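# Example configuration for ulogd
# $Id$
# Adapted to Debian by Achilleas Kotsis
#
# This file is read by ulogd's own configuration parser, not by a generic
# INI library: the plugin= key is intentionally repeated, string values are
# double-quoted, and some integer keys carry a trailing "# ..." comment as
# shipped upstream.  Keep trailing comments off quoted string values unless
# you have confirmed the parser strips them.
#
# The [mysql*] and [pgsql*] sections hold database credentials in clear
# text.  Replace every "changeme" before enabling those stacks and keep this
# file readable by root only.

[global]
######################################################################
# GLOBAL OPTIONS
######################################################################

# logfile for status messages
logfile="/var/log/ulogd.log"

# loglevel: debug(1), info(3), notice(5), error(7) or fatal(8)
# 1 (debug) is verbose and is meant for troubleshooting; 3 or 5 is the
# usual choice for a production host.
loglevel=1

# socket receive buffer size (should be at least the size of the
# in-kernel buffer, i.e. the ipt_ULOG.o 'nlbufsiz' parameter)
rmem=131071

# libipulog/ulogd receive buffer size, should be > rmem
bufsize=150000

######################################################################
# PLUGIN OPTIONS
######################################################################

# We have to configure and load all the plugins we want to use

# general rules:
# 1. load the plugins _first_ from the global section
# 2. options for each plugin in separate section below

plugin="@libdir@/ulogd/ulogd_inppkt_NFLOG.so"
#plugin="@libdir@/ulogd/ulogd_inppkt_ULOG.so"
plugin="@libdir@/ulogd/ulogd_inpflow_NFCT.so"
plugin="@libdir@/ulogd/ulogd_filter_IFINDEX.so"
plugin="@libdir@/ulogd/ulogd_filter_IP2STR.so"
plugin="@libdir@/ulogd/ulogd_filter_IP2BIN.so"
plugin="@libdir@/ulogd/ulogd_filter_PRINTPKT.so"
plugin="@libdir@/ulogd/ulogd_filter_MAC2STR.so"
plugin="@libdir@/ulogd/ulogd_filter_PRINTFLOW.so"
#plugin="@libdir@/ulogd/ulogd_filter_MARK.so"
plugin="@libdir@/ulogd/ulogd_output_LOGEMU.so"
plugin="@libdir@/ulogd/ulogd_output_SYSLOG.so"
#plugin="@libdir@/ulogd/ulogd_output_OPRINT.so"
#plugin="@libdir@/ulogd/ulogd_output_NACCT.so"
#plugin="@libdir@/ulogd/ulogd_output_PCAP.so"
#plugin="@libdir@/ulogd/ulogd_output_PGSQL.so"
#plugin="@libdir@/ulogd/ulogd_output_MYSQL.so"
plugin="@libdir@/ulogd/ulogd_raw2packet_BASE.so"

# All stack= examples below are commented out; enable the one(s) you need.
# A stack may only reference plugins whose plugin= line above is enabled
# (e.g. the MARK, OPRINT, NACCT, PCAP, PGSQL and MYSQL stacks need their
# plugin= line uncommented first).  The instance name before the colon
# (log1, ct1, ...) selects the matching [section] further down.

# this is a stack for IPv4 packet-based logging via LOGEMU
#stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# this is a stack for IPv6 packet-based logging via LOGEMU
#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# this is a stack for ebtables packet-based logging via LOGEMU
#stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# this is a stack for ULOG packet-based logging via LOGEMU
#stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# this is a stack for IPv4 packet-based logging via LOGEMU with filtering on MARK
#stack=log1:NFLOG,mark1:MARK,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# this is a stack for flow-based logging via LOGEMU
#stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU

# this is a stack for flow-based logging via OPRINT
#stack=ct1:NFCT,op1:OPRINT

# this is a stack for NFLOG packet-based logging to PCAP
#stack=log1:NFLOG,base1:BASE,pcap1:PCAP

# this is a stack for logging packet to MySQL
#stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mac2str1:MAC2STR,mysql1:MYSQL

# this is a stack for logging IPv6 packet to PGsql after a collect via NFLOG
#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:MAC2STR,pgsql1:PGSQL

# this is a stack for logging ebtables packets to syslog after a collect via NFLOG
# (instance name sys2 matches the [sys2] section below; the original file
# referenced sys1, which has no section and would run with plugin defaults)
#stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys2:SYSLOG

# this is a stack for flow-based logging to MySQL
#stack=ct1:NFCT,ip2bin1:IP2BIN,mysql2:MYSQL

# this is a stack for flow-based logging to PGSQL
#stack=ct1:NFCT,ip2str1:IP2STR,pgsql2:PGSQL

# this is a stack for flow-based logging to PGSQL without local hash
# (uses the ct2 instance, which is the one with hash_enable=0 below; the
# original file referenced ct1, whose hash stays enabled)
#stack=ct2:NFCT,ip2str1:IP2STR,pgsql3:PGSQL

# this is a stack for flow-based logging in NACCT compatible format
#stack=ct1:NFCT,ip2str1:IP2STR,nacct1:NACCT

# flow (conntrack) input, with local hash (default)
[ct1]
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440

# flow (conntrack) input, local hash disabled
[ct2]
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
hash_enable=0

# IPv4 logging through NFLOG
[log1]
# netlink multicast group (the same as the iptables --nflog-group param)
group=0
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440

# IPv6 logging through NFLOG
[log2]
group=1 # Group has to be different from the one used in log1
addressfamily=10 # 10 is value of AF_INET6
numeric_label=1 # you can label the log info based on the packet verdict

# ebtables logging through NFLOG
[log3]
group=2 # Group has to be different from the one used in log1/log2
addressfamily=7 # 7 is value of AF_BRIDGE

# legacy ULOG input (plugin line is commented out above)
[ulog1]
# netlink multicast group (the same as the iptables --ulog-nlgroup param)
nlgroup=1
#numeric_label=0 # optional argument

# syslog-style text output to a file
[emu1]
file="/var/log/ulogd_syslogemu.log"
sync=1

# verbose key=value text output to a file
[op1]
file="/var/log/ulogd_oprint.log"
sync=1

[pcap1]
sync=1

# Database outputs: db, host, user, table, pass and procedure are all
# placeholders for the target server.  The pass value is stored in clear
# text, so use a dedicated low-privilege database account.
[mysql1]
db="nulog"
host="localhost"
user="nupik"
table="ulog"
pass="changeme"
procedure="INSERT_PACKET_FULL"

[mysql2]
db="nulog"
host="localhost"
user="nupik"
table="ulog"
pass="changeme"
procedure="INSERT_CT"

[pgsql1]
db="nulog"
host="localhost"
user="nupik"
table="ulog"
pass="changeme"
procedure="INSERT_PACKET_FULL"

[pgsql2]
db="nulog"
host="localhost"
user="nupik"
table="ulog2_ct"
pass="changeme"
procedure="INSERT_CT"

[pgsql3]
db="nulog"
host="localhost"
user="nupik"
table="ulog2_ct"
pass="changeme"
procedure="INSERT_OR_REPLACE_CT"

# syslog output; facility used for the ebtables stack above
[sys2]
facility=LOG_LOCAL2

[nacct1]
sync=1

# MARK filter: only packets carrying this mark pass the stack
[mark1]
mark=1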