| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Signed-off-by: Felix Janda <felix.janda@posteo.de>
|
|
|
|
|
|
|
| |
This patch supresses the oob.time.sec from the input keys as this
is not used when creating the string corresponding to the packet.
Signed-off-by: Eric Leblond <eric@regit.org>
|
|
|
|
|
|
| |
This patch improves database reconnection handling in ring buffer
mode. Ulogd now redo the failed query and do not loose anymore
one packet.
|
|
|
|
|
|
| |
Injection thread was not cancelled when a termination signal was
sent. This was causing a crash in some cases. This patch fixes this
by canceling the thread when a SIGTERM or SIGINT signal is received.
|
|
|
|
|
|
|
| |
pp_print macro was not correctly formatting u64. This patch renames
it to pp_print_u as it is only used to print integer. It also use
the PRIu* macros to have a correct format string for all integers
type.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Kernel and libnetfilter_conntrack counters are 64bit,
so use 64bit too in ulogd instead of 32bit.
Worked fine on little endian systems but big endian systems
had zero counter...
Didn't test ipfix output, but RFC allows template with
either 32 or 64 counters, so should be safe.
Signed-off-by: Ulrich Weber <uw@xyne.com>
Signed-off-by: Eric Leblond <eric@regit.org>
|
| |
|
|
|
|
|
|
|
| |
The handling of signal when using threads can be complicated. When
ring buffer is used for query, this means ulogd will have to follow
some sort of mutex. Thus, it is easier and better performance wise
to disable the reload via SIGHUP when the ring buffer is used.
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds an optional ring buffer option which modify
the way database queries are made. The main thread is only handling
kernel message reading and query formatting. The SQL request is made
in a separate dedicated thread.
The idea is to try to avoid buffer overrun by minimizing the time
requested to treat kernel message. Doing synchronous SQL request, as
it was made before was causing a delay which could cause some messages
to be lost in case of burst from kernel side.
|
|
|
|
|
| |
Use an offset approach to get the start of values printing area. It
is more generic and will be use soon.
|
|
|
|
|
| |
The field is currently only used in a single function as a string
pointer and can thus be removed from the db instance structure.
|
|
|
|
|
|
|
| |
This patch is adding a mechanism to store query in a backlog build
in memory. This allow to store events during downtime in memory and
realize the effective insertion when the database comes back.
A memory cap is used to avoid any memory flooding.
|
|
|
|
|
| |
It seems Z is a libc5 only format modifier. Using standard 'z'
instead.
|
|
|
|
| |
This patch also update some copyright and licence declaration.
|
|
|
|
|
| |
Rename internal keyname ip6.payload_len to remove "_"
to facilitate this.
|
|
|
|
|
|
|
|
|
|
|
| |
MySQL stored procedures must be invoked by the "CALL" SQL command and
not by "SELECT". Add the convention that if the procedure name starts
with "CALL", then the issued SQL command is "CALL procedurename(args)".
The stored procedure support in MySQL automatically brings transaction
support too.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
| |
This patch fixes the handling of SIGHUP when a SQL plugin is used. A
freed structure was previoulsy used to build the request and this was
leading to a crash.
|
|
|
|
|
|
|
| |
When procedure begins with INSERT* (without space), it considers it as an
INSERT statement.
Signed-off-by: Romain Bignon <romain@inl.fr>
|
|
|
|
|
| |
This patch modifies the procedure name parsing to be able to specify a
complete INSERT command.
|
|
|
|
| |
This patches frees an allocated buffer when ulogd is quitting.
|
|
|
|
|
|
|
|
|
| |
If the procedure name specified in configuration is INSERT, than use
a regular insertion instead of a stored procedure.
This should be used when performance is needed, with a flat SQL schema,
to reduce the cost of SQL procedure calls.
Signed-off-by: Pierre Chifflier <chifflier@inl.fr>
|
|
|
|
|
|
| |
This patch modifies PRINTPKT plugin to add SCTP support.
Signed-off-by: Eric Leblond <eric@inl.fr>
|
|
|
|
|
|
|
|
|
| |
This patch cleans up the current key assignation by introducing a
set of functions ukey_* to set the key value as Eric Leblond and
we discussed during the latest Netfilter Workshop. This patch is
based on an idea from Holger Eitzenberger.
Signed-off-by: Eric Leblond <eric@inl.fr>
|
|
|
|
|
|
|
| |
This patch fixes a multiple definition of the key TCP_URG.
Signed-off-by: Eric Leblond <eric@inl.fr>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch uses PRIu64 and PRId64 macros from inttypes.h to have a correct
definition of 64 bit integer format for 64bits and 32bits arch.
Signed-off-by: Eric Leblond <eric@inl.fr>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch cast to (char *) some (void *) to avoid a gcc warning in
string format parsing.
Signed-off-by: Eric Leblond <eric@inl.fr>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org
|
|
|
|
|
|
| |
This patch fixes the warning related to signed and unsigned comparaison.
Signed-off-by: Eric Leblond <eric@inl.fr>
|
|
|
|
|
|
|
|
|
| |
This patch fixes some gcc warnings:
* Unused variables
* Functions with wrong return (or without return)
Signed-off-by: Eric Leblond <eric@inl.fr>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch fixes a trivial typo.
Signed-off-by: Eric Leblond <eric@inl.fr>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch fixes the computation of the allocation size for the query.
It was not taking into account the length of the name of the procedure.
Signed-off-by: Eric Leblond <eric@inl.fr>
|
| |
|
|
|
|
|
| |
I have no idea what the intention behind this change was, but it
seems bogus, the output format should (mostly) match ipt_LOG.
|
|
|
|
|
|
| |
have now to be used with a defined IP storage type.
Signed-off-by: Eric Leblond <eric@inl.fr>
|
|
|
|
|
|
| |
detection.
Signed-off-by: Eric Leblond <eric@inl.fr>
|
|
|
|
|
|
|
| |
This patch change the input key of the module to use conversion made by the
IP2STR module.
Signed-off-by: Eric Leblond <eric@inl.fr>
|
|
|
|
|
|
| |
misbehaviour was also causing to read datas out of the correct range.
Signed-off-by: Eric Leblond <eric@inl.fr>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
the db.c file for PgSQL and MySQL. In case of problem during request execution
a new connection to the database was immediatly started without closing the
previous one. The consequence was to block the database by having too much
simultaneous open connections.
This patch fixes the problem by disconnectinng from the database after a
request failure and trying to reconnect after a delay which is by default
of 2 secondes. This delay can be customized via the reconnect configuration
variable in the database configuration section.
Signed-off-by: Eric Leblond <eric@inl.fr>
|
|
|
|
|
|
|
|
|
|
| |
to display event type in textual output modules. Here's an output example:
[DESTROY] ORIG: SRC=192.168.1.2 DST=192.168.1.255 PROTO=UDP SPT=631 DPT=631 \\
PKTS=1 BYTES=197 , REPLY: SRC=192.168.1.255 DST=192.168.1.2 \\
PROTO=UDP SPT=631 DPT=631 PKTS=0 BYTES=0
Signed-off-by: Eric Leblond <eric@inl.fr>
|
|
|
|
|
|
|
|
|
|
|
| |
can be use by MySQL. This is not strictly speaking raw data but it was of type
RAW.
Following remark from Hugo Mildenberger, I introduce in this patch a dedicated
type ULOGD_RET_RAWSTR. The main reason not to use a ULOGD_RET_STRING parameter
is that the paramater is not human readable.
Signed-off-by: Eric Leblond <eric@inl.fr>
|
|
|
|
|
|
| |
to form log lines for packets coming from ebtables. Currently it supports IPv4, IPv6 and ARP.
Signed-off-by: Peter Warasin <peter@endian.com>
|
|
|
|
| |
Add UID display to PRINTPKT filter.
|
|
|
|
|
|
|
| |
Some macros were defined several time. This was the case of GET_VALUE,
pp_is_valid. This patch puts the definition in ulogd.h and fixes the
definition of pp_is_valid which was wrong (causing segfault by acessing to
fields at NULL).
|
|
|
|
|
| |
MySQL need no to be able to print RAW data to be able to display
IP addresses.
|
|
|
|
|
| |
- This patch suppress key relative to IPv6 address because IPv4 and IPv6 can be stored in the same key.
- Add missing IP2STR line to ulogd.conf.in
|
|
|
|
|
| |
This patch update the printflow output module to be able to print a
whole conntrack entry on a single line.
|
|
|
|
| |
This patch clarifies code which will be modified in next patch.
|
|
|
|
|
|
|
|
|
| |
This patch adds new SQL schema for MySQL and PGsql. The goal is to improve the one line per entry format. There is no more a big table with all fields because this sort of storage is causing bad performance (databases don't like to have a lot of NULL fields to store).
Main changes are :
* Add new schema for MySQL and PGsql
* Use call to configurable procedure in SQL OUTPUT modules
* Arguments of a procedure are given by the list of fields of a selected table
|
|
|
|
|
|
|
|
|
|
| |
The following patch fixes MySQL and Pgsql output modules.
The callback function was not correctly initialized and this was leading
to a crash by calling the a NULL function. This patch correctly inits
the callback.
Eric Leblond <eric@inl.fr>
|
|
|
|
|
| |
repeat by using symbolic names to make sure the assignment matches the array
index.
|
|
|
|
| |
output is compatible with the SYSLOG and LOGEMU plugins. (Philip Craig)
|