Use ULOGD to implement iptables logs

Source: Internet
Author: User
ULOGD - the Userspace Logging Daemon. A paragraph from the author's original README is reproduced here:
Harald Welte <laforge@gnumonks.org>
http://www.gnumonks.org/gnumonks/pr..._details?p_id=1
This package is intended for passing packets from the kernel to userspace
to do some logging there. It should work like that:

- Register a target called ULOG [iptables]
- If the target is hit:
  - Send the packet out using netlink multicast facility
  - Return NF_CONTINUE immediately

New with ipt_ULOG 0.8 we can accumulate packets in userspace and send
them in small batches (1-50) to userspace. This reduces the amount of
expensive context switches.

More than one logging daemon may listen to the netlink multicast address.

When we use iptables with the LOG target, the result always feels a little messy: everything ends up in the log, but we only need part of it, and pulling the useful records out of a large log and organizing them takes time. Storing these records in a database solves that. Looking through the iptables documentation I found the ULOG target; what follows is my experience installing and using it, which I hope is useful to those who need it.

ULOG records information about matched packets in user space. Both the packet information and the entire packet are multicast over a netlink socket, and one or more user-space processes then receive them. ULOG is the most mature and complete logging facility in iptables and Netfilter so far, and it comes with a number of better tools for recording packets. This target can be used to write records to MySQL or other databases, which makes it convenient to search for a specific packet or to group the records.
Because ULOG writes records directly from iptables into MySQL and other databases, it also performs better.

I. Prerequisite: if the kernel version is 2.4.18-pre8 or later, the kernel supports ULOG. Usually there is an ipt_ULOG.o under /lib/modules/<kernel version>/kernel/net/ipv4/netfilter/, which means you do not need to recompile the kernel. If it is not there, you have to recompile: use a kernel later than 2.4.18-pre8, select ULOG in the kernel options, and rebuild only the /kernel/net/ipv4/netfilter directory.
For a 2.4 kernel use make modules SUBDIRS=net/ipv4/netfilter,
for 2.6 use make ./net/ipv4/netfilter. If you are not sure, run make --help in the directory where your kernel source is.
Only the corresponding module is compiled; there is no need to rebuild the whole kernel, which saves time and effort.

II. The ulogd source code can be found here.
Then:
tar -jxvf ulogd-1.23.tar.bz2
cd ulogd-1.23
./configure --help
If you want support for MySQL, PostgreSQL, SQLite3 and so on, select the parameter --with-mysql=path or --with-pgsql=path. This requires the mysql-devel and pgsql-devel packages.
Run rpm -ql mysql-devel to find the include path and pass it to the option; for example, on my system it is /usr/include, so the option is --with-mysql=/usr/include.
./configure --with-mysql=/usr/include
If there is an error, read the error message and install the missing package.
make
make install
The default installation prefix is /usr/local/.
The installation is now complete; the next step is to use it.

III. Create a MySQL database, which will be used later.
The following are MySQL operations; comments are added for readers who are not familiar with MySQL.
# mysql -u root
mysql> create database ulogd;
# Create a database named ulogd for storing the ulogd records
mysql> grant create, select, insert on ulogd.* to ulog_user@localhost identified by 'ulog_passwd';
# Grant the create, select and insert privileges on the ulogd database to the user ulog_user, who can only log in from the local machine with the password ulog_passwd
mysql> quit

Then we need to load the table definition that ships with ulogd into MySQL. It is a standard SQL file in the doc/ directory that creates the ulog table:
cd ulogd-1.23/doc
# cat mysql.table | mysql -D ulogd -u ulog_user -p
Then enter the password ulog_passwd. If no error occurs, the table has been created; if there is one, read the error message and find the cause.
Verify that the table exists:

# mysql -u root
mysql> use ulogd;
mysql> show tables;
Check the output for a table named ulog. If it is there, this step succeeded.

IV. Next, modify the ulogd configuration file.
If you selected MySQL or other support in ./configure, you must modify the ulogd configuration file before the corresponding function works:
vi /etc/ulogd.conf
Change the following section to match the parameter given to ./configure. I chose MySQL support, as shown below:

# output plugins.
plugin="@libdir@/ulogd_LOGEMU.so"
#plugin="@libdir@/ulogd_OPRINT.so"
#plugin="@libdir@/ulogd_MYSQL.so"
#plugin="@libdir@/ulogd_PGSQL.so"
#plugin="@libdir@/ulogd_SQLITE3.so"
#plugin="@libdir@/ulogd_PCAP.so"

To:
# output plugins.
# comment out the LOGEMU line
#plugin="@libdir@/ulogd_LOGEMU.so"
#plugin="@libdir@/ulogd_OPRINT.so"
# enable mysql as the output plugin
plugin="@libdir@/ulogd_MYSQL.so"
#plugin="@libdir@/ulogd_PGSQL.so"
#plugin="@libdir@/ulogd_SQLITE3.so"
#plugin="@libdir@/ulogd_PCAP.so"

You also need to set the MySQL parameters: table name, password, user name, database name and host:
[MYSQL]
table="ulog"
pass="changeme"
user="laforge"
db="ulogd"
host="localhost"

Change them to match the values used above:
[MYSQL]
table="ulog"
pass="ulog_passwd"
user="ulog_user"
db="ulogd"
host="localhost"

If you want other parameters, modify them accordingly.
That is it; ulogd is now set up.

V. Using it:
First start the ulogd daemon:
ulogd -d
You can also copy ulogd.init from the ulogd-1.23 directory to /etc/init.d/ulogd, adjust the ulogd path in it as needed, run chkconfig --level 235 ulogd on, and then service ulogd start starts it.
Then add the corresponding logging rules to iptables.
There are four options available:
1. --ulog-nlgroup
iptables -A INPUT -p tcp --dport 22 -j ULOG --ulog-nlgroup 2
Specifies the netlink group the packet is sent to, for example --ulog-nlgroup 2. There are 32 netlink groups, numbered 1-32. The default is 1.

2. --ulog-prefix
iptables -A INPUT -p tcp --dport 22 -j ULOG --ulog-prefix "SSH connection attempt:"
Specifies a prefix for the record so that different records can be told apart. It is used like the LOG target's prefix, but can be up to 32 characters long.

3. --ulog-cprange
iptables -A INPUT -p tcp --dport 22 -j ULOG --ulog-cprange 100
Specifies how many bytes of each packet are sent to the ULOG agent in user space. For example, --ulog-cprange 100 means the first 100 bytes of the packet, which contain the headers and some of the leading payload, are copied to user space for recording. The default is 0, which copies the whole packet regardless of its size.

4. --ulog-qthreshold
iptables -A INPUT -p tcp --dport 22 -j ULOG --ulog-qthreshold 10
Specifies how many packets are collected in the kernel before ULOG sends them to user space for recording. For example, --ulog-qthreshold 10 means 10 packets are accumulated in the kernel first and then sent to user space together, as one netlink message made up of several parts.
The default is 1, for backward compatibility, because older versions could not handle multipart messages.
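The following Python model is an added illustration, not code from the original article or from ulogd. It shows what the two kernel-side knobs above trade against each other: --ulog-cprange bounds how many bytes of each packet cross into user space, and --ulog-qthreshold bounds how many kernel-to-userspace hand-offs (the "expensive context switches" from the README quoted at the top) a stream of matching packets costs. It assumes that a partial batch left at the end of the stream is flushed once, standing in for the kernel's timer-based flush, and uses the limits stated in the text (netlink groups 1-32, batches of 1-50, prefix up to 32 characters); the packet sizes are constructed.

```python
"""Added example (not part of the original article or of ulogd): a small
model of what the ULOG target's --ulog-cprange and --ulog-qthreshold
options do to the traffic between kernel and user space.

Assumptions (labelled): packet sizes are constructed; a leftover partial
batch is flushed at the end of the stream, standing in for the kernel's
timer-based flush; limits (nlgroup 1-32, qthreshold 1-50, prefix <= 32
characters) follow the article text.
"""
import shlex


def copied_bytes(packet_len: int, cprange: int) -> int:
    """--ulog-cprange: 0 copies the whole packet, N copies its first N bytes."""
    if cprange < 0:
        raise ValueError("cprange must be >= 0")
    return packet_len if cprange == 0 else min(packet_len, cprange)


def simulate_ulog(packet_lens, cprange=0, qthreshold=1):
    """Return (netlink messages sent, bytes copied) for a packet stream.

    Each message carries up to qthreshold packets, so one kernel->userspace
    hand-off serves several log entries instead of one.
    """
    if not 1 <= qthreshold <= 50:
        raise ValueError("qthreshold must be 1-50")
    messages = 0
    queued = 0
    total_bytes = 0
    for length in packet_lens:
        total_bytes += copied_bytes(length, cprange)
        queued += 1
        if queued == qthreshold:        # batch is full: one multipart message
            messages += 1
            queued = 0
    if queued:                          # partial batch: flushed by the kernel timer
        messages += 1
    return messages, total_bytes


def iptables_rule(dport, nlgroup=1, prefix="", cprange=0, qthreshold=1):
    """Build the iptables command line for these settings, checking the limits."""
    if not 1 <= nlgroup <= 32:
        raise ValueError("nlgroup must be 1-32")
    if len(prefix) > 32:
        raise ValueError("prefix is limited to 32 characters")
    parts = ["iptables", "-A", "INPUT", "-p", "tcp", "--dport", str(dport),
             "-j", "ULOG", "--ulog-nlgroup", str(nlgroup)]
    if prefix:
        parts += ["--ulog-prefix", shlex.quote(prefix)]
    if cprange:
        parts += ["--ulog-cprange", str(cprange)]
    if qthreshold != 1:
        parts += ["--ulog-qthreshold", str(qthreshold)]
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed stream: 25 full-size Ethernet frames hitting the rule.
    stream = [1500] * 25
    print("defaults        :", simulate_ulog(stream))
    print("cprange=100,q=10:", simulate_ulog(stream, cprange=100, qthreshold=10))
    print(iptables_rule(22, nlgroup=2, prefix="SSH connection attempt:",
                        cprange=100, qthreshold=10))
```

With the defaults, 25 packets cost 25 messages and 37,500 copied bytes; with --ulog-cprange 100 and --ulog-qthreshold 10 the same stream costs 3 messages and 2,500 bytes. The price of the larger threshold is latency: the last few records only reach the database when the batch fills or the kernel's flush timer fires.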

When you use ULOG wherever logs need to be recorded, every matching packet produces a corresponding record in your MySQL database ulogd.
I have to say a word about its defects. When I check the records, I find that the recorded IP address is an unsigned integer, so you have to convert it yourself: first convert it to hexadecimal, and then convert every two digits. It is not intuitive at all. I don't know whether it can be changed; perhaps someone more capable can.
Convert the data yourself. You can log on to the MySQL database to view the recorded data, and there are now many MySQL front-end tools, such as phpMyAdmin, which make viewing easier. That is not covered here; the forum has a lot of related information.
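The conversion complained about above can be done without hand arithmetic. The Python script below is an added example, not part of the original article or of ulogd: it converts the stored unsigned integer to dotted-quad form (both with the standard library and by the hex-pairs method the article describes) and then queries ulog-style records with readable addresses. It assumes the ulogd 1.x column names (ip_saddr, ip_daddr, ip_protocol, tcp_sport, tcp_dport, oob_prefix, oob_time_sec) and uses an in-memory SQLite database with constructed rows in place of MySQL so it runs offline; on a real MySQL server the same query works with the built-in INET_NTOA() function, since ulogd stores the address as a host-order 32-bit number.

```python
"""Added example (not from the original article or from ulogd): reading ULOG
records whose IP addresses are stored as unsigned 32-bit integers.

Assumptions (labelled): column names follow the ulogd 1.x mysql.table layout;
a local sqlite3 database stands in for MySQL so the script runs offline
(MySQL provides INET_NTOA() natively); the sample rows are constructed.
"""
import ipaddress
import sqlite3


def int_to_ip(value: int) -> str:
    """Convert an unsigned 32-bit host-order integer to dotted-quad text."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit unsigned integer")
    return str(ipaddress.IPv4Address(value))


def int_to_ip_by_hand(value: int) -> str:
    """Same conversion the way the article describes: hex, then two digits at a time."""
    hex_digits = format(value, "08x")                  # 3232235777 -> 'c0a80101'
    octets = [int(hex_digits[i:i + 2], 16) for i in range(0, 8, 2)]
    return ".".join(str(o) for o in octets)


def ip_to_int(text: str) -> int:
    """Inverse conversion, validating the address on the way."""
    return int(ipaddress.IPv4Address(text))


# Subset of the ulog table columns (assumed from ulogd 1.x mysql.table).
SCHEMA = """
CREATE TABLE ulog (
  id INTEGER PRIMARY KEY,
  oob_time_sec INTEGER,
  oob_prefix TEXT,
  ip_saddr INTEGER,
  ip_daddr INTEGER,
  ip_protocol INTEGER,
  tcp_sport INTEGER,
  tcp_dport INTEGER
)
"""

# Constructed sample records: two SSH attempts from one host and one DNS reply.
SAMPLE_ROWS = [
    (1700000000, "SSH connection attempt:", ip_to_int("203.0.113.7"),
     ip_to_int("192.168.1.10"), 6, 51515, 22),
    (1700000001, "SSH connection attempt:", ip_to_int("203.0.113.7"),
     ip_to_int("192.168.1.10"), 6, 51516, 22),
    (1700000005, "", ip_to_int("192.168.1.1"),
     ip_to_int("192.168.1.10"), 17, 53, 40000),
]


def open_sample_db() -> sqlite3.Connection:
    """Create the in-memory stand-in for the ulogd database and load the rows."""
    conn = sqlite3.connect(":memory:")
    # MySQL has INET_NTOA() built in; sqlite3 does not, so register our own.
    conn.create_function("INET_NTOA", 1, int_to_ip)
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO ulog (oob_time_sec, oob_prefix, ip_saddr, ip_daddr,"
        " ip_protocol, tcp_sport, tcp_dport) VALUES (?, ?, ?, ?, ?, ?, ?)",
        SAMPLE_ROWS)
    return conn


def connections_by_source(conn: sqlite3.Connection, dport: int = 22):
    """Count TCP packets to dport per source address, most active first."""
    return conn.execute(
        "SELECT INET_NTOA(ip_saddr) AS src, COUNT(*) AS n"
        " FROM ulog WHERE ip_protocol = 6 AND tcp_dport = ?"
        " GROUP BY ip_saddr ORDER BY n DESC", (dport,)).fetchall()


if __name__ == "__main__":
    print(int_to_ip(3232235777), int_to_ip_by_hand(3232235777))
    for src, n in connections_by_source(open_sample_db()):
        print(f"{src}: {n} packet(s) to port 22")
```

The GROUP BY is on the raw integer column, which stays cheap and indexable; the conversion to text happens only on the rows returned.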
