\S+)/g;
    unless ($src =~ /$opt_e/) {
      if ($dest =~ /$opt_i/) {
#        You can uncomment next line to see the lines included to result
#        print "Source=>$src, Destination=>$dest, Packets=>$packets, Bytes=>$bytes\n";
        $p_sum += $packets;
        $b_sum += $bytes;
      }
    }
  }
}

close (F);
print "$p_sum:$b_sum";


And that's all!
Here is some hints on creating file, which we parsing for data:

1) On Cisco
Code:
c2620XM(config)#inter fa0/0.9
c2620XM(config-subif)#ip accounting output-packets

c2620XM(config)# ip rcmd remote-host <cisco_user> <server_ip> <server_cron_user> enable


2) On server

Crontab:
Code:
4,9,14,19,24,29,34,39,44,49,54,59 * * * * <server_cron_user> /usr/local/scripts/cisco.sh

cisco.sh:
Code:
#!/bin/sh
/usr/bin/rsh -l <cisco_user> <cisco_ip> clear ip accounting checkpoint>\dev\null
/usr/bin/rsh -l <cisco_user> <cisco_ip> clear ip accounting>\dev\null
/usr/bin/rsh -l <cisco_user> <cisco_ip> sh ip accounting checkpoint>/var/log/account.txt


And that's realy all. Any comments, ideas and spellchecks :wink: will be wellcome.


Top
 Profile  
 
 Post subject: IP Accounting intergration
PostPosted: Thu Jun 17, 2004 2:57 am 
Offline
Cacti User

Joined: Wed Jan 07, 2004 11:16 am
Posts: 84
Hi Denter,

thanks for the scripts. however, i am encountering some problems:
how exactly do i implement it in Cacti?
what did you do and define in Cacti itself for it to work?

thanks
harel


Top
 Profile  
 
 Post subject: Ops... You had to use some more personal way to ask me :o\
PostPosted: Thu Dec 09, 2004 8:18 am 
Offline

Joined: Wed Apr 23, 2003 10:01 am
Posts: 5
Location: Kiev, Ukraine
Ok.

1)Create the "Data Input Method"
Name: Cisco accounting
Input Type: Script/Command
Input String: perl <path_cacti>/scripts/acc.pl -f<acc_file> -e<excl_source> -i<incl_dest>
(<path_cacti>/scripts/acc.pl - script from first message)

Input Fields
Name Field Order Friendly Name
acc_file 1 Accounting log file
excl_source 2 Ecscluded sourse IP
incl_dest 3 Included destination IP's

Output Fields Add
Name Field Order Friendly Name Update RRA
bytes 1 Summary bytes Selected Delete

2)Create the "Data Template" (Import my template and correct fields)

3) Create a Data sources for an each host you want to monitor, using the template.

4) Add new data sources to your graphs

Good luck.


Attachments:
File comment: Data source template
cacti_data_template_incoming_traffic.xml [4.5 KiB]
Downloaded 1854 times
Top
 Profile  
 
 Post subject:
PostPosted: Thu Jan 13, 2005 5:05 am 
Offline

Joined: Thu Feb 19, 2004 12:24 pm
Posts: 17
Great!
Thanks for the script.
Just a question. In my log I see always the same source (correct, I use NAPT with only 1 public IP) and different destination ... how could I graph per destination? If I well understand, this script only make visible the SUM, the total, but not per destination.

That's possible? Advices?

Thanks for your support
Regards
Andrea


Top
 Profile  
 
 Post subject: Re: Ops... You had to use some more personal way to ask me :
PostPosted: Thu Jan 13, 2005 8:35 am 
Offline

Joined: Thu Feb 19, 2004 12:24 pm
Posts: 17
Denter wrote:
4) Add new data sources to your graphs


Hem, wich type of "graph items" I've to create?
Could you help me?

Thanks for your support
Regards
Andrea


Top
 Profile  
 
 Post subject: And here we are :o)
PostPosted: Sun Jul 24, 2005 10:37 pm 
Offline

Joined: Wed Apr 23, 2003 10:01 am
Posts: 5
Location: Kiev, Ukraine
Yeah... I have a good reaction, do I? :-?

Ok.

First, about this section
# How can you create the source file?
# See: http://www.opennet.ru/tips/sml/4.shtml
# What? You do not undestood Russian? Thats bad.

There is no normal description any more, so here is mine:

On cisco device you have to enable rsh access from monitoring server:
ip rcmd rsh-enable
ip rcmd remote-host <Local username> <Server IP> <Remote username> enable


Local username - user with access to cisco device.
Remote username - user, which run remote comand on the server (probably "root" from cron)

On the server request script can looks like:
/usr/bin/rsh -l <cisco username> <cisco IP> clear ip accounting checkpoint>\dev\null
/usr/bin/rsh -l <cisco username> <cisco IP> clear ip accounting>\dev\null
/usr/bin/rsh -l <cisco username> <cisco IP> sh ip accounting checkpoint>/var/log/account.txt


<Local username> must be the same as <cisco username>



Now questions:
Quote:
In my log I see always the same source (correct, I use NAPT with only 1 public IP) and different destination ... how could I graph per destination?


In this script I calculate SUM exactly for different destinations. So you just need to know IP's of destination, for which you need a graph. Source IP can be only excluded (when need) from calculation.
I use it for internal IP's, but I have no idea, how you can use it for external destinations...

Quote:
Hem, wich type of "graph items" I've to create?

Heh... :wink: There is an exelent graph template, named "none".

I attached few images, which can help you to make a graph and to see, what you can get.

I do not check regulary this forum and this discution - so feel free to use an ICQ contact from my profile. I'm usualy in invisible mode, so don't wait for my "appearing online" :wink:


Attachments:
File comment: Data source
pic3.JPG
pic3.JPG [ 48.13 KiB | Viewed 35745 times ]
File comment: Resulting graph
pic2.gif
pic2.gif [ 96.33 KiB | Viewed 35745 times ]
File comment: Fields settings variant.
Pic1.JPG
Pic1.JPG [ 73.96 KiB | Viewed 35745 times ]
Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 6 posts ] 

All times are UTC - 5 hours


Who is online

Users browsing this forum: gabrielmr85 and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  

Protected by Anti-Spam ACP Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group