Ulogd (and its successor ulogd2) is a powerful and flexible logging system for Netfilter/Iptables, built around a plugin system. It allows, for example, logging packets to a SQL database and analyzing them through a web interface (see Nulog2).


Architecture

Ulogd2 combines plugins into a stack, in which each plugin is chained to the next. There are three types of plugins:

  • Source
  • Filter
  • Output

A stack must have exactly one source and one output (it can have several filters). Several stacks can be defined in the configuration.

Each plugin has a type (for example, PGSQL) and must be instantiated under a name chosen by the user. Each instance is a particular configuration of the plugin, with its own parameters. This way, data can be output in several formats by using different stacks.

For example, the following stack:

stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,print1:PRINTPKT,pgsql1:PGSQL

defines a stack with the following properties:

  • the input plugin is NFLOG, which means the -j NFLOG target of iptables is used as the source
  • the filters are BASE, IFINDEX and PRINTPKT (what they do is covered later)
  • the output plugin is of type PGSQL, so data is logged to a PostgreSQL database.
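To make the stack rules concrete, here is an added example (not code from ulogd2) that parses the `stack=` lines of a ulogd.conf text and checks them against the constraints just stated: one source first, one output last, filters in between, and several stacks allowed. The plugin-type table lists the types named above plus a few other ulogd2 plugins; the sample configuration is constructed for the example.

```python
"""Validate ulogd2 ``stack=`` lines as the text describes them: exactly one
source plugin first, exactly one output plugin last, any number of filters in
between, and possibly several stacks in one configuration."""

# Plugin type -> role.  The types named in the text (NFLOG, BASE, IFINDEX,
# PRINTPKT, PGSQL) plus a few other real ulogd2 plugins; anything else is
# reported as unknown rather than guessed at.
PLUGIN_ROLE = {
    "NFLOG": "source", "ULOG": "source", "NFCT": "source", "NFACCT": "source",
    "BASE": "filter", "IFINDEX": "filter", "PRINTPKT": "filter",
    "PRINTFLOW": "filter", "IP2STR": "filter", "IP2BIN": "filter",
    "MARK": "filter", "HWHDR": "filter",
    "PGSQL": "output", "MYSQL": "output", "SQLITE3": "output",
    "LOGEMU": "output", "OPRINT": "output", "SYSLOG": "output",
}


def parse_stack(line):
    """Turn 'stack=inst:TYPE,inst:TYPE,...' into [(instance, TYPE), ...]."""
    key, sep, value = line.strip().partition("=")
    if key.strip() != "stack" or not sep:
        raise ValueError(f"not a stack line: {line!r}")
    plugins = []
    for item in value.split(","):
        name, sep, ptype = item.strip().partition(":")
        if not (sep and name and ptype):
            raise ValueError(f"malformed plugin entry: {item!r}")
        plugins.append((name, ptype.upper()))
    return plugins


def validate_stack(plugins):
    """Return a list of problems; an empty list means the stack is well-formed."""
    problems = []
    roles = []
    for name, ptype in plugins:
        role = PLUGIN_ROLE.get(ptype)
        if role is None:
            problems.append(f"{name}: unknown plugin type {ptype}")
        roles.append(role)
    for role in ("source", "output"):
        n = roles.count(role)
        if n != 1:
            problems.append(f"stack needs exactly one {role} plugin, found {n}")
    # Data flows left to right: the chain starts at the source, ends at the output.
    if roles and roles[0] != "source":
        problems.append("first plugin must be the source")
    if roles and roles[-1] != "output":
        problems.append("last plugin must be the output")
    names = [name for name, _ in plugins]
    for dup in sorted({n for n in names if names.count(n) > 1}):
        problems.append(f"instance name {dup!r} appears twice in the same stack")
    return problems


def check_config(text):
    """Validate every stack= line of a ulogd.conf text; return {line_no: problems}."""
    report = {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("stack="):
            report[no] = validate_stack(parse_stack(line))
    return report


# Constructed ulogd.conf fragment (not a real configuration file): the stack
# from the text, a second stack reusing the same instances, and a broken one
# that has no source plugin.
SAMPLE_CONF = """\
[global]
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,print1:PRINTPKT,pgsql1:PGSQL
stack=log1:NFLOG,base1:BASE,emu1:LOGEMU
stack=base1:BASE,emu1:LOGEMU
"""

if __name__ == "__main__":
    for no, problems in check_config(SAMPLE_CONF).items():
        print(no, "OK" if not problems else "; ".join(problems))
```

Run as a script it prints one line per stack, so a stack that would make ulogd2 fail at startup (here the third one, which has no source) is caught before the daemon is restarted.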

What’s new in ulogd2?

Ulogd2 brings a new SQL schema (see Linux Weekly News) in which data is split across several tables (instead of the single monolithic table of ulogd). Additional data can then be added easily without modifying the existing schema: just add a new table and use the packet id as a foreign key.

The new schema is more complex to use directly: selecting all the data for a packet now requires a JOIN, and an insertion has to write to several tables instead of one. To hide this complexity, a set of views (for selects) and stored procedures (for insertions) has been written, so that ulogd2 does not need to know the SQL schema: if the schema changes, only the procedures have to be updated, not ulogd2.
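The view-plus-procedure indirection, reduced to a runnable sketch. This is an added example and not ulogd2's code or schema: the tables and columns are simplified stand-ins, and because sqlite has no stored procedures, an INSTEAD OF INSERT trigger on the view plays the part that stored procedures play on PostgreSQL/MySQL. The writer (`log_packet`) talks only to the `ulog` view; when a `udp` table is added, only the view and the trigger change, and the writer keeps working.

```python
"""Hide a split SQL schema behind a view plus an insert hook, as the ulogd2 design
described above does.  Constructed sqlite3 example: tables, columns and view are
simplified stand-ins, not ulogd2's real schema, and an INSTEAD OF INSERT trigger
plays the part of the stored procedures ulogd2 uses on PostgreSQL/MySQL."""
import sqlite3

# Version 1: a core packet table plus one per-protocol table keyed by packet id.
SCHEMA_V1 = """
CREATE TABLE packet (id INTEGER PRIMARY KEY, oob_time INTEGER NOT NULL,
    ip_saddr TEXT NOT NULL, ip_daddr TEXT NOT NULL, ip_proto INTEGER NOT NULL);
CREATE TABLE tcp (id INTEGER PRIMARY KEY REFERENCES packet(id),
    tcp_sport INTEGER, tcp_dport INTEGER);
-- readers SELECT from the view and never write the JOIN themselves
CREATE VIEW ulog AS
    SELECT p.id, p.oob_time, p.ip_saddr, p.ip_daddr, p.ip_proto, t.tcp_sport, t.tcp_dport
    FROM packet p LEFT JOIN tcp t ON t.id = p.id;
-- the "stored procedure": one logical row is split over the real tables
CREATE TRIGGER ulog_insert INSTEAD OF INSERT ON ulog
BEGIN
    INSERT INTO packet (oob_time, ip_saddr, ip_daddr, ip_proto)
        VALUES (NEW.oob_time, NEW.ip_saddr, NEW.ip_daddr, NEW.ip_proto);
    INSERT INTO tcp (id, tcp_sport, tcp_dport)
        SELECT last_insert_rowid(), NEW.tcp_sport, NEW.tcp_dport WHERE NEW.ip_proto = 6;
END;
"""

# Version 2 adds a udp table.  Only the view and the trigger are rewritten; the
# writer below is untouched, which is the point of the indirection.
SCHEMA_V2_DELTA = """
CREATE TABLE udp (id INTEGER PRIMARY KEY REFERENCES packet(id),
    udp_sport INTEGER, udp_dport INTEGER);
DROP TRIGGER ulog_insert;
DROP VIEW ulog;
CREATE VIEW ulog AS
    SELECT p.id, p.oob_time, p.ip_saddr, p.ip_daddr, p.ip_proto,
           t.tcp_sport, t.tcp_dport, u.udp_sport, u.udp_dport
    FROM packet p LEFT JOIN tcp t ON t.id = p.id LEFT JOIN udp u ON u.id = p.id;
CREATE TRIGGER ulog_insert INSTEAD OF INSERT ON ulog
BEGIN
    INSERT INTO packet (oob_time, ip_saddr, ip_daddr, ip_proto)
        VALUES (NEW.oob_time, NEW.ip_saddr, NEW.ip_daddr, NEW.ip_proto);
    INSERT INTO tcp (id, tcp_sport, tcp_dport)
        SELECT last_insert_rowid(), NEW.tcp_sport, NEW.tcp_dport WHERE NEW.ip_proto = 6;
    INSERT INTO udp (id, udp_sport, udp_dport)
        SELECT last_insert_rowid(), NEW.udp_sport, NEW.udp_dport WHERE NEW.ip_proto = 17;
END;
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA_V1)
    return conn


def view_columns(conn):
    """Column names the ulog view currently exposes."""
    return {row[1] for row in conn.execute("PRAGMA table_info(ulog)")}


def log_packet(conn, fields):
    """What a ulogd2-like writer does: a single INSERT against the view.  Column
    names are checked against the view, so only values (bound parameters),
    never SQL identifiers, come from the caller."""
    unknown = sorted(set(fields) - view_columns(conn))
    if unknown:
        raise ValueError(f"column(s) not in view: {unknown}")
    cols = sorted(fields)
    sql = "INSERT INTO ulog (%s) VALUES (%s)" % (
        ", ".join(cols), ", ".join("?" * len(cols)))
    conn.execute(sql, [fields[c] for c in cols])


def table_counts(conn):
    """Row count per real table, to show where the view's rows actually went."""
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
    return {n: conn.execute(f"SELECT count(*) FROM {n}").fetchone()[0]
            for n in names}


def demo():
    conn = fresh_db()
    # constructed sample traffic using RFC 5737 documentation addresses
    log_packet(conn, {"oob_time": 1700000000, "ip_saddr": "192.0.2.10",
                      "ip_daddr": "198.51.100.5", "ip_proto": 6,
                      "tcp_sport": 51234, "tcp_dport": 22})
    conn.executescript(SCHEMA_V2_DELTA)  # the schema changes under the writer
    log_packet(conn, {"oob_time": 1700000001, "ip_saddr": "192.0.2.11",
                      "ip_daddr": "198.51.100.5", "ip_proto": 17,
                      "udp_sport": 40000, "udp_dport": 53})
    rows = conn.execute("SELECT ip_saddr, ip_proto, tcp_dport, udp_dport "
                        "FROM ulog ORDER BY id").fetchall()
    return rows, table_counts(conn)
```

`demo()` logs one TCP packet under schema version 1, migrates to version 2, logs a UDP packet with the same `log_packet` function, and returns the two rows as seen through the view together with the per-table row counts (two packets, one tcp row, one udp row). The column check in `log_packet` is the practitioner's addition: the view's column list is read from the database, so the caller can never smuggle an identifier into the statement, only bound values.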

Next time

What? That’s all? Yes! That was a (short) introduction to what ulogd is. Next time, we’ll cover the installation and use of ulogd2.