Commit message | Author | Age | Files | Lines
* ulogd: json: send messages to a remote host / unix socket | Andreas Jaggi | 2018-06-01 | 1 | -0/+11
    Extend the JSON output plugin so that the generated JSON stream can be sent to a remote host via TCP/UDP or to a local unix socket.
    Signed-off-by: Andreas Jaggi <>
    Signed-off-by: Pablo Neira Ayuso <>
* ulogd: load all plugins by default | Arturo Borrero Gonzalez | 2018-01-08 | 1 | -16/+17
    This new configuration behaviour option eases the configuration of ulogd2 a bit by allowing all plugins to be loaded in one go, without having to know their full path. Choosing concrete plugins and using the full path for them is great for some environments, but I don't think it's a common case. The common case is to load all plugins, even ignoring where they live in the filesystem. Even worse, the full path may be architecture-dependent, which makes copying the ulogd.conf file between machines unnecessarily complex.
    To experiment with this new behaviour, don't put any 'plugin=' directive in the config file. Plugins will be loaded from a default directory, chosen at build/configure time (--with-ulogd2libdir). If not specified, this is something like '/usr/local/lib/ulogd/'.
    This new configuration option doesn't implement any special logic. We simply open the dir and try to load all files ending with '.so'. The log message level for plugin loading is increased so users can see by default which plugins are loaded.
    Signed-off-by: Arturo Borrero Gonzalez <>
    Signed-off-by: Pablo Neira Ayuso <>
* ulogd.conf: fix incorrect stack | Eric Leblond | 2017-03-21 | 1 | -1/+1
    The stack was not correctly defined, triggering an error on type conflict.
    Signed-off-by: Eric Leblond <>
* sqlite3: Remove unused "buffer" option. | Alex Xu | 2016-01-19 | 1 | -2/+0
    This option was left behind when the code was rewritten and is no longer functional or useful. Remove it entirely.
    Signed-off-by: Alex Xu (Hello71) <>
* json: output messages in JSONv1 format | Vincent Bernat | 2015-10-02 | 1 | -0/+3
    While Logstash is quite flexible in the JSON messages received, the canonical format it "expects" is the JSON Event v1 format. The timestamp should be keyed by `@timestamp` and there should be a `@version` key whose value is 1. All other keys are free. There is no formal specification of this format. It is however described here:
    It's useful to respect this format as it allows a user to use a less capable receiver. The new format is enabled only when `eventv1=1` is set in plugin configuration.
    Signed-off-by: Vincent Bernat <>
* json: introduce new JSON output plugin | Eric Leblond | 2014-01-28 | 1 | -0/+15
    This patch introduces a new JSON output plugin. This patch displays the CIM field name instead of the ulogd key value if this CIM field is available. The module does not display binary addresses but uses the string version of them. So a complete stack is for example:
    stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,json1:JSON
    If boolean_label is set to 1, then the numeric_label put on the packet by the input plugin encodes the decision on the packet. If 0, then the packet has been blocked, and if non-null it has been accepted.
* ulogd.conf: add missing quote. | Eric Leblond | 2013-10-10 | 1 | -1/+1
    The pcap file variable was not quoted. This was confusing, as the correct file was not opened if the user uncommented the variable.
    Signed-off-by: Eric Leblond <>
* pgsql: add var to specify arbitrary conn params | Eric Leblond | 2013-06-08 | 1 | -0/+6
    This patch adds a configuration variable for PostgreSQL output. Named connstring, it stores the character string that will be used to connect to the PostgreSQL server. This allows the user to use all available options, like TLS parameters for example.
    Signed-off-by: Eric Leblond <>
* db: add ring buffer for DB query | Eric Leblond | 2013-05-21 | 1 | -0/+4
    This patch adds an optional ring buffer option which modifies the way database queries are made. The main thread only handles kernel message reading and query formatting. The SQL request is made in a separate dedicated thread. The idea is to try to avoid buffer overruns by minimizing the time required to treat kernel messages. Doing synchronous SQL requests, as was done before, was causing a delay which could cause some messages to be lost in case of a burst from the kernel side.
* db: store data in memory during database downtime | Eric Leblond | 2013-05-21 | 1 | -0/+9
    This patch adds a mechanism to store queries in a backlog built in memory. This allows events to be stored in memory during downtime and the effective insertion to be performed when the database comes back. A memory cap is used to avoid any memory flooding.
* Get rid of SVN tag in comment. | Eric Leblond | 2013-01-18 | 1 | -1/+0
    This patch also updates some copyright and licence declarations.
* Add -l option to set log level from command line | Eric Leblond | 2013-01-18 | 1 | -2/+2
    This patch adds a '-l' option which can be used to set up the ulogd loglevel. The command line option takes precedence over the configuration file one.
* nfct: add protocol filter | Eric Leblond | 2013-01-05 | 1 | -0/+1
    This patch adds a new configuration variable which is used to limit conntrack events to connections of the listed protocols. For example:
    accept_proto_filter=tcp,sctp
* nfct: implement src and dst filter | Eric Leblond | 2013-01-05 | 1 | -0/+4
    This patch implements two filtering options in the NFCT input plugin. If 'accept_src_filter' is set to a network, it will only catch the events where the source is that specific network. 'accept_dst_filter' does the same for the destination.
* Add GRAPHITE output module. | Eric Leblond | 2012-12-27 | 1 | -0/+10
    Graphite is a web application which provides real-time visualization and storage of numeric time-series data. This patch adds a module named GRAPHITE which sends NFACCT accounting data to a graphite server.
* Handle postgresql schemas correctly | Bob Hockney | 2012-12-19 | 1 | -0/+4
    Add 'schema' variable to look into the corresponding schema.
* ulogd.conf: slightly expand documentation on zerocounter option for nfacct | Pablo Neira Ayuso | 2012-08-03 | 1 | -1/+1
    Signed-off-by: Pablo Neira Ayuso <>
* nfacct: add timestamp option | Eric Leblond | 2012-08-03 | 1 | -0/+3
    This patch adds a timestamp option to the nfacct plugin. If activated, nfacct outputs a timestamp which is computed just after sending the nfacct request.
    Signed-off-by: Eric Leblond <>
    Signed-off-by: Pablo Neira Ayuso <>
* pgsql schema: add nfacct table | Eric Leblond | 2012-08-03 | 1 | -0/+8
    This patch adds an nfacct table to the postgresql schema. It enables the storage of all counters at each poll.
    Signed-off-by: Eric Leblond <>
    Signed-off-by: Pablo Neira Ayuso <>
* nfacct: add variable to not zero counter after read | Eric Leblond | 2012-08-03 | 1 | -0/+2
    The default nfacct input plugin zeroes counters after each read. This is a limitation, as other software can't use the counters at the same time as ulogd2. This patch adds the zerocounter variable to the NFACCT input plugin. If set to zero, the counters are not zeroed.
    Signed-off-by: Eric Leblond <>
    Signed-off-by: Pablo Neira Ayuso <>
* output: XML: support for NFACCT input plugin | Pablo Neira Ayuso | 2012-06-22 | 1 | -0/+3
    This patch extends the XML plugin to support NFACCT. You can use the following line in ulogd.conf to test it:
    stack=acct1:NFACCT,xml1:XML
    Signed-off-by: Pablo Neira Ayuso <>
* build: use pkglibdir instead of pkglibexecdir for automake | Björn Lässig | 2012-05-18 | 1 | -24/+24
    This fixes the following problem while running `autoreconf -fi`:
    `pkglibexecdir' is not a legitimate directory for `LTLIBRARIES'
    variable `ulogd_filter_PRINTPKT_la_SOURCES' is defined but no program or library has `ulogd_filter_PRINTPKT_la' as canonical name (possible typo)
    Signed-off-by: Björn Lässig <>
    Signed-off-by: Pablo Neira Ayuso <>
* NFCT: add `reliable' config option to enable reliable flow-based logging | Pablo Neira Ayuso | 2012-03-05 | 1 | -0/+1
    Reliability comes at the cost of dropping new flows if the destroy event that ctnetlink delivers to us is lost. Under heavy stress this may imply dropping packets, you've been warned. If you do not want to lose a single piece of flow-logging information, enable this.
    Signed-off-by: Pablo Neira Ayuso <>
* src: add example use of GPRINT to configuration file | Pablo Neira Ayuso | 2012-02-22 | 1 | -3/+5
    Example of how this displays one conntrack:
    timestamp=2012/02/22-13:16:54,orig.ip.saddr=,orig.ip.daddr=,orig.ip.protocol=6,,orig.l4.dport=80,orig.raw.pktlen=1206,orig.raw.pktcount=4,reply.ip.saddr=,reply.ip.daddr=,reply.ip.protocol=6,,reply.l4.dport=58221,reply.raw.pktlen=1104,reply.raw.pktcount=3,ct.mark=0,,ct.event=4,flow.end.sec=1329913014,flow.end.usec=413771,,oob.protocol=0
    and one NFLOG line looks like this:
    timestamp=2012/02/22-13:21:24,raw.pktlen=40,raw.pktcount=1,oob.prefix=test,oob.time.sec=1329913284,oob.time.usec=226795,oob.mark=0,oob.ifindex_in=3,oob.hook=1,raw.mac_len=14,,oob.protocol=2048,raw.label=0,raw.type=1,raw.mac.addrlen=6
    People that like parsing comma-separated key-value files will like this.
    Signed-off-by: Pablo Neira Ayuso <>
* input: add nfacct plugin | Pablo Neira Ayuso | 2012-02-22 | 1 | -0/+7
    This patch adds the nfacct plugin.
    Signed-off-by: Pablo Neira Ayuso <>
* output: add GPRINT plugin | Pablo Neira Ayuso | 2012-02-22 | 1 | -0/+6
    This patch adds GPRINT, which is a generalization of OPRINT. It displays the set of key-values separated by commas. This is the generic print that you can attach to whatever kind of input plugin.
    Signed-off-by: Pablo Neira Ayuso <>
* A simple filter plugin called IP2HBIN added | Jozsef Kadlecsik | 2012-01-16 | 1 | -0/+1
    The plugin converts the IPv4 addresses to host order for databases like MySQL. The expected names of the table fields are ip.hsaddr, ip.hdaddr, etc.
    Signed-off-by: Jozsef Kadlecsik <>
* pcap: add file option to configuration file | Eric Leblond | 2011-09-01 | 1 | -0/+2
    Signed-off-by: Eric Leblond <>
    Signed-off-by: Pablo Neira Ayuso <>
* sqlite3: add configuration examples and new tables layout | Pablo Neira Ayuso | 2011-02-25 | 1 | -0/+16
    This patch adds two configuration examples for sqlite3 to log flows and packets. We use two tables, one for packet logging information, and another for flow-based information.
    Signed-off-by: Pablo Neira Ayuso <>
* config: add file option for NACCT plugin to the example config file | Pablo Neira Ayuso | 2011-02-24 | 1 | -0/+1
    Signed-off-by: Pablo Neira Ayuso <>
* build: use appropriate location for program modules | Jan Engelhardt | 2011-02-01 | 1 | -21/+21
    Modules - since they are dependent on the executable - generally go to libexec/.
    Signed-off-by: Jan Engelhardt <>
* Add new input plugin UNIXSOCK | Pierre Chifflier | 2010-10-23 | 1 | -0/+7
    This input plugin creates a unix socket which can be used to log packets. Scripts or applications can connect to the socket (only one client allowed per socket) and send data in a Key-Length-Value format (including the payload).
    Signed-off-by: Pierre Chifflier <>
* ulogd.conf: fix mysql definition for NFCT | Eric Leblond | 2010-09-22 | 1 | -1/+1
    The Mysql definition for NFCT usage was not correct.
* output: add new plugin XML to output logs in XML | Pablo Neira Ayuso | 2010-06-17 | 1 | -0/+11
    This patch adds XML, which allows logging information in XML for ulogd2. It supports packet and flow-based accounting.
    Signed-off-by: Pablo Neira Ayuso <>
* NFCT: change `pollinterval' behaviour | Pablo Neira Ayuso | 2010-01-17 | 1 | -0/+1
    This patch adds support for poll-based logging. Basically, ulogd polls from the kernel periodically to log entries. You can use the `pollinterval' option in the configuration file to set the polling period.
    This patch changes the current behaviour of `pollinterval', which allowed mixing event-driven logging with polling the kernel periodically. I have tried to look for anyone on google (and asked Eric Leblond) using this feature but I found no one.
    Signed-off-by: Pablo Neira Ayuso <>
* NFCT: add configurable option to set the value of the resynchronization timer | Pablo Neira Ayuso | 2009-07-22 | 1 | -0/+1
    This patch adds `netlink_resync_timeout', which allows you to set the number of seconds that we wait to perform a resynchronization due to a netlink overrun. This patch changes the default timeout from 2 to 60 seconds (less aggressive).
    Signed-off-by: Pablo Neira Ayuso <>
* nflog: adjust unit which was inaccurate. | Eric Leblond | 2009-03-06 | 1 | -2/+2
    The timeout unit is 10ms and not 1ms. This patch fixes an invalid comment in the configuration file.
* Add threshold and timeout option to NFLOG plugin. | Eric Leblond | 2009-01-29 | 1 | -0/+4
    This patch adds support for setting the NFLOG threshold and timeout from ulogd.
* fix config file: MAC2STR has been renamed to HWHDR. | Eric Leblond | 2009-01-13 | 1 | -2/+2
    This patch replaces all MAC2STR occurrences by HWHDR to sync with the renaming of the plugin.
* Add variable to force binding of nfnetlink_log. | Eric Leblond | 2009-01-05 | 1 | -0/+6
    This patch updates the behaviour of the NFLOG input plugin to fix an issue related to kernels older than 2.6.29. The call to nflog_bind_pf(), which can be necessary to receive packets from nfnetlink_log, was only done if the used group was 0 (system logging). This is logical for the newest kernels (NFLOG really sends messages to nfnetlink_log and not to the nf_log logger), but it is insufficient for older ones. By forcing the binding with the new configuration variable bind, it is now possible to trigger the binding from the ulogd2 configuration file. This gives users a way to be sure that ulogd will receive packets if the NFLOG input plugin is used.
* Document group 0 usage and suppress address_family | Eric Leblond | 2008-12-09 | 1 | -17/+20
    Document the fact that group 0 is used by system logging and update the stack and plugin definitions to match the suppression of the address_family variable.
    Signed-off-by: Eric Leblond <>
* Add new output plugin DBI | Pierre Chifflier | 2008-12-09 | 1 | -0/+10
    libdbi implements a database-independent abstraction layer in C, similar to the DBI/DBD layer in Perl. This module brings support for all database types supported by libdbi.
    Signed-off-by: Pierre Chifflier <>
    Signed-off-by: Eric Leblond <>
* hwhdr: finish missing renaming | Pierre Chifflier | 2008-10-20 | 1 | -1/+1
    MAC2STR has been renamed to HWHDR.
    Signed-off-by: Pierre Chifflier <>
    Signed-off-by: Pablo Neira Ayuso <>
* config: remove obsolete global variables | Eric Leblond | 2008-09-12 | 1 | -7/+0
    The 'rmem' and 'bufsize' global variables are inherited from ulogd1 and are not used anymore. This patch removes them from the example configuration file.
    Signed-off-by: Eric Leblond <>
    Signed-off-by: Pablo Neira Ayuso <>
* Update configfile for MARK module | Eric Leblond | 2008-06-12 | 1 | -1/+8
    Add a stack example for MARK and update some wrong stacks.
    Signed-off-by: Eric Leblond <>
* adds some examples to the configuration file | Eric Leblond | 2008-06-02 | 1 | -0/+36
* improve overrun handling NFLOG | Pablo Neira Ayuso | 2008-06-02 | 1 | -0/+2
    This patch improves the overrun handling. The NFLOG plugin duplicates the netlink buffer size if the size does not go beyond the upper boundary. This patch also introduces two new clauses, netlink_socket_buffer_size and netlink_socket_buffer_maxsize, that set the size of the netlink socket buffer.
* improve netlink overrun handling of NFCT | Pablo Neira Ayuso | 2008-06-02 | 1 | -0/+2
    This patch improves the overrun handling. The logic behind this patch consists of two steps:
    1) duplicate the netlink buffer size if the size does not go beyond the upper boundary.
    2) schedule a resynchronization (in two seconds) with the kernel conntrack table if we hit ENOBUFS. During the resynchronization, the NFCT plugin dumps the current table and purges the objects that do not exist anymore.
    This patch also introduces two new clauses, netlink_socket_buffer_size and netlink_socket_buffer_maxsize, that set the size of the netlink socket buffer.
* This patchset adds support for the "numeric_label" option. For instance, it | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-29 | 1 | -0/+2
    can be used to determine if the packet has been dropped, rejected or accepted. The meaning of the label is completely user-defined.
    Signed-off-by: Eric Leblond <>
* example for logging IPv6 packet to PGsql after a collect via NFLOG | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-13 | 1 | -1/+2
    Signed-off-by: Anton Vazir <>