Ulogd

Z Wiki UnArt Slavičín
Skočit na navigaciSkočit na vyhledávání

Ulogd je daemon od tvůrců iptables či ipsetu pro monitorování provozu. Umožnuje logovat spojení do textového souboru nebo i do databáze. Bohužel stále neexistuje balík pro Debian, takže se musí instalovat ručně.

Závislosti

Nejdříve je nutné zkontrolovat, zda-li je zapnuté sledování spojení conntrackem jdoucí přes NAT:

echo "1" > /proc/sys/net/netfilter/nf_conntrack_acct

Trvalé uložení přidáním řádku do /etc/sysctl.conf:

net.netfilter.nf_conntrack_acct = 1

Nainstalujeme:

apt-get install bzip2 libnfnetlink-dev libmysqlclient-dev libpcap-dev conntrack automake libtool autoconf make

Zavedeme moduly do jádra:

modprobe nf_conntrack
modprobe nf_conntrack_ipv4
modprobe nf_conntrack_netlink

Pro automatické zavedení po startu přidejte do /etc/modules řádky:

nf_conntrack
nf_conntrack_ipv4
nf_conntrack_netlink

Postupně ručně nainstalujeme další potřebné programy od netfilter:

cd /tmp/
wget http://www.netfilter.org/projects/libnfnetlink/files/libnfnetlink-1.0.1.tar.bz2
tar xjvf libnfnetlink-1.0.1.tar.bz2 
cd libnfnetlink-1.0.1/
./configure 
make
make install
cd /tmp/
wget http://www.netfilter.org/projects/libmnl/files/libmnl-1.0.3.tar.bz2
tar xjvf libmnl-1.0.3.tar.bz2
cd libmnl-1.0.3
./configure
make
make install
cd /tmp/
wget http://www.netfilter.org/projects/libnetfilter_acct/files/libnetfilter_acct-1.0.2.tar.bz2
tar xjvf libnetfilter_acct-1.0.2.tar.bz2
cd libnetfilter_acct-1.0.2/
./configure
make
make install
cd /tmp/
wget http://www.netfilter.org/projects/libnetfilter_conntrack/files/libnetfilter_conntrack-1.0.3.tar.bz2
tar xjvf libnetfilter_conntrack-1.0.3.tar.bz2
cd libnetfilter_conntrack-1.0.3/
./configure
make
make install
cd /tmp/
wget http://www.netfilter.org/projects/libnetfilter_log/files/libnetfilter_log-1.0.1.tar.bz2
tar xjvf libnetfilter_log-1.0.1.tar.bz2
cd libnetfilter_log-1.0.1/
./configure
make
make install

Instalace

Stáhneme a rozbalíme:

cd /tmp/
wget http://www.netfilter.org/projects/ulogd/files/ulogd-2.0.2.tar.bz2
tar jxvf ulogd-2.0.2.tar.bz2

Tomáš Dulík napsal modul pro filtrování spojení na minimální množství přenesených dat. Jeho instalace:

cd /tmp/ulogd-2.0.2/filter/
wget http://wiki.slavicin.unart.cz/images/1/17/ulogd_filter_BYTES.c
wget http://wiki.slavicin.unart.cz/images/1/17/ulogd_filter_makefile_am_dulik.patch -O /tmp/ulogd_filter_makefile_am_dulik.patch
patch -p0 Makefile.am /tmp/ulogd_filter_makefile_am_dulik.patch
rm Makefile.in
cd ../
autoheader && aclocal && automake && autoconf && autoreconf

Nyní již mělo stačit:

./configure
make
make install

Konfigurace

Vzorový konfigurační soubor - uložte do /usr/local/etc/ulogd.conf.

Upravte hodnoty:

  • db = název databáze,
  • host = adresa vašeho MySQL serveru,
  • user = uživatel v databázi,
  • table = tabulka v databázi,
  • pass = heslo k databázi,
  • procedure = MySQL funkce která se bude vzdáleně volat a bude zpracovávat spojení
# Example configuration for ulogd
# $Id$
# Adapted to Debian by Achilleas Kotsis <achille@debian.gr>

[global]
######################################################################
# GLOBAL OPTIONS
######################################################################


# logfile for status messages
logfile="/var/log/ulogd.log"

# loglevel: debug(1), info(3), notice(5), error(7) or fatal(8)
loglevel=1

######################################################################
# PLUGIN OPTIONS
######################################################################

# We have to configure and load all the plugins we want to use

# general rules:
# 1. load the plugins _first_ from the global section
# 2. options for each plugin in seperate section below


plugin="/usr/local/lib/ulogd/ulogd_inppkt_NFLOG.so"
#plugin="/usr/local/lib/ulogd/ulogd_inppkt_ULOG.so"
#plugin="/usr/local/lib/ulogd/ulogd_inppkt_UNIXSOCK.so"
plugin="/usr/local/lib/ulogd/ulogd_inpflow_NFCT.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_IP2BIN.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_HWHDR.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_PRINTFLOW.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_MARK.so"
plugin="/usr/local/lib/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/local/lib/ulogd/ulogd_output_SYSLOG.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_XML.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_SQLITE3.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_OPRINT.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_NACCT.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_PCAP.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_PGSQL.so"
plugin="/usr/local/lib/ulogd/ulogd_output_MYSQL.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_DBI.so"
plugin="/usr/local/lib/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_BYTES.so"

stack=ct_destroy:NFCT,filter_bytes:BYTES,mysql_ct:MYSQL

[filter_bytes]
#tohle odfiltruje vsechna spojeni, ktera maji download < reply_bytes a upload < orig_bytes
orig_bytes=2000
reply_bytes=2000

[ct_destroy]
hash_enable=1
#we want to log the whole communication from the first packet, therefore we need 
#the events "CREATE" and "DESTROY"  
event_mask=5

#[mark_big_destroyed]
#choose another value if you use the connmark bit 0x100 for something else! 
#mark = 0x100
#mask = 0x100
# iptables -t mangle -I POSTROUTING 1 -m connbytes --connbytes 1000: --connbytes-dir both --connbytes-mode bytes -j CONNMARK --or-mark 0x100

[mysql_ct]
db="freenetis"
host="127.0.0.1"
user="ulogd"
table="ulog2_ct"
pass="MTP3DnJXky"
procedure="INSERT_CT"

# this is a stack for logging packet send by system via LOGEMU
#stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# this is a stack for packet-based logging via LOGEMU
#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# this is a stack for ULOG packet-based logging via LOGEMU
#stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# this is a stack for packet-based logging via LOGEMU with filtering on MARK
#stack=log2:NFLOG,mark1:MARK,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# this is a stack for flow-based logging via LOGEMU
#stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU

# this is a stack for flow-based logging via OPRINT
#stack=ct1:NFCT,op1:OPRINT

# this is a stack for NFLOG packet-based logging to PCAP
#stack=log2:NFLOG,base1:BASE,pcap1:PCAP

# this is a stack for logging packet to MySQL
#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mac2str1:HWHDR,mysql1:MYSQL

# this is a stack for logging packet to PGsql after a collect via NFLOG
#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,pgsql1:PGSQL

# this is a stack for logging packets to syslog after a collect via NFLOG
#stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG

# this is a stack for flow-based logging to MySQL
#stack=ct1:NFCT,ip2bin1:IP2BIN,mysql2:MYSQL

# this is a stack for flow-based logging to PGSQL
#stack=ct1:NFCT,ip2str1:IP2STR,pgsql2:PGSQL

# this is a stack for flow-based logging to PGSQL without local hash
#stack=ct1:NFCT,ip2str1:IP2STR,pgsql3:PGSQL


# this is a stack for flow-based logging in NACCT compatible format
#stack=ct1:NFCT,ip2str1:IP2STR,nacct1:NACCT

#[ct1]
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440

#[ct2]
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
#hash_enable=0

# Logging of system packet through NFLOG
#[log1]
# netlink multicast group (the same as the iptables --nflog-group param)
# Group O is used by the kernel to log connection tracking invalid message
group=0
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
# set number of packet to queue inside kernel
#netlink_qthreshold=1
# set the delay before flushing packet in the queue inside kernel (in ms)
#netlink_qtimeout=1000

# packet logging through NFLOG for group 1
#[log2]
# netlink multicast group (the same as the iptables --nflog-group param)
group=1 # Group has to be different from the one use in log1
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
# If your kernel is older than 2.6.29 and if a NFLOG input plugin with
# group 0 is not used by any stack, you need to have at least one NFLOG
# input plugin with bind set to 1. If you don't do that you may not
# receive any message from the kernel.
#bind=1

# packet logging through NFLOG for group 2, numeric_label is
# set to 1
#[log3]
# netlink multicast group (the same as the iptables --nflog-group param)
#group=2 # Group has to be different from the one use in log1/log2
#numeric_label=1 # you can label the log info based on the packet verdict
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
#bind=1

#[ulog1]
# netlink multicast group (the same as the iptables --ulog-nlgroup param)
#nlgroup=1
#numeric_label=0 # optional argument

#[emu1]
#file="/var/log/ulogd_syslogemu.log"
#sync=1

#[op1]
#file="/var/log/ulogd_oprint.log"
#sync=1

#[pcap1]
#sync=1

#[mysql1]
#db="nulog"
#host="localhost"
#user="nupik"
#table="ulog"
#pass="changeme"
#procedure="INSERT_PACKET_FULL"

#[mysql2]
#db="nulog"
#host="localhost"
#user="nupik"
#table="ulog"
#pass="changeme"
#procedure="INSERT_CT"

#[pgsql1]
#db="nulog"
#host="localhost"
#user="nupik"
#table="ulog"
#pass="changeme"
#procedure="INSERT_PACKET_FULL"

#[pgsql2]
#db="nulog"
#host="localhost"
#user="nupik"
#table="ulog2_ct"
#pass="changeme"
#procedure="INSERT_CT"

#[pgsql3]
#db="nulog"
#host="localhost"
#user="nupik"
#table="ulog2_ct"
#pass="changeme"
#procedure="INSERT_OR_REPLACE_CT"

#[dbi1]
#db="ulog2"
#dbtype="pgsql"
#host="localhost"
#user="ulog2"
#table="ulog"
#pass="ulog2"
#procedure="INSERT_PACKET_FULL"

#[sys2]
#facility=LOG_LOCAL2

#[nacct1]
#sync = 1

#[mark1]
#mark = 1

Spuštění

Spuštění jako daemon:

ulogd -d

Pokud něco nefunguje, chybu hledat ve /var/log/ulogd.