summaryrefslogtreecommitdiffstats
path: root/include
Commit message (Collapse)AuthorAgeFilesLines
* IPFIX: Introduce template record supportAnder Juaristi2019-04-301-0/+1
| | | | | | | | | | | | | | | | | | | | This commit adds the ability to send template records to the remote collector. In addition, it also introduces a new configuration parameter 'send_template', which tells when template records should be sent. It accepts the following string values: - "once": Send the template record only the first time (might be coalesced with data records). - "always": Send the template record always, with every data record that is sent to the collector (multiple data records might be sent together). - "never": Assume the collector knows the schema already. Do not send template records. If omitted, the default value for 'send_template' is "once". Signed-off-by: Ander Juaristi <a@juaristi.eus> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* IPFIX: Add IPFIX output pluginAnder Juaristi2019-04-301-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds an IPFIX output plugin to ulogd2. It generates NetFlow/IPFIX traces and sends them to a remote server (collector) via TCP or UDP. Based on original work by Holger Eitzenberger <holger@eitzenberger.org>. How to test this ---------------- I am currently testing this with the NFCT input and Wireshark. Place the following in ulogd.conf: # this will print all flows on screen loglevel=1 # load NFCT and IPFIX plugins plugin="/lib/ulogd/ulogd_inpflow_NFCT.so" plugin="/lib/ulogd/ulogd_output_IPFIX.so" stack=ct1:NFCT,ipfix1:IPFIX [ct1] netlink_socket_buffer_size=217088 netlink_socket_buffer_maxsize=1085440 accept_proto_filter=tcp,sctp [ipfix1] oid=1 host="127.0.0.1" #port=4739 #send_template="once" I am currently testing it by launching a plain NetCat listener on port 4739 (the default for IPFIX) and then running Wireshark and see that it dissects the IPFIX/NetFlow traffic correctly (obviously this relies on the Wireshark NetFlow dissector being correct). First: nc -vvvv -l 127.0.0.1 4739 Then: sudo ulogd -vc ulogd.conf Signed-off-by: Ander Juaristi <a@juaristi.eus> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Use stdint types everywhereFelix Janda2015-06-265-49/+52
| | | | Signed-off-by: Felix Janda <felix.janda@posteo.de>
* Sync with kernel headersFelix Janda2015-06-231-10/+18
| | | | Signed-off-by: Felix Janda <felix.janda@posteo.de>
* include: keep a copy of linux/netfilter_ipv4/ipt_ULOG.hPablo Neira Ayuso2014-11-143-2/+52
| | | | | | | | | | This fixes compilation if you use a Linux kernel >= 3.17. This problem occurs since ULOG was removed from mainstream: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7200135bc1e61f1437dc326ae2ef2f310c50b4eb Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=986 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* printpkt: oob.time.sec was not usedEric Leblond2014-03-071-1/+0
| | | | | | | This patch supresses the oob.time.sec from the input keys as this is not used when creating the string corresponding to the packet. Signed-off-by: Eric Leblond <eric@regit.org>
* store Common Information Model name in ulogd keyEric Leblond2014-01-281-0/+3
| | | | | | | | | | | | | | | | | | | This patch adds storage for CIM field name in ulogd key. This will be used by JSON output to interoperate with logging collector such as logstash or splunk. Common Information Model is an open standard that defines how managed elements in an IT environment are represented as a common set of objects and relationships between them: http://www.dmtf.org/standards/cim This seems to be mainly XML based but there is a JSON version of some aspects of the model. One of the main documentation on CIM in JSON format seems to be: http://docs.splunk.com/Documentation/PCI/2.0/DataSource/CommonInformationModelFieldReference Using the correct CIM field name allow events coming from ulogd to be correlated with events coming from other sources.
* db: set ring default size to 0Eric Leblond2014-01-251-1/+1
| | | | | | | | | As default size was non null, the ring system was activated by default. It was only possible to desactivate the ring system by setting it to ring_buffer_size to 0 in the configuration. This was not the attended behavior. This patch set it to 0 to have only explicit activation of the ring feature.
* nacct: fix format warningEric Leblond2014-01-251-0/+1
| | | | | | Some counter have been recently switch to u64. This has caused warnings relative to format string. This patch uses PRIu64 macro to fix these warnings.
* db: add ring buffer for DB queryEric Leblond2013-05-211-1/+30
| | | | | | | | | | | This patch adds an optional ring buffer option which modify the way database queries are made. The main thread is only handling kernel message reading and query formatting. The SQL request is made in a separate dedicated thread. The idea is to try to avoid buffer overrun by minimizing the time requested to treat kernel message. Doing synchronous SQL request, as it was made before was causing a delay which could cause some messages to be lost in case of burst from kernel side.
* db: use offset instead of direct pointer.Eric Leblond2013-05-211-1/+1
| | | | | Use an offset approach to get the start of values printing area. It is more generic and will be use soon.
* db: suppress field in db structureEric Leblond2013-05-211-1/+1
| | | | | The field is currently only used in a single function as a string pointer and can thus be removed from the db instance structure.
* db: store data in memory during database downtimeEric Leblond2013-05-211-5/+29
| | | | | | | This patch is adding a mechanism to store query in a backlog build in memory. This allow to store events during downtime in memory and realize the effective insertion when the database comes back. A memory cap is used to avoid any memory flooding.
* Add handling of too long line and arguments.Eric Leblond2013-02-181-0/+1
| | | | | When an argument or a line is too long, it can not be store into ulogd configuration and this must results in a error.
* Fix typo in comments.Eric Leblond2013-02-181-3/+3
|
* Fix make distcheckEric Leblond2013-01-251-1/+1
| | | | Recently introduced addr.h was missing from Makefile.am.
* Get rid of SVN tag in comment.Eric Leblond2013-01-185-6/+15
| | | | This patch also update some copyright and licence declaration.
* conf: add flag to allow option setup tuningEric Leblond2013-01-181-0/+4
| | | | | | This patch adds a flag to the config_entry structure to be able to tune setup. First usage is to ask config parser not to update a key if it has been already set.
* addr: add file containing addr utility functions.Eric Leblond2013-01-051-0/+18
|
* Add missing u64 function.Eric Leblond2012-12-211-0/+5
|
* src: fix version that -V displaysPablo Neira Ayuso2012-08-031-2/+0
| | | | | | | It was wrong, use VERSION constant which uses the version information available in configure.ac. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add ULOGD_DTYPE_SUM for nfacct-based accountingPablo Neira Ayuso2012-06-221-1/+2
| | | | | | This new type will be used in flow-up patch to support XML output. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* input: add nfacct pluginPablo Neira Ayuso2012-02-224-1/+41
| | | | | | This patch adds the nfacct plugin. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ulogd: add okey_set_u64Pablo Neira Ayuso2012-02-221-0/+6
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ulogd: fix double call of stop for reused input pluginsPablo Neira Ayuso2011-01-071-0/+2
| | | | | | | | | | | This patch adds reference counting for plugins. This is used to fix a double stop for input plugins that are reused. This problem was reported by Salih Gonullu <sag@open.ch>: http://marc.info/?l=netfilter&m=129439584700693&w=2 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* NFCT: use new hashtable implementation for better performancePablo Neira Ayuso2010-01-171-19/+15
| | | | | | | | This patch replaces the existing hashtable implementation with a newer that provide better performance since it reduces the number of hash computations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "ulogd: permit compilation of plugin outside of tree"Eric Leblond2009-04-183-4/+2
| | | | | | This reverts commit 0ff525cb0506b2c043bc9df6d7e7b486c865bc38. A stable and clean API should be provided if we choose to offer for external module capability.
* ulogd: permit compilation of plugin outside of treeEric Leblond2009-04-053-2/+4
| | | | | This patch modifies Makefile.am to install the headers needed for compilation of plugins outside of the source tree.
* ulogd: include config.h in all files.Eric Leblond2009-03-101-0/+1
| | | | | This patch adds config.h inclusion in ulogd.h to be able to use all defined value in the whole project.
* Fix crash on IPv6 packet.Eric Leblond2009-01-131-1/+4
| | | | | Incorrect definition of a IPv6 input key handling function was causing a crash in ulogd.
* Introduce config_stop() functionEric Leblond2008-12-091-0/+3
| | | | | This patch adds the config_stop function which is in charge of releasing ressources allocated for configuration file parsing.
* Unload plugins when quitting.Eric Leblond2008-12-091-0/+8
| | | | | This patch adds unloading of plugins (call dlclose()) in ulogd2. This make valgrind happy and will be useful for daemon live reconfiguration.
* SCTP support for PRINTPKT.Eric Leblond2008-12-091-0/+2
| | | | | | This patch modifies PRINTPKT plugin to add SCTP support. Signed-off-by: Eric Leblond <eric@inl.fr>
* add ukey_* function for key assignationPablo Neira Ayuso2008-12-091-1/+59
| | | | | | | | | This patch cleans up the current key assignation by introducing a set of functions ukey_* to set the key value as Eric Leblond and we discussed during the latest Netfilter Workshop. This patch is based on an idea from Holger Eitzenberger. Signed-off-by: Eric Leblond <eric@inl.fr>
* distrib: fix distcheck magiculogd-2.0.0beta2Pablo Neira Ayuso2008-08-151-1/+1
| | | | | | This patch fixes the `make distcheck' magic Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cleanup: remove unused timeout parameter in functionEric Leblond2008-07-311-1/+1
| | | | | | | | The function ipulog_read had a timeout parameter which was not used in the code. Signed-off-by: Eric Leblond <eric@inl.fr> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cleanup for key builder and fix IPv6 support and introduce 128-bits typePablo Neira Ayuso2008-06-021-0/+14
| | | | | | This patch cleans up the key building by breaking lines at 80 columns and it fixes the IPv6 support (use of a pointer after free) by introducing a new 128 bit type.
* rework NFCT to use a generic hashtablePablo Neira Ayuso2008-06-023-0/+234
| | | | | | | | This patch introduces a generic hashtable to store the nf_conntrack objects. The objects are identified by the original and reply tuples instead of the conntrack ID which is not dumped in the event message of linux kernel < 2.6.25. This patch also fixes the NFCT_MSG_* by NFCT_T_* which is the appropriate message type tag.
* Print GID/MARK in printpkt.c/C=EU/ST=EU/CN=Patrick McHardy/emailAddress=kaber@trash.net2008-04-211-0/+2
|
* This patch suppress a now unused option. Each database module/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-071-8/+3
| | | | | | have now to be used with a defined IP storage type. Signed-off-by: Eric Leblond <eric@inl.fr>
* This patch fixes a problem in SQL reconnection algorithm which is managed in/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-051-0/+2
| | | | | | | | | | | | | | the db.c file for PgSQL and MySQL. In case of problem during request execution a new connection to the database was immediatly started without closing the previous one. The consequence was to block the database by having too much simultaneous open connections. This patch fixes the problem by disconnectinng from the database after a request failure and trying to reconnect after a delay which is by default of 2 secondes. This delay can be customized via the reconnect configuration variable in the database configuration section. Signed-off-by: Eric Leblond <eric@inl.fr>
* This patch adds support of event type display in printflow filter. This is used/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-03-261-1/+1
| | | | | | | | | | to display event type in textual output modules. Here's an output example: [DESTROY] ORIG: SRC=192.168.1.2 DST=192.168.1.255 PROTO=UDP SPT=631 DPT=631 \\ PKTS=1 BYTES=197 , REPLY: SRC=192.168.1.255 DST=192.168.1.2 \\ PROTO=UDP SPT=631 DPT=631 PKTS=0 BYTES=0 Signed-off-by: Eric Leblond <eric@inl.fr>
* This patch adds plist a linked list to the pluginstance/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-03-251-0/+2
| | | | | | | | structure. It can be used by input modules to duplicate an entry. This solves the issue of not being able to use the same plugin instance twice. Signed-off-by: Eric Leblond <eric@inl.fr>
* IP2BIN filter convert IP address from host storage to a "binary" string which/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-03-251-0/+1
| | | | | | | | | | | can be use by MySQL. This is not strictly speaking raw data but it was of type RAW. Following remark from Hugo Mildenberger, I introduce in this patch a dedicated type ULOGD_RET_RAWSTR. The main reason not to use a ULOGD_RET_STRING parameter is that the paramater is not human readable. Signed-off-by: Eric Leblond <eric@inl.fr>
* add missing timer.h/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-02-221-0/+26
|
* - implement a synchronous timer framework/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-02-193-12/+163
| | | | - fix crash when enabling pollinterval clause in flow-based accounting
* This patch adds support for AF_BRIDGE to the PRINTPKT plugin, which allows ↵/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-02-191-0/+8
| | | | | | to form log lines for packets coming from ebtables. Currently it supports IPv4, IPv6 and ARP. Signed-off-by: Peter Warasin <peter@endian.com>
* From: Eric Leblond <eric@inl.fr>/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-02-091-0/+1
| | | | Add UID display to PRINTPKT filter.
* From: Eric Leblond <eric@inl.fr>/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-02-091-0/+5
| | | | | | | Some macros were defined several time. This was the case of GET_VALUE, pp_is_valid. This patch puts the definition in ulogd.h and fixes the definition of pp_is_valid which was wrong (causing segfault by acessing to fields at NULL).
* From: Eric leblond <eric@inl.fr>/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-02-031-2/+0
| | | | | - This patch suppress key relative to IPv6 address because IPv4 and IPv6 can be stored in the same key. - Add missing IP2STR line to ulogd.conf.in