# net-acct logs incorrectly



## alois (June 21, 2006)

Hello everyone,

I have the following problem:

I have net-acct running on a server; as is well known, it logs network packets to a file and, combined with the nacctstats script, can be packaged nicely into an e-mail.

The nacctstats script is now telling me, however, that there are corrupted logfile entries...

I don't understand that; how do they come about? I have had this problem several times before. Most of the time it could be fixed, but always with different actions (restarting the service, commenting out outputs in the config, etc.); this time, though, nothing works at all.

Here is my config:


```
flush 300                       # flush every 5 minutes
                                # this gives the interval in seconds
                                # when the accumulated data is flushed
                                # to the output file

fdelay 60                       # this defines after how many seconds
                                # of inactivity a certain record of
                                # traffic information may be written out
                                # this helps making the logfiles smaller
                                # since only one output record will be
                                # generated for related traffic

file /var/log/net-acct          # defines output file
                                # this is the regular output file of
                                # the daemon

dumpfile /var/log/net-acct-dump # defines dump file
                                # this is used to dump the not yet
                                # written information so this is not
                                # lost should the machine crash
                                # on startup an eventually existing
                                # file of this name will be moved
                                # to *.o

notdev eth1                     # Don't log entries for this device
                                # Use this on routers so that you don't
                                # log forwarded packets twice.

device eth0                     # device to put into promiscuous mode
                                # you can specify as many as you want
                                # and you don't have to specify one
                                # (e.g. if this runs on your router)

# iflimit eth0                  # on machines with multiple interfaces,
                                # log only packets on this interface
                                # mutually exclusive with hostlimit

ignoremask 255.255.255.0        # Ignore traffic on same class C net
                                # This means traffic that is on
                                # your local LAN is not counted.
                                # This is useful for NFS etc.
                                # Not giving this option causes everything
                                # to be counted.
                                # This can degrade performance seriously!

ignorenet 127.0.0.0 255.0.0.0   # ignore loopback net
                                # You can define as many ignorenets as
                                # you want. Ignoring a net with
                                # ignorenet is not as efficient as
                                # ignoremask. Thus you should exclude
                                # your local network with ignoremask,
                                # not with ignorenet (although this
                                # is possible).

# masqif  192.168.72.141        # if compiled with -DREMAP_MASQUERADE:
                                # ipnumber you are masquerading as,
                                # this remaps ip/port for incoming
                                # connections (e.g. ftp-data) to ip/port
                                # of the masqueraded destination

debug 1024                      # set debugging level
debugfile /tmp/nacctd.debug     # where to put debugging info

# Device configuration
# Defines where the real data starts for each type of interface
# First give the name prefix, then the offset in bytes to the start
# of the real data, then the offset of the type field in bytes. If
# there is no type field, just give a 0.
# Don't specify SLIP or PPP devices here, otherwise association of
# dynamic ip-addresses with usernames won't work
# Put device types with more traffic last.

headers tr      40      38
headers lo      14      12
headers isdn    4       0
# headers isdn  14      0       # for hdlc/trans/cisco and hdlc/trans/raw
headers eth     14      12
headers plip    14      12

# For dynamic slip/ppp

dynamicip /var/run              # where files for dynamic ip are stored
dynamicnet 202.36.94.0 255.255.255.0    # on which network are all the
                                        # dynamically assigned addresses

exclude-name-lookup     202.36.94.1     255.255.255.255
exclude-name-lookup     202.36.94.253   255.255.255.255

# hostlimit 12.34.56.78         # log only packets to/from this host
# hostlimit 34.56.78.12         # and this one too
                                # this option is mutually exclusive with iflimit

# For disabling certain fields
# This is commented out by default
# Field 7 is disabled by default so we match the old (pre 0.5) output format
# disable 2                     # disable output of protocol
# disable 3                     # disable output of source address
# disable 4                     # disable output of source port
# disable 5                     # disable output of destination address
# disable 6                     # disable output of destination port
disable 7                       # disable output of packets count
# disable 8                     # disable output of byte count
# disable 9                     # disable output of device name
# disable 10                    # disable output of user name

# For excluding certain hosts from ignoring
# This can be useful for a kludgy way to account for proxy traffic, you'd then
# add your proxy server here.
# I guess I should consider using some filter language...
# This is commented out by default
# This does not affect addresses excluded by ignoremask,
# as this would impose too much of a performance penalty
# dontignore 127.3.4.5 255.255.255.255  # Don't ignore host 127.3.4.5,
                                        # although it would be excluded by
                                        # above ignorenet statement

# line sl0 ttyS0                # One way to
                                # assign traffic to a user is if both
                                # of the following conditions meet:
                                # a) nacctd runs on the ppp/slip server
                                # b) the relation between network interface
                                # (e.g. sl0, ppp1) and serial line (e.g.
                                # ttyS1) is fixed.
                                # You can give as many line statements
                                # as you want
                                # There is a better way now, so this is
                                # commented out
```

Does anyone have an idea?

The server is from Hetzner, connected to the Internet via eth0; the card is something common from VIA.

Regards,
alois


----------

