Ulogd: version comparison
Current version as of 27 September 2013, 16:12

Ulogd is a daemon from the authors of iptables and ipset for monitoring traffic. It can log connections to a text file or to a database. Unfortunately there is still no Debian package, so it has to be installed manually.
Dependencies

First, check that conntrack tracking of connections passing through NAT is enabled:

echo "1" > /proc/sys/net/netfilter/nf_conntrack_acct

To make it persistent, add the following line to /etc/sysctl.conf:

net.netfilter.nf_conntrack_acct = 1

Install the build dependencies:

apt-get install bzip2 libnfnetlink-dev libmysqlclient-dev libpcap-dev conntrack automake libtool autoconf make

Load the kernel modules:

modprobe nf_conntrack
modprobe nf_conntrack_ipv4
modprobe nf_conntrack_netlink

To load them automatically at boot, add these lines to /etc/modules:

nf_conntrack
nf_conntrack_ipv4
nf_conntrack_netlink

Next, manually install the remaining required netfilter libraries, one after another:

cd /tmp/
wget http://www.netfilter.org/projects/libnfnetlink/files/libnfnetlink-1.0.1.tar.bz2
tar xjvf libnfnetlink-1.0.1.tar.bz2
cd libnfnetlink-1.0.1/
./configure
make
make install

cd /tmp/
wget http://www.netfilter.org/projects/libmnl/files/libmnl-1.0.3.tar.bz2
tar xjvf libmnl-1.0.3.tar.bz2
cd libmnl-1.0.3
./configure
make
make install

cd /tmp/
wget http://www.netfilter.org/projects/libnetfilter_acct/files/libnetfilter_acct-1.0.2.tar.bz2
tar xjvf libnetfilter_acct-1.0.2.tar.bz2
cd libnetfilter_acct-1.0.2/
./configure
make
make install

cd /tmp/
wget http://www.netfilter.org/projects/libnetfilter_conntrack/files/libnetfilter_conntrack-1.0.3.tar.bz2
tar xjvf libnetfilter_conntrack-1.0.3.tar.bz2
cd libnetfilter_conntrack-1.0.3/
./configure
make
make install

cd /tmp/
wget http://www.netfilter.org/projects/libnetfilter_log/files/libnetfilter_log-1.0.1.tar.bz2
tar xjvf libnetfilter_log-1.0.1.tar.bz2
cd libnetfilter_log-1.0.1/
./configure
make
make install
Installation

Download and unpack:

cd /tmp/
wget http://www.netfilter.org/projects/ulogd/files/ulogd-2.0.2.tar.bz2
tar jxvf ulogd-2.0.2.tar.bz2

Tomáš Dulík wrote a module that filters connections by a minimum amount of transferred data. To install it:

cd /tmp/ulogd-2.0.2/filter/
wget http://wiki.slavicin.unart.cz/images/1/17/ulogd_filter_BYTES.c
wget http://wiki.slavicin.unart.cz/images/1/17/ulogd_filter_makefile_am_dulik.patch -O /tmp/ulogd_filter_makefile_am_dulik.patch
patch -p0 Makefile.am /tmp/ulogd_filter_makefile_am_dulik.patch
rm Makefile.in
cd ../
autoheader && aclocal && automake && autoconf && autoreconf

Now the following should suffice:

./configure
make
make install
Configuration

Sample configuration file; save it to /usr/local/etc/ulogd.conf.

Adjust the values:

- db = name of the database,
- host = address of your MySQL server,
- user = database user,
- table = table in the database,
- pass = database password,
- procedure = the MySQL stored procedure that will be called to process each connection
# Example configuration for ulogd
# $Id$
# Adapted to Debian by Achilleas Kotsis <achille@debian.gr>

[global]
######################################################################
# GLOBAL OPTIONS
######################################################################

# logfile for status messages
logfile="/var/log/ulogd.log"

# loglevel: debug(1), info(3), notice(5), error(7) or fatal(8)
loglevel=1

######################################################################
# PLUGIN OPTIONS
######################################################################

# We have to configure and load all the plugins we want to use
# general rules:
# 1. load the plugins _first_ from the global section
# 2. options for each plugin in separate section below
plugin="/usr/local/lib/ulogd/ulogd_inppkt_NFLOG.so"
#plugin="/usr/local/lib/ulogd/ulogd_inppkt_ULOG.so"
#plugin="/usr/local/lib/ulogd/ulogd_inppkt_UNIXSOCK.so"
plugin="/usr/local/lib/ulogd/ulogd_inpflow_NFCT.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_IP2BIN.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_HWHDR.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_PRINTFLOW.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_MARK.so"
plugin="/usr/local/lib/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/local/lib/ulogd/ulogd_output_SYSLOG.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_XML.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_SQLITE3.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_OPRINT.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_NACCT.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_PCAP.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_PGSQL.so"
plugin="/usr/local/lib/ulogd/ulogd_output_MYSQL.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_DBI.so"
plugin="/usr/local/lib/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_BYTES.so"

stack=ct_destroy:NFCT,filter_bytes:BYTES,mysql_ct:MYSQL

[filter_bytes]
# this filters out all connections that have download < reply_bytes and upload < orig_bytes
orig_bytes=2000
reply_bytes=2000

[ct_destroy]
hash_enable=1
#we want to log the whole communication from the first packet, therefore we need
#the events "CREATE" and "DESTROY"
event_mask=5

#[mark_big_destroyed]
#choose another value if you use the connmark bit 0x100 for something else!
#mark = 0x100
#mask = 0x100
# iptables -t mangle -I POSTROUTING 1 -m connbytes --connbytes 1000: --connbytes-dir both --connbytes-mode bytes -j CONNMARK --or-mark 0x100

[mysql_ct]
db="freenetis"
host="127.0.0.1"
user="ulogd"
table="ulog2_ct"
pass="MTP3DnJXky"
procedure="INSERT_CT"

# this is a stack for logging packets sent by the system via LOGEMU
#stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# this is a stack for packet-based logging via LOGEMU
#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# this is a stack for ULOG packet-based logging via LOGEMU
#stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# this is a stack for packet-based logging via LOGEMU with filtering on MARK
#stack=log2:NFLOG,mark1:MARK,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# this is a stack for flow-based logging via LOGEMU
#stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU

# this is a stack for flow-based logging via OPRINT
#stack=ct1:NFCT,op1:OPRINT

# this is a stack for NFLOG packet-based logging to PCAP
#stack=log2:NFLOG,base1:BASE,pcap1:PCAP

# this is a stack for logging packets to MySQL
#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mac2str1:HWHDR,mysql1:MYSQL

# this is a stack for logging packets to PGsql after a collect via NFLOG
#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,pgsql1:PGSQL

# this is a stack for logging packets to syslog after a collect via NFLOG
#stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG

# this is a stack for flow-based logging to MySQL
#stack=ct1:NFCT,ip2bin1:IP2BIN,mysql2:MYSQL

# this is a stack for flow-based logging to PGSQL
#stack=ct1:NFCT,ip2str1:IP2STR,pgsql2:PGSQL

# this is a stack for flow-based logging to PGSQL without local hash
#stack=ct1:NFCT,ip2str1:IP2STR,pgsql3:PGSQL

# this is a stack for flow-based logging in NACCT compatible format
#stack=ct1:NFCT,ip2str1:IP2STR,nacct1:NACCT

#[ct1]
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440

#[ct2]
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
#hash_enable=0

# Logging of system packets through NFLOG
#[log1]
# netlink multicast group (the same as the iptables --nflog-group param)
# Group 0 is used by the kernel to log connection tracking invalid messages
group=0
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
# set number of packets to queue inside kernel
#netlink_qthreshold=1
# set the delay before flushing packets in the queue inside kernel (in ms)
#netlink_qtimeout=1000

# packet logging through NFLOG for group 1
#[log2]
# netlink multicast group (the same as the iptables --nflog-group param)
group=1 # Group has to be different from the one used in log1
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
# If your kernel is older than 2.6.29 and if a NFLOG input plugin with
# group 0 is not used by any stack, you need to have at least one NFLOG
# input plugin with bind set to 1. If you don't do that you may not
# receive any message from the kernel.
#bind=1

# packet logging through NFLOG for group 2, numeric_label is
# set to 1
#[log3]
# netlink multicast group (the same as the iptables --nflog-group param)
#group=2 # Group has to be different from the one used in log1/log2
#numeric_label=1 # you can label the log info based on the packet verdict
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
#bind=1

#[ulog1]
# netlink multicast group (the same as the iptables --ulog-nlgroup param)
#nlgroup=1
#numeric_label=0 # optional argument

#[emu1]
#file="/var/log/ulogd_syslogemu.log"
#sync=1

#[op1]
#file="/var/log/ulogd_oprint.log"
#sync=1

#[pcap1]
#sync=1

#[mysql1]
#db="nulog"
#host="localhost"
#user="nupik"
#table="ulog"
#pass="changeme"
#procedure="INSERT_PACKET_FULL"

#[mysql2]
#db="nulog"
#host="localhost"
#user="nupik"
#table="ulog"
#pass="changeme"
#procedure="INSERT_CT"

#[pgsql1]
#db="nulog"
#host="localhost"
#user="nupik"
#table="ulog"
#pass="changeme"
#procedure="INSERT_PACKET_FULL"

#[pgsql2]
#db="nulog"
#host="localhost"
#user="nupik"
#table="ulog2_ct"
#pass="changeme"
#procedure="INSERT_CT"

#[pgsql3]
#db="nulog"
#host="localhost"
#user="nupik"
#table="ulog2_ct"
#pass="changeme"
#procedure="INSERT_OR_REPLACE_CT"

#[dbi1]
#db="ulog2"
#dbtype="pgsql"
#host="localhost"
#user="ulog2"
#table="ulog"
#pass="ulog2"
#procedure="INSERT_PACKET_FULL"

#[sys2]
#facility=LOG_LOCAL2

#[nacct1]
#sync = 1

#[mark1]
#mark = 1
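Because a mismatch between a stack= entry, its plugin= line and its [section] only surfaces in ulogd's logfile at startup, the added Python check below (not part of this page or of ulogd itself) parses a config shaped like the one above, verifies that the NFCT -> BYTES -> MYSQL stack is fully backed, decodes the NFCT event_mask, and replays the BYTES threshold rule over constructed byte counts. The embedded config and the PLACEHOLDER_PASSWORD value are constructed for the example.

```python
import re
# Constructed config mirroring the page's NFCT -> BYTES -> MYSQL stack; added example, not ulogd code.
SAMPLE_CONF = """\
[global]
plugin="/usr/local/lib/ulogd/ulogd_inpflow_NFCT.so"
plugin="/usr/local/lib/ulogd/ulogd_output_MYSQL.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_BYTES.so"
stack=ct_destroy:NFCT,filter_bytes:BYTES,mysql_ct:MYSQL
[filter_bytes]
orig_bytes=2000
reply_bytes=2000
[ct_destroy]
event_mask=5
[mysql_ct]
pass="PLACEHOLDER_PASSWORD"
procedure="INSERT_CT"
"""

# Conntrack netlink event groups selected by NFCT's event_mask (5 = NEW|DESTROY).
EVENT_BITS = {1: "NEW", 2: "UPDATE", 4: "DESTROY"}
# The plugin type is the upper-case suffix of the .so name, e.g. ulogd_inpflow_NFCT.so.
PLUGIN_RE = re.compile(r"ulogd_[a-z0-9]+_([A-Z0-9]+)\.so$")


def parse_conf(text):
    """Return (loaded plugin types, list of stacks, {section: {key: value}})."""
    plugins, stacks, sections, cur = set(), [], {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            sections.setdefault(cur, {})
            continue
        key, _, val = line.partition("=")
        key, val = key.strip(), val.strip().strip('"')
        if cur == "global" and key == "plugin":
            plugins.update(PLUGIN_RE.findall(val))
        elif cur == "global" and key == "stack":
            stacks.append([tuple(p.split(":", 1)) for p in val.split(",")])
        elif cur is not None:
            sections[cur][key] = val
    return plugins, stacks, sections


def event_names(mask):
    """Decode an NFCT event_mask into the event groups it subscribes to."""
    return [name for bit, name in EVENT_BITS.items() if mask & bit]


def check_conf(text):
    """List mistakes that ulogd would otherwise only report in its logfile."""
    plugins, stacks, sections = parse_conf(text)
    problems = []
    for stack in stacks:
        for inst, ptype in stack:
            if ptype not in plugins:
                problems.append(f"stack uses {ptype} but no plugin= line loads it")
            if inst not in sections:
                problems.append(f"stack instance {inst} has no [{inst}] section")
    for name, sec in sections.items():
        # Without DESTROY events a flow's final byte counters are never delivered.
        if "event_mask" in sec and "DESTROY" not in event_names(int(sec["event_mask"], 0)):
            problems.append(f"[{name}] event_mask does not include DESTROY (4)")
    return problems


def bytes_filter_keeps(section, orig, reply):
    """The page's BYTES rule: drop a flow only when upload AND download are below threshold."""
    return not (orig < int(section["orig_bytes"]) and reply < int(section["reply_bytes"]))
```

Run check_conf on the real /usr/local/etc/ulogd.conf before starting the daemon; an empty list means every stack entry is loaded and configured.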
Running

Run it as a daemon:

ulogd -d

If something does not work, look for the error in /var/log/ulogd.