I would like to log a warning message to /var/log/messages file if either ingress or egress bandwidth on eth0 interface is over a certain threshold. I could do this with a script which reads the value of /sys/devices/virtual/net/eth0/statistics/[rt]x_bytes file, stores the value, sleeps a second, reads those very same values again, calculates the amount of bits per second sent, compares the result with certain threshold and if higher, writes a message to /var/log/messages file. However, is there a smarter method? I mean for example with iptables or tc which could create a log message in case certain bandwidth threshold on interface is exceeded?
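The polling approach the question describes, written out as an added example (it is not from the question or from any of the answers): two samples of rx_bytes/tx_bytes one second apart, ingress and egress rates in bit/s compared separately against the threshold, and the warning handed to syslog via logger(1), which the usual syslog rules write to /var/log/messages. The 10 Mbit/s threshold, the bwmon tag and the bwmon.sh file name are assumptions; /sys/class/net/eth0 is the stable alias of the /sys/devices/... path in the question.

```shell
#!/bin/sh
# Added example, not from the question or answers: the sysfs polling check the
# question describes, with ingress and egress measured separately and the
# warning sent to syslog through logger(1). Interface, threshold (10 Mbit/s),
# interval and the "bwmon" tag are assumptions; override them via environment.
IFACE="${IFACE:-eth0}"
THRESHOLD_BPS="${THRESHOLD_BPS:-10000000}"
INTERVAL="${INTERVAL:-1}"                  # seconds between the two samples
STATS="/sys/class/net/$IFACE/statistics"   # same counters as /sys/devices/.../statistics

# Bits per second from two byte-counter samples taken SECONDS apart.
# Prints -1 when the counter went backwards (interface reset or re-plug),
# so the caller skips that round instead of logging a bogus rate.
rate_bps() {  # rate_bps PREV_BYTES CUR_BYTES SECONDS
    prev=$1; cur=$2; secs=$3
    if [ "$cur" -lt "$prev" ]; then echo -1; return 0; fi
    echo $(( (cur - prev) * 8 / secs ))
}

# Succeeds (status 0) only when RATE is valid and strictly above THRESHOLD.
over_threshold() {  # over_threshold RATE_BPS THRESHOLD_BPS
    [ "$1" -ge 0 ] && [ "$1" -gt "$2" ]
}

# Warning text for one direction; this is what ends up in /var/log/messages.
warn_text() {  # warn_text DIRECTION RATE_BPS
    printf '%s bandwidth on %s exceeded %s bit/s (measured %s bit/s)\n' \
        "$1" "$IFACE" "$THRESHOLD_BPS" "$2"
}

# One sampling round: read rx/tx bytes, sleep, read again, compare, log.
check_once() {
    rx0=$(cat "$STATS/rx_bytes"); tx0=$(cat "$STATS/tx_bytes")
    sleep "$INTERVAL"
    rx1=$(cat "$STATS/rx_bytes"); tx1=$(cat "$STATS/tx_bytes")
    rx_rate=$(rate_bps "$rx0" "$rx1" "$INTERVAL")
    tx_rate=$(rate_bps "$tx0" "$tx1" "$INTERVAL")
    # daemon.warning goes to /var/log/messages under the usual syslog rules
    if over_threshold "$rx_rate" "$THRESHOLD_BPS"; then
        logger -p daemon.warning -t bwmon "$(warn_text Ingress "$rx_rate")"
    fi
    if over_threshold "$tx_rate" "$THRESHOLD_BPS"; then
        logger -p daemon.warning -t bwmon "$(warn_text Egress "$tx_rate")"
    fi
}

# Sample once per run when executed as bwmon.sh (e.g. every minute from cron).
case "$0" in */bwmon.sh|bwmon.sh) check_once ;; esac
```

Running it every minute from cron gives one one-second sample per minute; a loop around check_once (the endless background loop the question wants to avoid) is the only way to catch shorter bursts with this method.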
3 Answers
You can use vnstat with -tr option, then compare with threshold and write log if exceeded.
-tr time
Calculate how much traffic goes through the selected interface during the given time seconds. The time will be 5 seconds if a number parameter isn't included.
I finally found the solution which I was looking for. Iptables has rateest module which does exactly that. For example:
# collects all ingress traffic to RATEEST target
iptables -A INPUT -j RATEEST --rateest-name RE1 --rateest-interval 500.0ms --rateest-ewmalog 1s
# creates a log entry(jumps to LOG target) if rate is greater than 10Mbps
iptables -A INPUT -m rateest --rateest RE1 --rateest-gt --rateest-bps 10Mbps -j LOG --log-prefix "Ingress bandwidth >10Mbps "
netstat -i
Just for starters. Look at the headers for RX-OK and TX-OK. Set this up with cron and that's it.
#!/bin/bash
# Mar 2015
# Get packets received and transmitted on eth0 and log a message.
# Note: the RX-OK/TX-OK columns of netstat -i are cumulative packet counts since boot, not bytes.
echo " "
bytein=$(netstat -i | awk '$1 == "eth0" {print $4}')
byteout=$(netstat -i | awk '$1 == "eth0" {print $8}')
total=$((bytein + byteout))
# echo "IN=$bytein, OUT=$byteout, TOTAL=$total"
max=1000000
outfile=/var/log/messages
msg="Traffic on eth0 has exceeded $max packets"
if [ "$total" -gt "$max" ]; then
    echo "$msg" >> "$outfile"
    echo "$msg"
fi
What's the big picture OP? I could see doing this for different users to limit their bandwidth, but why do this for the eth0 interface?
-
They're aware of how to get the information through a script, they're asking for a more standard and automatic way of doing it using common OS mechanisms rather than something they made themselves. – Bratchley, Mar 17, 2015 at 17:41
-
@Bratchley, it's using common OS mechanisms (kernel packet/byte counters) and it's not a particularly complicated script. That's a good use of the tools available. IMO, of course. – Chris Davies, Mar 17, 2015 at 22:29
-
@roaima As Bratchley already mentioned, I would like to avoid scripts for this task as I need to keep those running in background in an endless loop. To be honest, I was fairly sure that such functionality is built into NetFilter or at least extensible with NetFilter modules. @user77853 eth0 interface is dedicated for one VPN tunnel. However, as I mentioned in my initial post/question, I'm not looking for a script to log a warning message if either ingress or egress bandwidth on interface is over a certain threshold. – Martin, Mar 18, 2015 at 0:14
-
iptables -m limit actually imposes limits by itself. I think it's just used for matching traffic according to rate. You may try to use it with -j LOG to see if it lets the activity happen and it just logs to syslog.
-
sysstat/sa/sar?
-
iptables limit module. limit module seems to be suitable for logging relatively infrequent events. For example iptables -I INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG would log all the ingress ICMP messages up to 1 log entry per second, i.e. even if more than one ICMP message per second is received, only one is logged. In a nutshell, iptables -m limit does not seem to be a correct tool for this. @Ulrich Schwarz as much as I tested with sar, it simply seems to parse /proc so this gives no additional value.
-
--lower-limit option that would allow you to -j LOG if traffic gets above a certain PPS. That would likely create a large volume of logs thereafter, though. It might put you in the right direction.
-
fuzzy counts packets per second (pps), not bits per second (bps), and as I have packets with variable length, this would not work for me. In addition, the way the fuzzy module operates is not quite what I need - for example even if I could specify --lower-limit 1Mbps and --upper-limit 10Mbps and traffic is a bit over 1Mbps, then only a few of the 1Mbps violations are logged. If traffic peaks to 10Mbps, then almost all the violations are logged. The fuzzy module seems to be for (D)DOS mitigation.