| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch adds a timestamp option to the nfacct plugin.
If activated, nfacct output a timestamp which is computed just
after sending the nfacct request.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch adds a nfacct table to the postgresql schema. It enables
the storage of all counters at each poll.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The default nfacct input plugin zeroes counter after each read. This
is a limitation as other software can't use the counter at the same
time as ulogd2.
This patch adds the zerocounter variable to the NFACCT input plugin.
If set to zero, the counters are not zeroed.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch extends XML plugin to support NFACCT. You can use
the following line in ulogd.conf to test it:
stack=acct1:NFACCT,xml1:XML
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This fixes the following problem while running `autoreconf -fi`
`pkglibexecdir' is not a legitimate directory for `LTLIBRARIES'
variable `ulogd_filter_PRINTPKT_la_SOURCES' is defined but no program or
library has `ulogd_filter_PRINTPKT_la' as canonical name (possible typo)
Signed-off-by: Björn Lässig <laessig@bitformer.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Reliability comes at the cost of dropping new flows if the
destroy event that ctnetlink delivers to us is lost. Under
heavy stress this may imply dropping packets, you've been
warned.
If you do want not to lose one single flow-logging information,
enable this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Example on how this display one conntrack:
timestamp=2012/02/22-13:16:54,orig.ip.saddr=192.168.1.129,orig.ip.daddr=173.194.34.235,orig.ip.protocol=6,orig.l4.sport=58221,orig.l4.dport=80,orig.raw.pktlen=1206,orig.raw.pktcount=4,reply.ip.saddr=173.194.34.235,reply.ip.daddr=192.168.1.129,reply.ip.protocol=6,reply.l4.sport=80,reply.l4.dport=58221,reply.raw.pktlen=1104,reply.raw.pktcount=3,ct.mark=0,ct.id=846180008,ct.event=4,flow.end.sec=1329913014,flow.end.usec=413771,oob.family=2,oob.protocol=0
and one NFLOG line look like this
timestamp=2012/02/22-13:21:24,raw.pktlen=40,raw.pktcount=1,oob.prefix=test,oob.time.sec=1329913284,oob.time.usec=226795,oob.mark=0,oob.ifindex_in=3,oob.hook=1,raw.mac_len=14,oob.family=2,oob.protocol=2048,raw.label=0,raw.type=1,raw.mac.addrlen=6
People that like parsing comma-separated key-value files will
like this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch adds the nfacct plugin.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This patch adds GPRINT which is a generalization of OPRINT.
It display the set of key-values separated by commas. This is
the generic print that you can attach to whatever kind of
input plugin.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The plugin converts the IPv4 addresses to host order for databases
like MySQL. The expected name of the table fields are ip.hsaddr,
ip.hdaddr, etc.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
| |
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
|
| |
|
|
|
|
|
|
|
|
| |
This patch adds two configuration examples for sqlite3 to log
flows and packets.
We use two tables, one for packet logging information, and
another for flow-based information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Modules - since they are dependent on the executable - generally go to
libexec/.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
|
|
|
| |
This input plugins creates a unix socket which can be used to log packets.
Scripts or applications can connect to the socket (only one client allowed
per socket) and send data in a Key-Length-Value format (including the
payload).
Signed-off-by: Pierre Chifflier <chifflier@edenwall.com>
|
| |
|
|
| |
Mysql definition for NFCT usage was not correct.
|
| |
|
|
|
|
|
| |
This patch adds XML that allows to log information in XML for
ulogd2. It supports packet and flow-based accounting.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for poll-based logging. Basically,
ulogd polls from the kernel periodically to log entries. You
can use the `pollinterval' option in the configuration file to
set the polling period.
This patch changes the current behaviour of `pollinterval'
that allowed to mix both the event-driven logging with
polling periodically from the kernel. I have tried to look
for anyone in google (and asking Eric Leblond) using this
feature but I found noone.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch adds `netlink_resync_timeout' that allows you to set
the number of seconds that we wait to perform a resynchronization
due to a netlink overrun. This patch changes the default timeout
from 2 to 60 seconds (less agressive).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Timeout unit is 10ms and not 1ms. This patch fixes an invalid comment
in the configuration file.
|
| |
|
|
|
| |
This patch adds support for setting NFLOG threshold and timeout
from ulogd.
|
| |
|
|
|
| |
This patch replaces all MAC2STR occurences by HWHDR to sync with the
renaming of the plugin.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch updates the behaviour of the NFLOG input plugin to fix an
issue related to kernel older than 2.6.29. The call to nflog_bind_pf()
that can be necessary to receive packet from the nfnetlink_log was only
done if the used group was 0 (system logging). This is logic for the
newest kernel (NFLOG really sends message to nfnetlink_log and not to
the nf_log logger). But this is unsufficient for older one. By forcing
the binding with the new configuration variable bind, it is now possible
to trigger the binding from the ulogd2 configuration file. This gives
users a way to be sure that ulogd will receive packets if the NFLOG
input plugin is used.
|
| |
|
|
|
|
|
|
| |
Document the fact that group 0 is used by system logging and
update stack and plugin definition to match the suppression
of the address_family variable.
Signed-off-by: Eric Leblond <eric@inl.fr>
|
| |
|
|
|
|
|
|
|
| |
libdbi implements a database-independent abstraction layer in C, similar to
the DBI/DBD layer in Perl.
This module brings support for all database types supported by libdbi.
Signed-off-by: Pierre Chifflier <chifflier@inl.fr>
Signed-off-by: Eric Leblond <eric@inl.fr>
|
| |
|
|
|
|
|
| |
MAC2STR has been renamed to HWHDR.
Signed-off-by: Pierre Chifflier <chifflier@inl.fr>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
'rmem' and 'bufsize' global variables are unherited from ulogd1
and are not used anymore. This patch suppresses them from the
example configuration file.
Signed-off-by: Eric Leblond <eric@inl.fr>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Add stack example for MARK and update some wrong stacks.
Signed-off-by: Eric Leblond <eric@inl.fr>
|
| | |
|
| |
|
|
|
|
|
|
| |
This patch improves the overrun handling. The NFLOG plugin duplicates the
netlink buffer size if the size does not goes after the upper boundary.
This patch also introduces two new clauses, the netlink_socket_buffer_size
and netlink_socket_buffer_maxsize that set the size of the netlink socket
buffer.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch improves the overrun handling. The logic behind this patch
consists of two steps:
1) duplicate the netlink buffer size if the size does not goes after the
upper boundary.
2) scheduling a resynchronization (in two seconds) with the kernel conntrack
table if we hit ENOBUFS. During the resynchronization, the NFCT plugin dumps
the current table and purges the objects that do not exist anymore.
This patch also introduces two new clauses, the netlink_socket_buffer_size
and netlink_socket_buffer_maxsize that set the size of the netlink socket
buffer.
|
| |
|
|
|
|
|
| |
can be used to determine if the packet has been dropped, rejected or accepted.
The meaning of label is completely user-defined.
Signed-off-by: Eric Leblond <eric@inl.fr>
|
| |
|
|
| |
Signed-off-by: Anton Vazir <anton.vazir@gmail.com>
|
| |
|
|
|
|
| |
some stack to take my latest patches into account.
Signed-off-by: Eric Leblond <eric@inl.fr>
|
| |
|
|
|
|
| |
loading and stack example.
Signed-off-by: Eric Leblond <eric@inl.fr>
|
| |
|
|
|
|
| |
nflog out to LOGEMU and SYSLOG. It also fixes a config bug with ipv6 (log2)
Signed-off-by: Peter Warasin <peter@endian.com>
|
| |
|
|
| |
Document the difference between IPv4 and IPv6 logging.
|
| |
|
|
|
|
| |
This patch adds some examples of stack to the configuration file.
It also fixes some comments to avoid confusion. IP2BIN has been
added to the list of loaded modules.
|
| |
|
|
|
| |
- This patch suppress key relative to IPv6 address because IPv4 and IPv6 can be stored in the same key.
- Add missing IP2STR line to ulogd.conf.in
|
| |
|
|
|
|
|
|
|
| |
This patch adds new SQL schema for MySQL and PGsql. The goal is to improve the one line per entry format. There is no more a big table with all fields because this sort of storage is causing bad performance (databases don't like to have a lot of NULL fields to store).
Main changes are :
* Add new schema for MySQL and PGsql
* Use call to configurable procedure in SQL OUTPUT modules
* Arguments of a procedure are given by the list of fields of a selected table
|
| |
|
|
|
|
|
| |
The ULOG input plugin of ulogd2 was not working. This patch fixes this
and cleans the code via introduction of an enum.
Eric Leblond <eric@inl.fr>
|
| |
|
|
|
|
|
| |
- add a call to autoheader which is needed to compile ulogd2 from subversion.
- add a warning message to ulogd2 when it exits on error. It simply tell to look at the configuration file.
- add an empty section which is needed to have NFCT logging
working.
|
| |
|
|
| |
output is compatible with the SYSLOG and LOGEMU plugins. (Philip Craig)
|
| |
|
|
|
| |
a separate PRINTPKT plugin. This reduces code duplication, and also
makes the SYSLOG and LOGEMU plugins more general. (Philip Craig)
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
(rmem config file entry)
|
|
|
configure.. (Magnus Boden)
|
