Ulogd-User Space Log Daemon
A passage quoted from the author, Harald Welte <laforge@gnumonks.org>:
- netlink multicast facility
- returns NF_CONTINUE immediately.
- In ipt_ULOG 0.8 we can accumulate packets and send them to user space in small batches (1-50). This reduces expensive context switching.
- More than one logging daemon can listen on a netlink multicast address.
When we use iptables with the LOG target we always feel a little lost: everything is in the log, but we only need part of it, and extracting the useful records from the mass of logs takes a lot of brainpower and careful organisation. If all of these records were kept in a database instead, it would be easy. So I checked the iptables documentation and found the ULOG tool. The following is my experience installing and using it.
ULOG logs information about matching packets to user space: the packet metadata and the whole packet are multicast over a netlink socket, and one or more user space processes receive them. In that sense ULOG is the most mature and complete logging facility under iptables and Netfilter, since it opens the door to many better tools for recording packets. One such goal is to record the information into MySQL or another database, which makes it easy to search for a specific packet or a group of records.
Writing the records straight from iptables into MySQL or another database through ULOG also performs better.
First, the prerequisites: if the kernel version is >= 2.4.18-pre8, the kernel already supports ULOG, and the module is usually found at /lib/modules/<kernelversion>/kernel/net/ipv4/netfilter/ipt_ULOG.o, which means you don't need to recompile the kernel. If it isn't there, you have to rebuild: with a kernel newer than 2.4.18-pre8, select ULOG in the kernel configuration and recompile only the net/ipv4/netfilter directory.
On 2.4 kernels: make modules SUBDIRS=net/ipv4/netfilter
On 2.6 kernels: make net/ipv4/netfilter/
If you are not sure, run make help in the kernel source directory and read the relevant instructions.
Compiling just the one module, instead of the whole kernel again, saves time and effort.
Secondly, the ulogd source code can be found at filter.org/pub/ulogd/, and an SRPM package is available in the same place.
Then:
tar -jxvf ulogd-1.23.tar.bz2
cd ulogd-1.23
./configure --help
If you want MySQL, PostgreSQL, SQLite3 etc. support, add the optional parameters --with-mysql=path or --with-pgsql=path; these require the mysql-devel and pgsql-devel packages.
Use rpm -ql mysql-devel to see which path it is and put that after the option. For example, on my system it is /usr/include, which gives --with-mysql=/usr/include:
./configure --with-mysql=/usr/include
If there is an error, read the message and install whatever is missing; it should be no problem.
make
make install
The default installation path is /usr/local/.
At this point the installation is finished; the next step is to actually use its features.
Third, 1. Create the MySQL database, which will be used later.
Below are the MySQL operations, with comments so that the brothers who don't know MySQL can follow:
# mysql -u root
mysql> create database ulogd;
# Create a database named ulogd for storing ulogd's records.
mysql> grant create, select, insert on ulogd.* to 'ulog_user'@'localhost' identified by 'ulog_passwd';
# Gives the user ulog_user exactly three privileges on the ulogd database (create, select and insert); ulog_user can only log in from this machine, with the password ulog_passwd.
mysql> quit
Then load ulogd's built-in table definition into MySQL. It is a standard SQL file in the doc/ directory, used to create ulogd's table:
cd ulogd-1.23/doc
# cat mysql.table | mysql -D ulogd -u ulog_user -p
Then enter the password ulog_passwd; if nothing goes wrong the table is created. If there is an error, check the message and find the cause.
Verify that the table was created:
# mysql -u root
mysql> use ulogd;
mysql> show tables;
Check the output for a table named ulog. If it is there, it worked.
4. Next, modify ulogd's configuration file:
If you selected MySQL or another such parameter at configure time, you must edit the ulogd configuration file before the corresponding function can be used.
vi /etc/ulogd.conf
Change the following section to match the parameters you gave to ./configure. I chose MySQL support, as follows:
# output plugins.
plugin="@libdir@/ulogd_LOGEMU.so"
#plugin="@libdir@/ulogd_OPRINT.so"
#plugin="@libdir@/ulogd_MYSQL.so"
#plugin="@libdir@/ulogd_PGSQL.so"
#plugin="@libdir@/ulogd_SQLITE3.so"
#plugin="@libdir@/ulogd_PCAP.so"
Change it to:
# output plugins.
#plugin="@libdir@/ulogd_LOGEMU.so"    # comment out this line
#plugin="@libdir@/ulogd_OPRINT.so"
plugin="@libdir@/ulogd_MYSQL.so"      # enable MySQL as the output plugin
#plugin="@libdir@/ulogd_PGSQL.so"
#plugin="@libdir@/ulogd_SQLITE3.so"
#plugin="@libdir@/ulogd_PCAP.so"
Also adjust the MySQL parameters: table name, password, user name, database name and login host. The defaults are:
[MYSQL]
table="ulog"
pass="changeme"
user="laforge"
db="ulogd"
host="localhost"
Change them to match the values set up above:
[MYSQL]
table="ulog"
pass="ulog_passwd"
user="ulog_user"
db="ulogd"
host="localhost"
If you prefer other values, adjust these accordingly.
Well, at this point ulogd is fully configured.
Fifth, the next step is putting it to work.
First start the ulogd daemon:
ulogd -d
You can also copy ulogd.init from the ulogd-1.23 directory to /etc/init.d/ulogd, adjust the path to ulogd in it, run chkconfig --level 235 ulogd on, and then start it with service ulogd start.
Then add the corresponding logging rules in iptables.
There are four parameters available:
1. --ulog-nlgroup
iptables -A INPUT -p tcp --dport 22 -j ULOG --ulog-nlgroup 2
Specifies which netlink group the packet is sent to, e.g. --ulog-nlgroup 2. There are 32 netlink groups, simply numbered 1-32. The default is 1.
2. --ulog-prefix
iptables -A INPUT -p tcp --dport 22 -j ULOG --ulog-prefix "SSH connection attempt:"
Specifies a prefix for the logged information, so that records from different rules can be told apart. It is used like the LOG target's prefix, but can be up to 32 characters long.
3. --ulog-cprange
iptables -A INPUT -p tcp --dport 22 -j ULOG --ulog-cprange 100
Specifies how many bytes of each packet are sent to the ULOG agent in user space. For example, --ulog-cprange 100 means the first 100 bytes of the whole packet are copied to user space and recorded, covering the headers and the beginning of the payload. The default is 0, which means the whole packet is copied no matter how large it is.
4. --ulog-qthreshold
iptables -A INPUT -p tcp --dport 22 -j ULOG --ulog-qthreshold 10
Tells ULOG how many packets to queue in the kernel before sending them to user space for logging. For example, --ulog-qthreshold 10 accumulates 10 packets in the kernel and then sends them to user space together, as one netlink message made up of several parts.
The default is 1, for backward compatibility, because earlier versions could not handle such multi-part messages.
Wherever you use ULOG for logging, whenever a packet matches a rule there will be a corresponding record in your MySQL database ulogd.
There is one thing I have to mention. When I read the records I found that the logged IP address is an unsigned integer, which means you have to convert it yourself:
convert it to hexadecimal first, then convert every two hex digits back to decimal. It's not intuitive at all. I don't know whether this can be changed; perhaps a capable brother
can modify it himself, hehe. You can view the recorded data by logging into the MySQL database, and there are now many MySQL front-end tools;
using them together is more convenient, e.g. phpMyAdmin, which I won't cover here.
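To make the integer fields readable, here is an added Python example (not from the original post or from ulogd) that decodes ulog table rows into LOG-style lines and filters them by --ulog-prefix. It assumes the column names ip_saddr, ip_daddr, ip_protocol, tcp_sport, tcp_dport, oob_prefix and oob_time_sec from ulogd's doc/mysql.table, and uses constructed sample rows in place of a live database.

```python
"""Decode ulogd 'ulog' table rows into LOG-style lines (added example; not from
the original post or from ulogd).  Column names follow ulogd 1.x doc/mysql.table
as assumed here; the rows are constructed sample data, not a real capture."""
import socket
import struct
import time

# Constructed rows, shaped like `SELECT oob_time_sec, oob_prefix, ip_saddr,
# ip_daddr, ip_protocol, tcp_sport, tcp_dport FROM ulog` would return them.
SAMPLE_ROWS = [
    {"oob_time_sec": 1136073600, "oob_prefix": "SSH connection attempt:",
     "ip_saddr": 3232235777, "ip_daddr": 3232235786,
     "ip_protocol": 6, "tcp_sport": 51234, "tcp_dport": 22},
    {"oob_time_sec": 1136073605, "oob_prefix": "SSH connection attempt:",
     "ip_saddr": 167772161, "ip_daddr": 3232235786,
     "ip_protocol": 6, "tcp_sport": 40000, "tcp_dport": 22},
    {"oob_time_sec": 1136073610, "oob_prefix": "ICMP:",
     "ip_saddr": 134744072, "ip_daddr": 3232235786,
     "ip_protocol": 1, "tcp_sport": 0, "tcp_dport": 0},
]

def int_to_ip(n):
    """Unsigned 32-bit integer (how ip_saddr/ip_daddr are stored) -> dotted quad.
    Same result as the post's "hex, then each pair of digits to decimal" method,
    or as MySQL's INET_NTOA(ip_saddr) when done inside the query."""
    return socket.inet_ntoa(struct.pack("!I", n))

def ip_to_int(addr):
    """Dotted quad -> unsigned integer, for WHERE ip_saddr = ... lookups
    (the MySQL equivalent is INET_ATON('192.168.1.1'))."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]

def render_row(row):
    """Format one row the way ulogd_LOGEMU or the LOG target would print it."""
    ts = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(row["oob_time_sec"]))
    line = "%s %s SRC=%s DST=%s PROTO=%d" % (
        ts, row["oob_prefix"], int_to_ip(row["ip_saddr"]),
        int_to_ip(row["ip_daddr"]), row["ip_protocol"])
    if row["ip_protocol"] == 6:  # TCP: the port columns are meaningful
        line += " SPT=%d DPT=%d" % (row["tcp_sport"], row["tcp_dport"])
    return line

def select_by_prefix(rows, prefix):
    """Pull out the records written by one --ulog-prefix rule."""
    return [render_row(r) for r in rows if r["oob_prefix"] == prefix]

if __name__ == "__main__":
    for entry in select_by_prefix(SAMPLE_ROWS, "SSH connection attempt:"):
        print(entry)
```

Inside the query itself, MySQL's INET_NTOA(ip_saddr) and INET_ATON('a.b.c.d') perform the same two conversions, so no client-side code is strictly required.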
Q:
I think it was posted. . . . .