<!doctype linuxdoc system>
<!-- $Id$ -->
<title>ULOGD - the Userspace Logging Daemon</title>
<author>Harald Welte <email@example.com></author>
<date>Revision $Revision$, $Date$</date>
This is the documentation for <tt>ulogd</tt>, the Userspace logging daemon.
ulogd makes use of the Linux 2.4 firewalling subsystem (netfilter) and the
ULOG target for netfilter.
I want to provide a flexible, almost universal logging daemon for my netfilter
ULOG target. It is not optimized in any way, the goal is to keep as simple as
possible. These are my thoughts about how the architecture which is most
capable of doing that:
It should be possible to add plugins / runtime modules for new protocols, etc.
For example the standard logging daemon provides source-ip, dest-ip,
source-port, dest-port, etc. Logging for variuos other protocols (GRE,
IPsec, ...) may be implemented as modules.
... describe how and where to put the information gained by logging plugins.
The easiest way is to build a line per packet and fprint it to a file.
Some people might want to log into a SQL database or want an output
conforming to the intrusion detection systems communication draft from the
The major clue is providing a framework which is as flexible as possible.
Nobody knows what strange network protocols are out there :) Flexibility
depends on the communication between the output of the logging plugins
and input of the output plugins.
Rusty advised me to use some kind of type-key-value triples, but I think
this is the total overkill and is too complicated for me to implement it
in a reasonable short period of time. (3 hours later) Hmm... Rusty finally
convinced me to use linked lists of type-key-value triples - and it wasn't
Another issue is, of course, performance. Up to ulogd 0.3, ulogd did several
linked list iterations and about 30 malloc() calls _per packet_. This
changed with the new 0.9 revision:
<item>Not a single dynamic allocation in the core during runtime.
Everything is pre-allocated at start of ulogd to provide the highest
<item>Hash tables in addition to the linked lists. Linked lists are only
traversed if we really want to access each element of the list.
First you will need a recent 2.4.x kernel. At the time this document was
written, 2.4.0-test11-pre5 was the latest development version. Ulogd should
work with all kernels >= 2.4.0-test4.
<sect1>netfilter / iptables
In addition you need the latest iptables package, or even better: the latest
CVS snapshot. A description how to obtain this is provided on the netfilter
homepage <URL URL="http://netfilter.kernelnotes.org">.
ulogd is based on a special netfilter extension, called the netfilter ULOG
target module. You have to patch this extension into your kernel, as it
has not been integrated into the main kernel yet. To make this as easy
as possible, netfilter provides the 'patch-o-matic' subsystem.
To run patch-o-matic, just type
in the userspace directory of netfilter CVS.
<sect2>Recompiling the source
Download the ulogd package from <URL URL="http://www.gnumonks.org/ftp/pub/netfilter"> and
Run './configure' and 'make install'.
Copy the configuration file 'ulogd.conf' to /etc
<sect2>Using a precompiled package
I also provide redhat-6.2 and redhat-7.0 RPM's, available at <URL URL="http://www.gnumonks.org/ftp/pub/rpms/redhat-7.0/RPMS/i386"> and <URL URL="http://www.gnumonks.org/ftp/pub/rpms/redhat-6.2/RPMS/i386">.
Just download the package and do the usual 'rpm -i <file>'.
Just add rules using the ULOG target to your firewalling chain. A very basic
iptables -A FORWARD -j ULOG --ulog-nlgroup 32 --prefix foo
Of course you can combine the ULOG target with the different netfilter match modules.
For a more detailed description, have a look at the netfilter HOWTO's, available on
the netfilter homepage.
All configurable parameters of ulogd are in the configfile '/etc/ulogd.conf'
The following configuration parameters are available:
The netlink multicast group, which ulgogd should bind to. This is the same as given with the '--ulog-nlgroup' option to iptables.
The main logfile, where ulogd reports any errors, warnings and other unexpected
This specifies, how verbose the logging to logfile is. Currently defined loglevels are: 1=debug information, 3=informational messages, 5=noticable exceptional conditions, 7=error conditions, 8=fatal errors, program abort.
This option is followed by a filename of a ulogd plugin, which ulogd shold load upon initialization. This option may appear more than once.
ulogd comes with the following plugins:
Basic interpreter plugin for nfmark, timestamp, mac address, ip header, tcp header, udp header, icmp header, ah/esp header.
Example interpreter plugin to log plaintext passwords as used with FTP and POP3. Don't blame me for writing this plugin! The protocols are inherently insecure, and there are a lot of other tools for sniffing passwords... it's just an example.
A very simple output module, dumping all packets in the format
to a file.
<p>The module defines the following configuration directives:
The filename where it should log to. The default is <tt>/var/log/ulogd.pktlog</tt>
An output module which tries to emulate the old syslog-based LOG targed as far as possible. Logging is done to a textfile instead of syslog, though.
The module defines the following configuration directives:
<tag>syslogfile</tag>The filename where it should log to. The default is <tt>/var/log/ulogd.syslogemu</tt>
An output plugin for logging into a mysql database. This is only compiled if you have the mysql libraries installed, and the configure script was able to detect them. (FIXME: how to do this)
The plugin automagically inserts the data into the configured table; It connects to mysql during the startup phase of ulogd and obtains a list of the columns in the table. Then it tries to resolve the column names against keys of interpreter plugins. This way you can easly select which information you want to log - just by the layout of the table.
If, for example, your table contains a field called 'ip_saddr', ulogd will resolve this against the key 'ip.saddr' and put the ip address as 32bit unsigned integer into the table.
You may want to have a look at the file '<tt>doc/mysql.table</tt>' as an example table including fields to log all keys from ulogd_BASE.so. Just delete the fields you are not interested in, and create the table.
The module defines the following configuration directives:
Name of the table to which ulogd should log
Name of the mysql database
Name of the mysql database host
Name of the mysql user
Password for mysql
<sect> QUESTIONS / COMMENTS
All comments / questions / ... are appreciated.
Just drop me a note to firstname.lastname@example.org