summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Add missing enableval to configureulogd-2.0.5Eric Leblond2015-04-241-3/+14
| | | | Without that --disable-FEATURE is not working correctly.
* Add flag to disable ULOG input pluginEric Leblond2015-04-242-1/+14
| | | | | ULOG target is removed from kernel so we can prepare the removal of the plugin for ulogd. For now, we just add a configure flag.
* Set release number to 2.0.5.Eric Leblond2015-04-031-1/+1
|
* include: keep a copy of linux/netfilter_ipv4/ipt_ULOG.hPablo Neira Ayuso2014-11-144-3/+53
| | | | | | | | | | This fixes compilation if you use a Linux kernel >= 3.17. This problem occurs since ULOG was removed from mainstream: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7200135bc1e61f1437dc326ae2ef2f310c50b4eb Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=986 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Fix JSON output on big endian systemsJimmy Jones2014-08-111-0/+11
| | | | Signed-off-by: Jimmy Jones <jimmyjones2@gmx.co.uk>
* gitignore: add manpageEric Leblond2014-07-011-0/+1
| | | | Signed-off-by: Eric Leblond <eric@regit.org>
* gitignore: ignore generated documentationVincent Bernat2014-07-011-0/+3
| | | | Signed-off-by: Vincent Bernat <Vincent.Bernat@exoscale.ch>
* Set release number to 2.0.4.ulogd-2.0.4Eric Leblond2014-03-071-1/+1
| | | | Signed-off-by: Eric Leblond <eric@regit.org>
* ulogd: fix loglevel handlingKen-ichirou MATSUZAWA2014-03-071-1/+2
| | | | | | It was always default if not specified by command parameter. Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
* printpkt: oob.time.sec was not usedEric Leblond2014-03-072-2/+0
| | | | | | | This patch supresses the oob.time.sec from the input keys as this is not used when creating the string corresponding to the packet. Signed-off-by: Eric Leblond <eric@regit.org>
* json: use packet timestamp if availableEric Leblond2014-03-071-5/+43
| | | | | | | | | This patch updates the JSON output plugin to have it use the timestamp of the packet if available. The date format used for the timestamp is now using ISO 8601 to have an easy import in most software (tested with logstash and splunk). Signed-off-by: Eric Leblond <eric@regit.org>
* nfct: use start timestamp if providedEric Leblond2014-02-221-4/+14
| | | | | | | | When hash table is not used, the start timestamp was not used even if the kernel is sending it. This patch modifies the code to use it when available. This allows to log connection with start and end with a single message per connection and without the cost of maintaining the hash table.
* ulogd: add carriage return as separatorEric Leblond2014-02-221-3/+3
| | | | | | | If the file is in DOS mode, the string coming from config file parsing are containing the carriage return. The result is that string are not correct and the parsing of confuguration file is failling.
* ulogd: avoid potential double print of messageEric Leblond2014-02-041-2/+2
| | | | | In case there is no logfile, ulogd could possibly display each log message twice to stderr.
* json: introduce new JSON output pluginEric Leblond2014-01-284-0/+291
| | | | | | | | | | | | | | This patch introduces a new JSON output plugin. This patch displays CIM field name instead of ulogd key valu if this CIM field is available. The module does not display binary address but uses the string version of them. So a complete stack is for example: stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,json1:JSON If boolean_label is set to 1, then the numeric_label put on packet by the input plugin is coding the decision on packet. If 0, then packet has been blocked and if non null it has been accepted.
* store Common Information Model name in ulogd keyEric Leblond2014-01-283-2/+15
| | | | | | | | | | | | | | | | | | | This patch adds storage for CIM field name in ulogd key. This will be used by JSON output to interoperate with logging collector such as logstash or splunk. Common Information Model is an open standard that defines how managed elements in an IT environment are represented as a common set of objects and relationships between them: http://www.dmtf.org/standards/cim This seems to be mainly XML based but there is a JSON version of some aspects of the model. One of the main documentation on CIM in JSON format seems to be: http://docs.splunk.com/Documentation/PCI/2.0/DataSource/CommonInformationModelFieldReference Using the correct CIM field name allow events coming from ulogd to be correlated with events coming from other sources.
* db: don't loose one packet on reconnectEric Leblond2014-01-261-1/+2
| | | | | | This patch improves database reconnection handling in ring buffer mode. Ulogd now redo the failed query and do not loose anymore one packet.
* db: cancel injection thread when terminatingEric Leblond2014-01-251-0/+17
| | | | | | Injection thread was not cancelled when a termination signal was sent. This was causing a crash in some cases. This patch fixes this by canceling the thread when a SIGTERM or SIGINT signal is received.
* db: set ring default size to 0Eric Leblond2014-01-251-1/+1
| | | | | | | | | As default size was non null, the ring system was activated by default. It was only possible to desactivate the ring system by setting it to ring_buffer_size to 0 in the configuration. This was not the attended behavior. This patch set it to 0 to have only explicit activation of the ring feature.
* util: fix warning on format stringEric Leblond2014-01-251-20/+21
| | | | | | | pp_print macro was not correctly formatting u64. This patch renames it to pp_print_u as it is only used to print integer. It also use the PRIu* macros to have a correct format string for all integers type.
* nacct: fix format warningEric Leblond2014-01-252-2/+3
| | | | | | Some counter have been recently switch to u64. This has caused warnings relative to format string. This patch uses PRIu64 macro to fix these warnings.
* ulogd: use AC_SEARCH_LIBS for libpthreadGustavo Zacarias2013-12-112-3/+4
| | | | | | | | | Some uClibc-based toolchains lack threading support, so use AC_SEARCH_LIB instead of AC_CHECK_LIB to check for libpthread availability and link conditionally if found since it's only used for the database backends. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
* Set release number to 2.0.3.ulogd-2.0.3Eric Leblond2013-11-191-1/+1
| | | | Signed-off-by: Eric Leblond <eric@regit.org>
* ulogd: ulogd_inppkt_NFLOG: close nflog handle after unbindingChris Boot2013-11-181-1/+1
| | | | | | | | The nflog handle is closed, and then nflog_unbind_pf() is called on it, which triggers an assertion failure within libnfnetlink. This patch simply moves the nflog_close() just after the nflog_unbind_pf() calls. Signed-off-by: Chris Boot <bootc@bootc.net>
* nfct: make NFCT packet counter/length 64 bitUlrich Weber2013-10-103-28/+28
| | | | | | | | | | | | | | Kernel and libnetfilter_conntrack counters are 64bit, so use 64bit too in ulogd instead of 32bit. Worked fine on little endian systems but big endian systems had zero counter... Didn't test ipfix output, but RFC allows template with either 32 or 64 counters, so should be safe. Signed-off-by: Ulrich Weber <uw@xyne.com> Signed-off-by: Eric Leblond <eric@regit.org>
* ulogd: use daemon() functionEric Leblond2013-10-101-17/+13
| | | | | | | | This patches update the daemonization code. It is done earlier and it uses the daemon(à function which is used for daemonization by most projects. Signed-off-by: Eric Leblond <eric@regit.org>
* ulogd.conf: add missing quote.Eric Leblond2013-10-101-1/+1
| | | | | | | | Pcap file variable was not quoted. This was confusing as the correct file was not open if the user did uncomment the variable. Signed-off-by: Eric Leblond <eric@regit.org>
* pgsql: add var to specify arbitrary conn paramsEric Leblond2013-06-082-40/+53
| | | | | | | | | This patch adds a configuration variable for PostgreSQL output. Named connstring it stores the character string that will be used to connect to the PostgreSQL server. This allows the user to use all options available like TLS parameters for example. Signed-off-by: Eric Leblond <eric@regit.org>
* Improve pid file handling.Eric Leblond2013-05-211-12/+54
| | | | | | | | | | This patch improves latest patch by splitting in two part the pid file creation. This allows to display a message to stdout when ulogd can not be started. Another linked improvement is that the plugin initialization is not done if the pid file existence will result in a ulogd exit. Signed-off-by: Eric Leblond <eric@regit.org>
* ulogd: Implement PID file writingChris Boot2013-05-212-1/+149
| | | | | | | | The deamon currently does not have the ability to write a PID file to track its process ID. This is very useful to an init script and to ensure there is only one running instance. This patch implements this functionality. Signed-off-by: Chris Boot <bootc@bootc.net>
* ulogd: Perform nice() before giving up rootChris Boot2013-05-211-7/+7
| | | | | | | | The daemon code currently tries to nice(-1) just after having given up root privileges, which fails. This patch moves the nice(-1) call to just before the code that gives up the required privileges. Signed-off-by: Chris Boot <bootc@bootc.net>
* Exec libmnl config check only if nfacct is enabledVictor Julien2013-05-211-1/+1
| | | | | | In case nfacct is not enabled in ulogd2, libmnl is not used. So it shouldn't be a hard global dependency, but instead only a dependency in case nfacct is enabled.
* db: db ring has precedence over backlog.Eric Leblond2013-05-211-5/+7
|
* db: disable SIGHUP if ring buffer is used.Eric Leblond2013-05-211-3/+8
| | | | | | | The handling of signal when using threads can be complicated. When ring buffer is used for query, this means ulogd will have to follow some sort of mutex. Thus, it is easier and better performance wise to disable the reload via SIGHUP when the ring buffer is used.
* db: add ring buffer for DB queryEric Leblond2013-05-215-14/+178
| | | | | | | | | | | This patch adds an optional ring buffer option which modify the way database queries are made. The main thread is only handling kernel message reading and query formatting. The SQL request is made in a separate dedicated thread. The idea is to try to avoid buffer overrun by minimizing the time requested to treat kernel message. Doing synchronous SQL request, as it was made before was causing a delay which could cause some messages to be lost in case of burst from kernel side.
* db: use offset instead of direct pointer.Eric Leblond2013-05-212-8/+10
| | | | | Use an offset approach to get the start of values printing area. It is more generic and will be use soon.
* db: suppress field in db structureEric Leblond2013-05-212-19/+19
| | | | | The field is currently only used in a single function as a string pointer and can thus be removed from the db instance structure.
* db: store data in memory during database downtimeEric Leblond2013-05-213-33/+180
| | | | | | | This patch is adding a mechanism to store query in a backlog build in memory. This allow to store events during downtime in memory and realize the effective insertion when the database comes back. A memory cap is used to avoid any memory flooding.
* sqlite3: add sanity checkingEric Leblond2013-04-201-0/+2
| | | | Nullify sqlite3 handler at deinit.
* mysql: add sanity checkingEric Leblond2013-04-201-1/+3
| | | | Nullify mysql handler at deinit.
* postgresql: add sanity checkingEric Leblond2013-04-201-1/+3
| | | | Clean postgresql handler at deinit.
* Fix automagic support of dbi, pcap and sqlite3Ilya Tumaykin2013-04-201-10/+20
| | | | | | | | | | | | | | | | | | ulogd has automagic deps for several output plugins right now, namely dbi, pcap and sqlite3. These plugins are built if the appropriate libs are present on user's system. While this situation is fine with binary distros it is not OK on source-based ones such as Gentoo. The problem arises when such a program links against libs without user's request and libs are later removed from system which leaves program in a broken state. This patch is modifying configure.ac which we apply in our package and which fixes mentioned issue. It adds 3 new configure options: -- without-{dbi,pcap.sqlite}. I would like to emphasize that this patch doesn't change default behaviour of configure script at all, so all other distros won't suffer. We simply add options to explicitly disable any attempts to try and detect libs for automagic deps, which is enough to avoid unnecessary linkage.
* ulogd: display stack during configurationEric Leblond2013-04-201-1/+1
|
* Revert "ulogd: close logfile description in the exit path of parent process"Pablo Neira Ayuso2013-03-271-1/+0
| | | | | | | This reverts commit 3179bd4de89de7c2388849f5bc48e8f5aad9e5b9. Pointing to the wrong place. This is not the file descriptor that ulogd is leaking.
* ulogd: close logfile description in the exit path of parent processPablo Neira Ayuso2013-03-261-0/+1
| | | | | | | | | | | | | | | Joan Touzet reported that file descriptor 3 was not ever closed in the exit path of the parent process: open("ulogd.conf", O_RDONLY) = 3 That corresponds to the the file descriptor that was used to parse the configuration file was not closed. This closes: http://bugzilla.netfilter.org/show_bug.cgi?id=793 Reported-by: Joan Touzet <joant@cloudant.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ulogd: change verbosity of a messageEric Leblond2013-03-201-1/+1
| | | | | The "registering plugin" message is not really useful as the message is really explicit if a plugin is missing.
* nfct: use timestamp of conntrack object.Eric Leblond2013-03-051-10/+32
| | | | | | | If conntrack object sent by connection tracking system is containing a timestamp we use it instead of a gettimeofday() based counter. Signed-off-by: Eric Leblond <eric@regit.org>
* Prepare release number to 2.0.2ulogd-2.0.2Eric Leblond2013-02-252-125/+1
| | | | | Update release number and delete Changes file because we can use git changelog fot that.
* Update READMEEric Leblond2013-02-251-56/+63
| | | | Get rid of ULOG only documentation and adds some new stuffs.
* Update man page.Eric Leblond2013-02-251-7/+14
|