| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds an IPFIX output plugin to ulogd2. It generates NetFlow/IPFIX
traces and sends them to a remote server (collector) via TCP or UDP.
Based on original work by Holger Eitzenberger <holger@eitzenberger.org>.
How to test this
----------------
I am currently testing this with the NFCT input and Wireshark.
Place the following in ulogd.conf:
# this will print all flows on screen
loglevel=1
# load NFCT and IPFIX plugins
plugin="/lib/ulogd/ulogd_inpflow_NFCT.so"
plugin="/lib/ulogd/ulogd_output_IPFIX.so"
stack=ct1:NFCT,ipfix1:IPFIX
[ct1]
netlink_socket_buffer_size=217088
netlink_socket_buffer_maxsize=1085440
accept_proto_filter=tcp,sctp
[ipfix1]
oid=1
host="127.0.0.1"
#port=4739
#send_template="once"
I am currently testing it by launching a plain NetCat listener on port
4739 (the default for IPFIX) and then running Wireshark and see that it
dissects the IPFIX/NetFlow traffic correctly (obviously this relies on
the Wireshark NetFlow dissector being correct).
First:
nc -vvvv -l 127.0.0.1 4739
Then:
sudo ulogd -vc ulogd.conf
Signed-off-by: Ander Juaristi <a@juaristi.eus>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This new configuration behaviour option eases a bit the configuration of ulogd2
by allowing to load all plugins in one go, without having to know their full
path.
Choosing concrete plugins and using full path for them is great for some
environmnets, but I don't think it's a common case. The common case is to
load all plugins, even ignoring where do they live in the filesystem.
Even worse, the full path may be architecture-dependant, which makes copying
the ulogd.conf file between machines unnecesarily complex.
To experiment this new behaviour, don't put any 'plugin=' directive in the
config file. Plugins will be loaded from a default directory, choosen at
build/configure time (--with-ulogd2libdir). If no specified, this is something
like '/usr/local/lib/ulogd/'.
This new configuration option doesn't implement any special logic. We simply
open the dir and try to load all files ending with '.so'.
The log message level for plugins loading is increased so users can see by
default which plugins are loaded.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This option will be needed for future version of automake.
Signed-off-by: Eric Leblond <eric@regit.org>
|
|
|
|
|
| |
In some cases you may not want to build a certain output plugin, even
if the headers/libraries actually exist on the build host.
|
|
|
|
| |
Without that --disable-FEATURE is not working correctly.
|
|
|
|
|
| |
ULOG target is removed from kernel so we can prepare the removal
of the plugin for ulogd. For now, we just add a configure flag.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This fixes compilation if you use a Linux kernel >= 3.17. This problem
occurs since ULOG was removed from mainstream:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7200135bc1e61f1437dc326ae2ef2f310c50b4eb
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=986
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Eric Leblond <eric@regit.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces a new JSON output plugin. This
patch displays CIM field name instead of ulogd key valu
if this CIM field is available.
The module does not display binary address but uses the
string version of them. So a complete stack is for example:
stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,json1:JSON
If boolean_label is set to 1, then the numeric_label put on packet
by the input plugin is coding the decision on packet. If 0, then
packet has been blocked and if non null it has been accepted.
|
|
|
|
|
|
|
|
|
| |
Some uClibc-based toolchains lack threading support, so use
AC_SEARCH_LIB instead of AC_CHECK_LIB to check for libpthread
availability and link conditionally if found since it's only used for
the database backends.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
|
|
|
|
| |
Signed-off-by: Eric Leblond <eric@regit.org>
|
|
|
|
|
|
| |
In case nfacct is not enabled in ulogd2, libmnl is not used. So it shouldn't
be a hard global dependency, but instead only a dependency in case nfacct is
enabled.
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds an optional ring buffer option which modify
the way database queries are made. The main thread is only handling
kernel message reading and query formatting. The SQL request is made
in a separate dedicated thread.
The idea is to try to avoid buffer overrun by minimizing the time
requested to treat kernel message. Doing synchronous SQL request, as
it was made before was causing a delay which could cause some messages
to be lost in case of burst from kernel side.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ulogd has automagic deps for several output plugins right now, namely dbi,
pcap and sqlite3. These plugins are built if the appropriate libs are present
on user's system. While this situation is fine with binary distros it is not OK
on source-based ones such as Gentoo.
The problem arises when such a program links against libs without user's
request and libs are later removed from system which leaves program in a
broken state.
This patch is modifying configure.ac which we apply in our package and which
fixes mentioned issue. It adds 3 new configure options: --
without-{dbi,pcap.sqlite}. I would like to emphasize that this patch doesn't
change default behaviour of configure script at all, so all other distros won't
suffer. We simply add options to explicitly disable any attempts to try and
detect libs for automagic deps, which is enough to avoid unnecessary linkage.
|
|
|
|
|
| |
Update release number and delete Changes file because we can use
git changelog fot that.
|
|
|
|
|
|
|
|
|
| |
/usr/share/automake-1.12/am/ltlibrary.am: warning:
'ulogd_output_SQLITE3.la': linking libtool libraries using a non-POSIX
archiver requires 'AM_PROG_AR' in 'configure.ac'
(one for each .la)
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
|
|
|
|
| |
This patch modifies configure to display the list of plugins that
will be built.
|
| |
|
| |
|
|
|
|
|
|
| |
It is now possible to pass the --disable-nfacct flag to disable
compilation of NFACCT input plugin. Doing this the build of ulogd
is possible on system where nfacct is not available.
|
|
|
|
|
|
|
|
| |
The AM_CONDITIONAL lacks the opening bracket, hence it always evaluates
as true, even if there's no libpcap found thus causing build breakage.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
And update library dependency. Push users to upgrade to get fixes
from library releases.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
<obj><name>test</name><pkts>00000000000000000000</pkts><bytes>00000000000000000000</bytes><hour>17</hour><min>46</min><sec>47</sec><wday>6</wday><day>22</day><month>6</month><year>2012</year></obj>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Bump library version requirement to relatively recent releases of
all libraries (ie. 1.0.0 release).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
pcap is not found reliably by either --with-pcap=%_prefix or
--with-pcap-lib=%_libdir --with-pcap-inc=%_includedir.
If you have any special paths, just use
./configure CPPFLAGS="-I/my/pcap" LDFLAGS="-L/my/pcap"
(And -lpcap is already known so no need to specify that.)
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
|
|
|
|
|
| |
This patch adds the nfacct plugin.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
| |
|
|
|
|
|
| |
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
With pkg-config variables, even a non-installed sqlite3 can be
configured easily.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Modules - since they are dependent on the executable - generally go to
libexec/.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
The variable contains global libraries linked into every possible
object, which is unwanted. Clean up things.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
PKG_CHECK_MODULES already produces its own (and more verbose) messsage
when a module cannot be found.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
| |
We must not override CFLAGS, because that will break when the user
overrides CFLAGS again at make time (which he is entitled to). So,
name our CFLAGS regular_CFLAGS, and also include that across all
Makefiles so that they are actually uesd for all the code.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Some constructs in there are old-fashioned. Replace them by their
modern counterparts.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|