Other articles

  1. ulogd2: the new userspace logging daemon for netfilter/iptables (part 2)

    This article explains how to build, install and configure ulogd 2 for use with netfilter/iptables. It explains how to use plugins to store logs in databases (MySQL and PostgreSQL), use plugins to filter data, and gives some iptables rules to log packets.

    Get the sources

    You can use the official repository:

    git clone git://git.netfilter.org/ulogd2.git/
    

    Prerequisites

    Build

    Use the standard autotools method for configure, build and install:

    ./autogen.sh
    ./configure --prefix=/path/to/prefix
    make
    sudo make install
    

    Configuration

    Edit ulogd.conf

    1. enable plugins

    You will have to choose the input and output plugins according to your setup. NFLOG is present in recent kernels (and iptables installations) and should be preferred where available.

    • Input plugin: ULOG or NFLOG
    • Output: MySQL or PostgreSQL

    You have to enable the corresponding plugins in the configuration before you can use them:

    plugin="/path/to/prefix/lib/ulogd/ulogd_inppkt_ULOG.so"
    plugin="/path/to/prefix/lib/ulogd/ulogd_output_MYSQL.so"
    

    See “Stack configuration” later.

    2. build the stack

    For MySQL, we will use a very simple plugin stack. As MySQL is quite inefficient in storing IP addresses (and …

  2. ulogd2: the new userspace logging daemon for netfilter/iptables (part 1)

    Ulogd (and also ulogd2) is a powerful and flexible logging system for Netfilter/Iptables, based on a plugin system. It allows, for example, logging packets to a SQL database, with an interface to analyze them (see Nulog2).


    Architecture

    Ulogd2 combines plugins to create a stack, where each plugin is chained to another. There are three types of plugins:

    • Source
    • Filter
    • Output

    A stack must have exactly one source and one output (but it can have several filters). Several stacks can be defined in the configuration.

    Each plugin has a type (for example, PGSQL) and must be instantiated (using a name chosen by the user). Each instance is a particular configuration of the plugin, defining its parameters. This way, we can output data in several formats using different stacks.

    For example, the following stack:

    stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,print1:PRINTPKT,pgsql1:PGSQL
    

    defines a stack with the following properties:

    • input plugin is NFLOG, which means we’ll use the -j NFLOG target of iptables as the source
    • filters are BASE, IFINDEX, and PRINTPKT (we’ll cover what they do later)
    • output plugin is of type PGSQL, so data will be logged to a …
