Reference: http://www.wzdftpd.net/blog/index.php?post/2008/04/05/19-ulogd2-the-new-userspace-logging-daemon-for-netfilter-iptables-part-2
ulogd 2.0.1: http://www.netfilter.org/projects/ulogd/downloads.html
The following packages must be installed before ulogd 2.0.1:
- libnfnetlink, which provides the basic communication infrastructure via Netlink.
- libmnl, which also provides basic communication infrastructure via Netlink; this library will supersede libnfnetlink. Both libraries are still required because the transition from libnfnetlink to libmnl is not yet complete.
- libnetfilter_log for stateless packet-based logging via nfnetlink_queue.
- libnetfilter_conntrack for stateful flow-based logging via nf_conntrack_netlink.
- libnetfilter_acct for flexible traffic accounting via nfnetlink_acct and the iptables nfacct match (requires Linux kernel >= 3.3.x).
ulogd requires a Linux kernel >= 2.6.14, but Linux kernel >= 2.6.18 is strongly recommended. Note that if you need SQL database output support, you will also need the header files of the respective libraries.
We recommend installing the packages above under /usr/local/lib.
If you want ulogd to write its logs to a MySQL database, install MySQL first. For installing MySQL see:
http://blog.csdn.net/dlutxie/article/details/8243359
http://blog.csdn.net/dlutxie/article/details/8218078
The commands to install ulogd 2.0 are as follows:
tar xvf ulogd-2.0.1.tar.gz
cd ulogd-2.0.1
./configure --prefix=/usr/local/ulogd --with-mysql=/usr/local/mysql    # to add debugging options, append CFLAGS="-g -DDEBUG"
That is: ./configure --prefix=/usr/local/ulogd --with-mysql=/usr/local/mysql CFLAGS="-g -DDEBUG"
make
make install
Add /usr/local/ulogd/sbin to the /etc/ld.so.conf file.
Modify the configuration file as follows.
My configuration file: http://download.csdn.net/detail/dlutxie/5099951
# logfile for status messages
logfile="/var/log/ulogd.log"
# This is a stack for logging packets to MySQL. Note that only log1 can be used; log2 cannot be used to record data to the database!!!
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mac2str1:HWHDR,ip2str1:IP2STR,printpkt1:PRINTPKT,mysql1:MYSQL
#stack=log2:ULOG,base1:BASE,ip2bin1:IP2BIN,mysql1:MYSQL
# logging of system packets through nflog
[log1]
# netlink multicast group (the same as the iptables --nflog-group param)
# group 0 is used by the kernel to log connection tracking invalid messages
group=0
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
# set the number of packets to queue inside the kernel
#netlink_qthreshold=1
# set the delay before flushing packets in the queue inside the kernel (in 10 ms)
#netlink_qtimeout=100
# packet logging through nflog for group 1
[log2]
# netlink multicast group (the same as the iptables --nflog-group param)
group=1  # group has to be different from the one used in log1
netlink_socket_buffer_size=217088
netlink_socket_buffer_maxsize=1085440
# If your kernel is older than 2.6.29 and if an nflog input plugin for
# group 0 is not used by any stack, you need to have at least one nflog
# input plugin with bind set to 1. If you don't do that you may not
# receive any message from the kernel.
bind=1
# packet logging through nflog for group 2, numeric_label is
# set to 1
[log3]
# netlink multicast group (the same as the iptables --nflog-group param)
group=2  # group has to be different from the one used in log1/log2
numeric_label=1  # you can label the log info based on the packet verdict
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
#bind=1
[mysql1]
db="ulogd"
host="localhost"
user="root"
table="ulog"  # note that this field can only be ulog (the new table ulog is only a view), not ulog2
pass="root"
procedure="insert_packet_full"
charset="utf8"  # added after I modified the ulogd_output_mysql.c source file to fix garbled Chinese characters
[mysql2]
db="ulogd"
host="localhost"
user="ulogd"
table="ulog2_ct"
pass="ulogd"
procedure="insert_ct"
charset="utf8"
Create the ulogd log directory: mkdir -pv /var/log/ulogd
Modified ulogd_output_mysql.c source file: http://download.csdn.net/detail/dlutxie/5099927
Modified mysql-ulogd2.sql file: http://download.csdn.net/detail/dlutxie/5099937
Create the database tables:
1. Create the database. Specify the character set when creating it, or Chinese characters may come out garbled.
echo "create database ulogd character set utf8;" | mysql -u root -proot
2. Create the tables. The default character set used by the table creation script is latin1; if Chinese characters are garbled, change it to utf8 or GBK.
/usr/local/mysql/bin/mysql -u root -proot -D ulogd < ./doc/mysql-ulogd2.sql
3. Add the user and grant permissions:
echo "grant create, insert, select, delete, update on ulogd.* to ulogd@localhost identified by 'ulogd'" | /usr/local/mysql/bin/mysql -u root -proot
Possible problems when compiling ulogd:
ulogd_output_mysql.c:47:25: error: mysql/mysql.h: No such file or directory
make[3]: *** [ulogd_output_mysql.lo] Error 1
Change the #include <mysql/mysql.h> in ulogd-2.0.1/output/mysql/ulogd_output_mysql.c to #include </usr/local/mysql/include/mysql.h> (MySQL is installed under /usr/local/mysql).
ulogd_output_pcap.c:32:18: error: pcap.h: No such file or directory
Download and install a pcap package.
Mon Dec  3 21:15:44 2012 <7> ulogd.c:727 cannot find key 'label' in stack
Mon Dec  3 21:15:44 2012 <1> ulogd.c:873 destroying stack
Mon Dec  3 21:15:44 2012 <8> ulogd.c:1189 not even a single working plugin stack
This happens because table in the [mysql1] section of the configuration file was set to ulog2.
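As an added check that is not part of this post or of the ulogd project: a small Python script that reads a ulogd.conf and flags the three mistakes discussed above (an NFLOG or MYSQL instance named in a stack but without its section, one netlink group shared by several NFLOG instances, and table set to ulog2). The embedded configuration is constructed for the example and intentionally contains all three.

```python
import re
from collections import Counter

# Constructed sample modelled on the post's ulogd.conf (not the author's file);
# it deliberately carries the three mistakes the post warns about.
SAMPLE_CONF = """
[global]
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mac2str1:HWHDR,ip2str1:IP2STR,printpkt1:PRINTPKT,mysql1:MYSQL
stack=log2:NFLOG,base2:BASE,ip2bin2:IP2BIN,mysql2:MYSQL
[log1]
group=0
[log2]
group=0          # must differ from the group used in log1
[mysql1]
table="ulog2"    # only the ulog view works; ulog2 gives "cannot find key 'label'"
"""              # and mysql2 has no [mysql2] section at all

def parse_ulogd_conf(text):
    """Tiny ulogd.conf reader: {section: [(key, value), ...]}, keeping repeated keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif line:
            key, _, value = line.partition("=")
            sections.setdefault(current, []).append((key.strip(), value.strip().strip('"')))
    return sections

def check_stacks(sections):
    """Return the problems found in the stack= lines of [global] (empty list if none)."""
    problems, groups = [], []
    for key, value in sections.get("global", []):
        if key != "stack":
            continue
        for item in value.split(","):
            inst, _, plugin = item.strip().partition(":")
            if inst not in sections:
                if plugin in ("NFLOG", "MYSQL"):   # BASE, IFINDEX, IP2BIN ... run on defaults
                    problems.append(f"stack instance {inst} ({plugin}) has no [{inst}] section")
            elif plugin == "NFLOG":
                groups.append(int(dict(sections[inst]).get("group", "0")))
            elif plugin == "MYSQL" and dict(sections[inst]).get("table") == "ulog2":
                problems.append(f"[{inst}] table must be ulog, not ulog2")
    for group, n in Counter(groups).items():
        if n > 1:
            problems.append(f"nflog group {group} is used by {n} NFLOG instances")
    return problems
```

Run check_stacks(parse_ulogd_conf(open("/usr/local/ulogd/etc/ulogd.conf").read())) against a real file; an empty list means none of the three pitfalls is present.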
You can view the key information of each ulogd 2.0 plugin with ulogd -i <plugin file>. For example:
/usr/local/ulogd/sbin/ulogd -i /usr/local/ulogd/lib/ulogd/ulogd_inppkt_NFLOG.so
Name: NFLOG
Config options:
Var: bufsize (integer, default: 150000)
Var: group (integer, default: 0)
Var: unbind (integer, default: 1)
Var: bind (integer, default: 0)
Var: seq_local (integer, default: 0)
Var: seq_global (integer, default: 0)
Var: numeric_label (integer, default: 0) # raw.label
Var: netlink_socket_buffer_size (integer, default: 0)
Var: netlink_socket_buffer_maxsize (integer, default: 0)
Var: netlink_qthreshold (integer, default: 0)
Var: netlink_qtimeout (integer, default: 0)
Input keys:
Input plugin, no keys
Output keys:
Key: raw.mac (raw data) # NFULA_HWHEADER
Key: raw.pkt (raw data) # NFLOG_KEY_RAW_PCKT, opaque data payload
Key: raw.pktlen (unsigned int 32)
Key: raw.pktcount (unsigned int 32) # constant, always 1
Key: oob.prefix (string) # NFULA_PREFIX, set with --nflog-prefix
Key: oob.time.sec (unsigned int 32) # NFULA_TIMESTAMP seconds: seconds since 1970-01-01
Key: oob.time.usec (unsigned int 32) # NFULA_TIMESTAMP microseconds
Key: oob.mark (unsigned int 32) # generic packet mark, NFULA_MARK
Key: oob.ifindex_in (unsigned int 32) # input interface (bridge input port), NFULA_IFINDEX_INDEV
Key: oob.ifindex_out (unsigned int 32) # output interface (bridge output port), NFULA_IFINDEX_OUTDEV
Key: oob.hook (unsigned int 8) # NFULA_PACKET_HDR, NFLOG_KEY_OOB_HOOK
Key: raw.mac_len (unsigned int 16) # NFULA_HWLEN
Key: oob.seq.local (unsigned int 32) # instance-local sequence number
Key: oob.seq.global (unsigned int 32) # global sequence number
Key: oob.family (unsigned int 8) # protocol family; for IPv4 it is PF_INET (socket.h)
Key: oob.protocol (unsigned int 16) # NFULA_PACKET_HDR, NFLOG_KEY_OOB_PROTOCOL
Key: oob.uid (unsigned int 32) # user ID of the socket owner (uid for VFS ops), NFULA_UID
Key: oob.gid (unsigned int 32) # group ID of the socket owner (gid for VFS ops), NFULA_GID
Key: raw.label (unsigned int 8) # set by numeric_label in the configuration file
Key: raw.type (unsigned int 16) # interface hardware type; 1 is Ethernet, defined in include/linux/if_arp.h
Key: raw.mac.saddr (raw data)
Key: raw.mac.addrlen (unsigned int 16)
Key: raw (raw data) # NFLOG_KEY_RAW, the raw struct nflog_data *ldata
References for raw.type:
http://www.iana.org/assignments/arp-parameters/arp-parameters.xml
http://iana.org/protocols
http://www.nirtec.com/hardware/hardware.htm (interface types)
http://blog.csdn.net/lamdoc/article/details/7873120 (sk_buff definition and operations)
The hooknum member specifies the hook to which the registered function is attached:
NF_IP_PRE_ROUTING 0
NF_IP_LOCAL_IN 1: after routing, for packets destined for the local host.
NF_IP_FORWARD 2: for packets destined for another host (to be forwarded).
NF_IP_LOCAL_OUT 3: for packets generated by local processes, as they leave the local host.
NF_IP_POST_ROUTING 4: just before the packet goes "on the wire" when leaving the local host.