diff options
| author | Patrick McHardy <kaber@trash.net> | 2008-05-18 18:35:35 +0200 |
|---|---|---|
| committer | Patrick McHardy <kaber@trash.net> | 2008-05-18 18:35:35 +0200 |
| commit | 835110044bd970518e10b28348ce6619818ce363 (patch) | |
| tree | 76abdc04a3b9b8a29e3daded34cb2779a939df9b /doc | |
| parent | dce17ab4526920f1930f1fee4245ea66c33093ec (diff) | |
Remove obsolete patches and files and move ulogd to repository top-level directory
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/Makefile.in | 51 | ||||
| -rw-r--r-- | doc/mysql.table | 55 | ||||
| -rw-r--r-- | doc/mysql.table.ipaddr-as-string | 58 | ||||
| -rw-r--r-- | doc/pgsql.table | 81 | ||||
| -rw-r--r-- | doc/sqlite3.table | 22 | ||||
| -rw-r--r-- | doc/ulogd.html | 421 | ||||
| -rw-r--r-- | doc/ulogd.sgml | 449 |
7 files changed, 1137 insertions, 0 deletions
diff --git a/doc/Makefile.in b/doc/Makefile.in new file mode 100644 index 0000000..e6c71a9 --- /dev/null +++ b/doc/Makefile.in @@ -0,0 +1,51 @@ +#! /usr/bin/make +# this file is shamelessly stolen from the iptables CVS tree + +LANG_DIRS:= + +HOWTOS:=$(wildcard *.sgml) +HOWTOS+=$(foreach dir, $(LANG_DIRS), $(wildcard $(dir)/*.sgml)) + +TXT_HOWTOS:=$(HOWTOS:.sgml=.txt) +HTML_HOWTOS:=$(HOWTOS:.sgml=.html) +PSA4_HOWTOS:=$(HOWTOS:.sgml=.a4.ps) +PSUS_HOWTOS:=$(HOWTOS:.sgml=.letter.ps) + +HOWTO_FLAGS_it/=-c latin -l it +HOWTO_FLAGS_fr/=-c latin -l fr + +user_calls_make: + +distrib: $(TXT_HOWTOS) $(PSA4_HOWTOS) $(HTML_HOWTOS) + +HOWTOs: $(TXT_HOWTOS) $(HTML_HOWTOS) $(PSA4_HOWTOS) $(PSUS_HOWTOS) + +# Remake all if Makefile changes. +$(TXT_HOWTOS) $(HTML_HOWTOS) $(PSA4_HOWTOS) $(PSUS_HOWTOS): Makefile + +# Stupid sgml2* tools strip dirnames for output files. 8( +%.txt: %.sgml + @echo Making $@: && cd `dirname $<` && sgml2txt --filter $(HOWTO_FLAGS_$(dir $<)) `basename $<` 2>&1 | sed "s?^<standard input>:\([0-9]*\):[^ ]* ?$<:\1:?" + +%.a4.dvi: %.sgml + @echo Making $@: && cd `dirname $<` && sgml2latex --papersize=a4 --output=dvi $(HOWTO_FLAGS_$(dir $<)) `basename $<` 2>&1 | sed "s?^<standard input>:\([0-9]*\):[^ ]* ?$<:\1:?" && mv `basename $*.dvi` `basename $*.a4.dvi` + +%.a4.ps: %.a4.dvi + @dvips -t a4 -o $@ $< + +%.letter.dvi: %.sgml + @echo Making $@: && cd `dirname $<` && sgml2latex --papersize=letter --output=dvi $(HOWTO_FLAGS_$(dir $<)) `basename $<` 2>&1 | sed "s?^<standard input>:\([0-9]*\):[^ ]* ?$<:\1:?" && mv `basename $*.dvi` `basename $*.letter.dvi` + +%.letter.ps: %.letter.dvi + @dvips -t letter -o $@ $< + +%.html: %.sgml + @echo Making $@: && cd `dirname $<` && sgml2html -s 0 $(HOWTO_FLAGS_$(dir $<)) `basename $<` 2>&1 | sed "s?^<standard input>:\([0-9]*\):[^ ]* ?$<:\1:?" + +clean: +# for d in . $(LANG_DIRS); do rm -f $$d/*.html $$d/*.ps $$d/*.aux $$d/*.log $$d/*.txt $$d/*~; done + +distclean: + rm -f Makefile + +install: diff --git a/doc/mysql.table b/doc/mysql.table new file mode 100644 index 0000000..bdfee71 --- /dev/null +++ b/doc/mysql.table @@ -0,0 +1,55 @@ +CREATE TABLE ulog ( id INT UNSIGNED AUTO_INCREMENT UNIQUE, + + raw_mac VARCHAR(80), + + oob_time_sec INT UNSIGNED, + oob_time_usec INT UNSIGNED, + oob_prefix VARCHAR(32), + oob_mark INT UNSIGNED, + oob_in VARCHAR(32), + oob_out VARCHAR(32), + + ip_saddr INT UNSIGNED, + ip_daddr INT UNSIGNED, + ip_protocol TINYINT UNSIGNED, + ip_tos TINYINT UNSIGNED, + ip_ttl TINYINT UNSIGNED, + ip_totlen SMALLINT UNSIGNED, + ip_ihl TINYINT UNSIGNED, + ip_csum SMALLINT UNSIGNED, + ip_id SMALLINT UNSIGNED, + ip_fragoff SMALLINT UNSIGNED, + + tcp_sport SMALLINT UNSIGNED, + tcp_dport SMALLINT UNSIGNED, + tcp_seq INT UNSIGNED, + tcp_ackseq INT UNSIGNED, + tcp_window SMALLINT UNSIGNED, + tcp_urg TINYINT, + tcp_urgp SMALLINT UNSIGNED, + tcp_ack TINYINT, + tcp_psh TINYINT, + tcp_rst TINYINT, + tcp_syn TINYINT, + tcp_fin TINYINT, + + udp_sport SMALLINT UNSIGNED, + udp_dport SMALLINT UNSIGNED, + udp_len SMALLINT UNSIGNED, + + icmp_type TINYINT UNSIGNED, + icmp_code TINYINT UNSIGNED, + icmp_echoid SMALLINT UNSIGNED, + icmp_echoseq SMALLINT UNSIGNED, + icmp_gateway INT UNSIGNED, + icmp_fragmtu SMALLINT UNSIGNED, + + pwsniff_user VARCHAR(30), + pwsniff_pass VARCHAR(30), + + ahesp_spi INT UNSIGNED, + + KEY index_id (id) + ); + + diff --git a/doc/mysql.table.ipaddr-as-string b/doc/mysql.table.ipaddr-as-string new file mode 100644 index 0000000..4a9cecc --- /dev/null +++ b/doc/mysql.table.ipaddr-as-string @@ -0,0 +1,58 @@ +# MySQL dump 7.1 +# +# Host: localhost Database: ulogd +#-------------------------------------------------------- +# Server version 3.22.32 + +# This table is intended for use with older MySQL-Servers and +# the --with-mysql-log-ip-as-string feature. It will not work +# without that feature. +# +# Table structure for table 'ulog' +# +CREATE TABLE ulog ( + id int(10) unsigned NOT NULL auto_increment, + raw_mac varchar(80), + oob_time_sec int(10) unsigned, + oob_time_usec int(10) unsigned, + oob_prefix varchar(32), + oob_mark int(10) unsigned, + oob_in varchar(32), + oob_out varchar(32), + ip_saddr varchar(16), + ip_daddr varchar(16), + ip_protocol tinyint(3) unsigned, + ip_tos tinyint(3) unsigned, + ip_ttl tinyint(3) unsigned, + ip_totlen smallint(5) unsigned, + ip_ihl tinyint(3) unsigned, + ip_csum smallint(5) unsigned, + ip_id smallint(5) unsigned, + ip_fragoff smallint(5) unsigned, + tcp_sport smallint(5) unsigned, + tcp_dport smallint(5) unsigned, + tcp_seq int(10) unsigned, + tcp_ackseq int(10) unsigned, + tcp_window smallint(5) unsigned, + tcp_urg tinyint(4), + tcp_urgp smallint(5) unsigned, + tcp_ack tinyint(4), + tcp_psh tinyint(4), + tcp_rst tinyint(4), + tcp_syn tinyint(4), + tcp_fin tinyint(4), + udp_sport smallint(5) unsigned, + udp_dport smallint(5) unsigned, + udp_len smallint(5) unsigned, + icmp_type tinyint(3) unsigned, + icmp_code tinyint(3) unsigned, + icmp_echoid smallint(5) unsigned, + icmp_echoseq smallint(5) unsigned, + icmp_gateway int(10) unsigned, + icmp_fragmtu smallint(5) unsigned, + pwsniff_user varchar(30), + pwsniff_pass varchar(30), + ahesp_spi int(10) unsigned, + PRIMARY KEY (id) +); + diff --git a/doc/pgsql.table b/doc/pgsql.table new file mode 100644 index 0000000..193f747 --- /dev/null +++ b/doc/pgsql.table @@ -0,0 +1,81 @@ +/* ulogd.pgsql.table, Version 0.1 + * + * sample of a postgres table for ulogd + * + * All columns except "id" are optional! Comment all unwanted + * columns out, e.g. by prefixing them with '--' + * + * "raw_pkt" is not supported by ulogd_PGSQL + */ + +CREATE SEQUENCE "seq_ulog"; + +CREATE TABLE "ulog" ( + "id" integer DEFAULT nextval('seq_ulog') NOT NULL, + + "oob_prefix" character varying(32), + "oob_time_sec" integer, + "oob_time_usec" integer, + "oob_mark" bigint, + "oob_in" character varying(32), + "oob_out" character varying(32), + + "raw_mac" character varying(80), + "raw_pktlen" bigint, + + "ip_ihl" smallint, + "ip_tos" smallint, + "ip_totlen" integer, + "ip_id" integer, + "ip_fragoff" integer, + "ip_ttl" smallint, + "ip_protocol" smallint, + "ip_csum" integer, + +/* log IPs as unsigned int32 (default) */ + "ip_saddr" bigint, + "ip_daddr" bigint, + +/* log IPs as string (--with-pgsql-log-ip-as-string) */ +-- "ip_saddr" character varying(40), +-- "ip_daddr" character varying(40), + +/* log IPs as inet (--with-pgsql-log-ip-as-string) */ +-- "ip_saddr" inet, +-- "ip_daddr" inet, + + + "tcp_sport" integer, + "tcp_dport" integer, + "tcp_seq" bigint, + "tcp_ackseq" bigint, + "tcp_urg" boolean, + "tcp_ack" boolean, + "tcp_psh" boolean, + "tcp_rst" boolean, + "tcp_syn" boolean, + "tcp_fin" boolean, + "tcp_window" integer, + "tcp_urgp" integer, + + "udp_sport" integer, + "udp_dport" integer, + "udp_len" integer, + + "icmp_type" smallint, + "icmp_code" smallint, + "icmp_echoid" integer, + "icmp_echoseq" integer, + "icmp_gateway" bigint, + "icmp_fragmtu" integer, + + "pwsniff_user" character varying(30), + "pwsniff_pass" character varying(30), + + "ahesp_spi" smallint, + + "local_time" bigint, + "local_hostname" character varying(40) +); + + diff --git a/doc/sqlite3.table b/doc/sqlite3.table new file mode 100644 index 0000000..7b5e99a --- /dev/null +++ b/doc/sqlite3.table @@ -0,0 +1,22 @@ +CREATE TABLE ulog ( + raw_mac VARCHAR(80), + oob_time_sec INT UNSIGNED, + oob_time_usec INT UNSIGNED, + ip_saddr INT UNSIGNED, + ip_daddr INT UNSIGNED, + ip_protocol TINYINT UNSIGNED, + ip_totlen SMALLINT UNSIGNED, + tcp_sport SMALLINT UNSIGNED, + tcp_dport SMALLINT UNSIGNED, + udp_sport SMALLINT UNSIGNED, + udp_dport SMALLINT UNSIGNED, + udp_len SMALLINT UNSIGNED, + icmp_type TINYINT UNSIGNED, + icmp_code TINYINT UNSIGNED, + icmp_echoid SMALLINT UNSIGNED, + icmp_echoseq SMALLINT UNSIGNED, + icmp_gateway INT UNSIGNED, + icmp_fragmtu SMALLINT UNSIGNED + ); + + diff --git a/doc/ulogd.html b/doc/ulogd.html new file mode 100644 index 0000000..8bf7fed --- /dev/null +++ b/doc/ulogd.html @@ -0,0 +1,421 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> +<HTML> +<HEAD> + <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.21"> + <TITLE>ULOGD - the Userspace Logging Daemon</TITLE> +</HEAD> +<BODY> +<H1>ULOGD - the Userspace Logging Daemon</H1> + +<H2>Harald Welte <laforge@gnumonks.org></H2>Revision $Revision: 803 $, $Date: 2005-04-18 16:21:17 +0200 (Mon, 18 Apr 2005) $ +<HR> +<EM>This is the documentation for <CODE>ulogd</CODE>, the Userspace logging daemon. +ulogd makes use of the Linux >= 2.4.x packet filter subsystem (iptables) and +the ULOG target for iptables.</EM> +<HR> +<H2><A NAME="s1">1. DESIGN</A></H2> + +<H2><A NAME="ss1.1">1.1 CONCEPT</A> +</H2> + +<P>I want to provide a flexible, almost universal logging daemon for my netfilter +ULOG target. It is not optimized in any way, the goal is to keep as simple as +possible. These are my thoughts about how the architecture which is most +capable of doing that:</P> +<P> +<DL> +<DT><B>Interpreter lugins</B><DD><P>It should be possible to add plugins / runtime modules for new protocols, etc. +For example the standard logging daemon provides source-ip, dest-ip, +source-port, dest-port, etc. Logging for variuos other protocols (GRE, +IPsec, ...) may be implemented as modules.</P> + +<DT><B>Output plugins</B><DD><P>... describe how and where to put the information gained by logging plugins. +The easiest way is to build a line per packet and fprint it to a file. +Some people might want to log into a SQL database or want an output +conforming to the intrusion detection systems communication draft from the +IETF.</P> + +</DL> +</P> + +<H2><A NAME="ss1.2">1.2 DETAILS</A> +</H2> + +<P>The major clue is providing a framework which is as flexible as possible. +Nobody knows what strange network protocols are out there :) Flexibility +depends on the communication between the output of the logging plugins +and input of the output plugins.</P> +<P>Rusty advised me to use some kind of type-key-value triples, which is in fact +what I implemented.</P> +<P>One issue is, of course, performance. Up to ulogd 0.3, ulogd did several +linked list iterations and about 30 malloc() calls _per packet_. This +changed with the new >= 0.9 revisions: +<UL> +<LI>Not a single dynamic allocation in the core during runtime. +Everything is pre-allocated at start of ulogd to provide the highest +possible throughput.</LI> +<LI>Hash tables in addition to the linked lists. Linked lists are only +traversed if we really want to access each element of the list.</LI> +</UL> +</P> + +<H2><A NAME="s2">2. INSTALLATION</A></H2> + + +<H2><A NAME="ss2.1">2.1 Linux kernel</A> +</H2> + +<P>First you will need a recent 2.4.x kernel. If you have a kernel >= +2.4.18-pre8, it already has the kernel suport for ULOG (ipt_ULOG.o).</P> +<P>If you have an older kernel version (between 2.4.0 and 2.4.18-pre6), you +can use the patch-o-matic system of netfilter/iptables, as described in +the following section.</P> + +<H2><A NAME="ss2.2">2.2 ipt_ULOG from netfilter/iptables patch-o-matic</A> +</H2> + +<P>You only need to read this chapter if you have a 2.4.x kernel <= +2.4.18-pre6.</P> +<P>In order to put the ipt_ULOG module into your kernel source,you need the latest +iptables package, or even better: the latest CVS snapshot. A description how to +obtain this is provided on the netfilter +homepage +<A HREF="http://www.netfilter.org/">http://www.netfilter.org/</A>.</P> +<P>To run patch-o-matic, just type +<BLOCKQUOTE><CODE> +<PRE> +make patch-o-matic +</PRE> +</CODE></BLOCKQUOTE> + +in the userspace directory of netfilter CVS.</P> + +<H2><A NAME="ss2.3">2.3 ulogd</A> +</H2> + +<H3>Recompiling the source</H3> + +<P>Download the ulogd package from +<A HREF="http://ftp.netfilter.org/pub/ulogd/">http://ftp.netfilter.org/pub/ulogd/</A> and +untar it. </P> +<P>If you want to build ulogd with MySQL support, type './configure --with-mysql'. You may also have to specify the path of the mysql libraries using '--with-mysql=path'. To build ulogd without MySQL support, just use './configure'.</P> +<P>To compile and install the program, call 'make install'.</P> + +<H3>Using a precompiled package</H3> + +<P>I also provide a SRPM, which should compile on almost any rpm-based distribution. It is available at +<A HREF="http://ftp.netfilter.org/pub/ulogd/">http://ftp.netfilter.org/pub/ulogd/</A></P> +<P>Just download the package and do the usual 'rpm --rebuild <file>'.</P> + +<H2><A NAME="s3">3. Configuration</A></H2> + +<H2><A NAME="ss3.1">3.1 iptables ULOG target</A> +</H2> + +<H3>Quick Setup</H3> + +<P>Just add rules using the ULOG target to your firewalling chain. A very basic +example: +<BLOCKQUOTE><CODE> +<PRE> +iptables -A FORWARD -j ULOG --ulog-nlgroup 32 --ulog-prefix foo +</PRE> +</CODE></BLOCKQUOTE> +</P> +<P>To increase logging performance, try to use the +<BLOCKQUOTE><CODE> +<PRE> +--ulog-qthreshold N +</PRE> +</CODE></BLOCKQUOTE> + +option (where 1 < N <= 50). The number you specify is the amout of packets +batched together in one multipart netlink message. If you set this to 20, the +kernel schedules ulogd only once every 20 packets. All 20 packets are then +processed by ulogd. This reduces the number of context switches between kernel +and userspace.</P> +<P>Of course you can combine the ULOG target with the different netfilter match +modules. For a more detailed description, have a look at the netfilter +HOWTO's, available on the netfilter homepage.</P> +<H3>ULOG target reference</H3> + +<P> +<DL> +<DT><B>--ulog-nlgroup N</B><DD><P>The number of the netlink multicast group to which ULOG'ed packets are sent. +You will have to use the same group number in the ULOG target and ulogd in +order to make logging work.</P> +<DT><B>--ulog-cprange N</B><DD><P>Copyrange. This works like the 'snaplen' paramter of tcpdump. You can specify +a number of bytes up to which the packet is copied. If you say '40', you will +receive the first fourty bytes of every packet. Leave it to '0'</P> +<DT><B>--ulog-qthreshold N</B><DD><P>Queue threshold. If a packet is matched by the iptables rule, and already N +packets are in the queue, the queue is flushed to userspace. You can use this +to implement a policy like: Use a big queue in order to gain high performance, +but still have certain packets logged immediately to userspace.</P> +<DT><B>--ulog-prefix STRING</B><DD><P>A string that is associated with every packet logged by this rule. You can use +this option to later tell from which rule the packet was logged.</P> +</DL> +</P> + +<H3>ipt_ULOG module parameters</H3> + +<P>The ipt_ULOG kernel module has a couple of module loadtime parameters which can +(and should) be tuned to accomodate the needs of the application: +<DL> +<DT><B>nlbufsiz N</B><DD><P>Netlink buffer size. A buffer of the specified size N is allocated for every +netlink group that is used. Please note that due to restrictions of the kernel +memory allocator, we cannot have a buffer size > 128kBytes. Larger buffer +sizes increase the performance, since less kernel/userspace context switches +are needed for the same amount of packets. The backside of this performance +gain is a potentially larger delay. The default value is 4096 bytes, which is +quite small.</P> +<DT><B>flushtimeout N</B><DD><P>The flushtimeout determines, after how many clock ticks (on alpha: 1ms, on +x86 and most other platforms: 10ms time units) the buffer/queue is to be +flushed, even if it is not full. This can be used to have the advantage of a +large buffer, but still a finite maximum delay introduced. The default value +is set to 10 seconds.</P> +</DL> + +Example: +<BLOCKQUOTE><CODE> +<PRE> +modprobe ipt_ULOG nlbufsiz=65535 flushtimeout=100 +</PRE> +</CODE></BLOCKQUOTE> + +This would use a buffer size of 64k and a flushtimeout of 100 clockticks (1 second on x86).</P> + +<H2><A NAME="ss3.2">3.2 ulogd</A> +</H2> + +<P>ulogd is what this is all about, so let's describe it's configuration...</P> +<H3>ulogd configfile syntax reference</H3> + +<P>All configurable parameters of ulogd are in the configfile, typically located +at '/etc/ulogd.conf'.</P> +<P>The following configuration parameters are available: +<DL> +<DT><B>nlgroup</B><DD><P>The netlink multicast group, which ulgogd should bind to. This is the same as +given with the '--ulog-nlgroup' option to iptables.</P> +<DT><B>logfile</B><DD><P>The main logfile, where ulogd reports any errors, warnings and other unexpected conditions. Apart from a regular filename, the following special values can be used; ``syslog'' to log via the unix syslog(3) mechanism. ``stdout'' to log to stdout.</P> +<DT><B>loglevel</B><DD><P>This specifies, how verbose the logging to logfile is. Currently defined +loglevels are: 1=debug information, 3=informational messages, 5=noticable +exceptional conditions, 7=error conditions, 8=fatal errors, program abort.</P> +<DT><B>plugin</B><DD><P>This option is followed by a filename of a ulogd plugin, which ulogd shold load +upon initialization. This option may appear more than once.</P> +<DT><B>rmem</B><DD><P>Size of the netlink socket receive memory. You should set this to at least the +size of the kernel buffer (nlbufsiz parameter of the ipt_ULOG module). Please +note that there is a maximum limit in /proc/sys/net/core/rmem_max which you +cannot exceed by increasing the ``rmem'' parameter. You may need to raise the +system-wide maximum limit before.</P> +<DT><B>bufsize</B><DD><P>Size of the receive buffer. You should set this to at least the socket receive buffer (rmem).</P> +</DL> +</P> +<H3>ulogd commandline option reference</H3> + +<P>Apart from the configfile, there are a couple of commandline options to ulogd: +<DL> +<DT><B>-h --help</B><DD><P>Print a help message about the commandline options.</P> +<DT><B>-V --version</B><DD><P>Print version information about ulogd.</P> +<DT><B>-d --daemon</B><DD><P>For off into daemon mode. Unless you are debugging, you will want to use this +most of the time.</P> +<DT><B>-c --configfile</B><DD><P>Using this commandline option, an alternate config file can be used. This is +important if multiple instances of ulogd are to be run on a single machine.</P> +</DL> +</P> + +<H2><A NAME="s4">4. Available plugins</A></H2> + +<P>It is important to understand that ulogd without plugins does nothing. It will receive packets, and do nothing with them.</P> +<P>There are two kinds of plugins, interpreter and output plugins. Interpreter +plugins parse the packet, output plugin write the interpreted information to +some logfile/database/...</P> + +<H2><A NAME="ss4.1">4.1 Interpreter plugins</A> +</H2> + +<P>ulogd comes with the following interpreter plugins:</P> +<H3>ulogd_BASE.so</H3> + +<P>Basic interpreter plugin for nfmark, timestamp, mac address, ip header, tcp +header, udp header, icmp header, ah/esp header... Most people will want to load +this very important plugin.</P> +<H3>ulogd_PWSNIFF.so</H3> + +<P>Example interpreter plugin to log plaintext passwords as used with FTP and +POP3. Don't blame me for writing this plugin! The protocols are inherently +insecure, and there are a lot of other tools for sniffing passwords... it's +just an example.</P> +<H3>ulogd_LOCAL.so</H3> + +<P>This is a 'virtual interpreter'. It doesn't really return any information on +the packet itself, rather the local system time and hostname. Please note that +the time is the time at the time of logging, not the packets receive time.</P> + +<H2><A NAME="ss4.2">4.2 Output plugins</A> +</H2> + +<P>ulogd comes with the following output plugins:</P> + +<H3>ulogd_OPRINT.so</H3> + +<P>A very simple output module, dumping all packets in the format +<BLOCKQUOTE><CODE> +<PRE> +===>PACKET BOUNDARY +key=value +key=value +... +===>PACKET BOUNDARY +... +</PRE> +</CODE></BLOCKQUOTE> + +to a file. The only useful application is debugging.</P> +<P>The module defines the following configuration directives: +<DL> +<DT><B>dumpfile</B><DD><P>The filename where it should log to. The default is +<CODE>/var/log/ulogd.pktlog</CODE></P> +</DL> +</P> + +<H3>ulogd_LOGEMU.so</H3> + +<P>An output module which tries to emulate the old syslog-based LOG targed as far +as possible. Logging is done to a seperate textfile instead of syslog, though.</P> +<P>The module defines the following configuration directives: +<DL> +<DT><B>file</B><DD><P>The filename where it should log to. The default is +<CODE>/var/log/ulogd.syslogemu</CODE></P> +<DT><B>sync</B><DD><P>Set this to 1 if you want to have your logfile written +synchronously. This may reduce performance, but makes your log-lines appear +immediately. The default is <CODE>0</CODE></P> +</DL> +</P> + +<H3>ulogd_MYSQL.so</H3> + +<P>An output plugin for logging into a mysql database. This is only compiled if +you have the mysql libraries installed, and the configure script was able to +detect them. (that is: --with-mysql was specified for ./configure) </P> + +<P>The plugin automagically inserts the data into the configured table; It +connects to mysql during the startup phase of ulogd and obtains a list of the +columns in the table. Then it tries to resolve the column names against keys of +interpreter plugins. This way you can easly select which information you want +to log - just by the layout of the table. </P> + +<P>If, for example, your table contains a field called 'ip_saddr', ulogd will +resolve this against the key 'ip.saddr' and put the ip address as 32bit +unsigned integer into the table. </P> + +<P>You may want to have a look at the file '<CODE>doc/mysql.table</CODE>' as an +example table including fields to log all keys from ulogd_BASE.so. Just delete +the fields you are not interested in, and create the table. </P> + +<P>The module defines the following configuration directives: +<DL> +<DT><B>table</B><DD><P>Name of the table to which ulogd should log</P> +<DT><B>ldb</B><DD><P>Name of the mysql database</P> +<DT><B>host</B><DD><P>Name of the mysql database host</P> +<DT><B>port</B><DD><P>TCP port number of mysql database server</P> +<DT><B>user</B><DD><P>Name of the mysql user</P> +<DT><B>pass</B><DD><P>Password for mysql</P> +</DL> +</P> + +<H3>ulogd_PGSQL.so</H3> + +<P>An output plugin for logging into a postgresql database. This is only compiled +if you have the mysql libraries installed, and the configure script was able to +detect them. (that is: --with-pgsql was specified for ./configure) </P> + +<P>The plugin automagically inserts the data into the configured table; It +connects to pgsql during the startup phase of ulogd and obtains a list of the +columns in the table. Then it tries to resolve the column names against keys of +interpreter plugins. This way you can easly select which information you want +to log - just by the layout of the table. </P> + +<P>If, for example, your table contains a field called 'ip_saddr', ulogd will +resolve this against the key 'ip.saddr' and put the ip address as 32bit +unsigned integer into the table. </P> + +<P>You may want to have a look at the file '<CODE>doc/mysql.table</CODE>' as an +example table including fields to log all keys from ulogd_BASE.so. Just delete +the fields you are not interested in, and create the table. </P> + +<P>The module defines the following configuration directives: +<DL> +<DT><B>table</B><DD><P>Name of the table to which ulogd should log</P> +<DT><B>db</B><DD><P>Name of the database</P> +<DT><B>host</B><DD><P>Name of the mysql database host</P> +<DT><B>port</B><DD><P>TCP port number of database server</P> +<DT><B>user</B><DD><P>Name of the sql user</P> +<DT><B>pass</B><DD><P>Password for sql user</P> +</DL> +</P> + +<H3>ulogd_PCAP.so</H3> + +<P>An output plugin that can be used to generate libpcap-style packet logfiles. +This can be useful for later analysing the packet log with tools like tcpdump +or ethereal.</P> +<P>The module defines the following configuration directives: +<DL> +<DT><B>file</B><DD><P>The filename where it should log to. The default is: +<CODE>/var/log/ulogd.pcap</CODE></P> +<DT><B>sync</B><DD><P>Set this to <CODE>1</CODE> if you want to have your pcap logfile written +synchronously. This may reduce performance, but makes your packets appear +immediately in the file on disk. The default is <CODE>0</CODE></P> +</DL> +</P> + +<H3>ulogd_SQLITE3.so</H3> + +<P>An output plugin for logging into a SQLITE v3 database. This is only compiled +if you have the sqlite libraries installed, and the configure script was able to +detect them. (that is: --with-sqlite3 was specified for ./configure) </P> + +<P>The plugin automagically inserts the data into the configured table; It +opens the sqlite db during the startup phase of ulogd and obtains a list of the +columns in the table. Then it tries to resolve the column names against keys of +interpreter plugins. This way you can easly select which information you want +to log - just by the layout of the table. </P> + +<P>If, for example, your table contains a field called 'ip_saddr', ulogd will +resolve this against the key 'ip.saddr' and put the ip address as 32bit +unsigned integer into the table. </P> + +<P>You may want to have a look at the file '<CODE>doc/sqlite3.table</CODE>' as an +example table including fields to log all keys from ulogd_BASE.so. Just delete +the fields you are not interested in, and create the table. </P> + +<P>The module defines the following configuration directives: +<DL> +<DT><B>table</B><DD><P>Name of the table to which ulogd should log</P> +<DT><B>db</B><DD><P>Name of the database</P> +<DT><B>buffer</B><DD><P>Size of the sqlite buffer</P> +</DL> +</P> +<H3>ulogd_SYSLOG.so</H3> + +<P>An output plugin that really logs via syslogd. Lines will look exactly like printed with traditional LOG target.</P> +<P>The module defines the following configuration directives: +<DL> +<DT><B>facility</B><DD><P>The syslog facility (LOG_DAEMON, LOG_KERN, LOG_LOCAL0 .. LOG_LOCAL7, LOG_USER)</P> +<DT><B>level</B><DD><P>The syslog level (LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, LOG_DEBUG)</P> +</DL> +</P> +<H2><A NAME="s5">5. QUESTIONS / COMMENTS</A></H2> + +<P>All comments / questions / ... are appreciated.</P> +<P>Just drop me a note to laforge@gnumonks.org</P> +<P>Please note also that there is now a mailinglist, ulogd@lists.gnumonks.org. +You can subscribe at +<A HREF="http://lists.gnumonks.org/mailman/listinfo/ulogd/">http://lists.gnumonks.org/mailman/listinfo/ulogd/</A></P> +<P> +The preferred method for reporting bugs is the netfilter bugzilla system, +available at +<A HREF="http://bugzilla.netfilter.org/">http://bugzilla.netfilter.org/</A>.</P> + +</BODY> +</HTML> diff --git a/doc/ulogd.sgml b/doc/ulogd.sgml new file mode 100644 index 0000000..c019c63 --- /dev/null +++ b/doc/ulogd.sgml @@ -0,0 +1,449 @@ +<!doctype linuxdoc system> + +<!-- $Id$ --> + +<article> + +<title>ULOGD - the Userspace Logging Daemon</title> +<author>Harald Welte <laforge@gnumonks.org></author> +<date>Revision $Revision$, $Date$</date> + +<abstract> +This is the documentation for <tt>ulogd</tt>, the Userspace logging daemon. +ulogd makes use of the Linux >= 2.4.x packet filter subsystem (iptables) and +the ULOG target for iptables. +</abstract> + +<toc> + +<sect>DESIGN + +<sect1>CONCEPT +<p> +I want to provide a flexible, almost universal logging daemon for my netfilter +ULOG target. It is not optimized in any way, the goal is to keep as simple as +possible. These are my thoughts about how the architecture which is most +capable of doing that: +<p> +<descrip> +<tag>Interpreter plugins</tag> +It should be possible to add plugins / runtime modules for new protocols, etc. +For example the standard logging daemon provides source-ip, dest-ip, +source-port, dest-port, etc. Logging for various other protocols (GRE, +IPsec, ...) may be implemented as modules. + +<tag>Output plugins</tag> +... describe how and where to put the information gained by logging plugins. +The easiest way is to build a line per packet and fprint it to a file. +Some people might want to log into a SQL database or want an output +conforming to the intrusion detection systems communication draft from the +IETF. + +</descrip> + +<sect1>DETAILS +<p> +The major clue is providing a framework which is as flexible as possible. +Nobody knows what strange network protocols are out there :) Flexibility +depends on the communication between the output of the logging plugins +and input of the output plugins. +<p> +Rusty advised me to use some kind of type-key-value triples, which is in fact +what I implemented. +<p> +One issue is, of course, performance. Up to ulogd 0.3, ulogd did several +linked list iterations and about 30 malloc() calls _per packet_. This +changed with the new >= 0.9 revisions: +<itemize> +<item>Not a single dynamic allocation in the core during runtime. +Everything is pre-allocated at start of ulogd to provide the highest +possible throughput. +<item>Hash tables in addition to the linked lists. Linked lists are only +traversed if we really want to access each element of the list. +</itemize> + +<sect>INSTALLATION +<p> +<sect1>Linux kernel +<p> +First you will need a recent 2.4.x kernel. If you have a kernel >= +2.4.18-pre8, it already has the kernel support for ULOG (ipt_ULOG.o). +<p> +If you have an older kernel version (between 2.4.0 and 2.4.18-pre6), you +can use the patch-o-matic system of netfilter/iptables, as described in +the following section. + +<sect1>ipt_ULOG from netfilter/iptables patch-o-matic +<p> +You only need to read this chapter if you have a 2.4.x kernel <= +2.4.18-pre6. +<p> +In order to put the ipt_ULOG module into your kernel source,you need the latest +iptables package, or even better: the latest CVS snapshot. A description how to +obtain this is provided on the netfilter +homepage <URL URL="http://www.netfilter.org/">. +<p> +To run patch-o-matic, just type +<tscreen><verb> +make patch-o-matic +</verb></tscreen> +in the userspace directory of netfilter CVS. + +<sect1>ulogd +<sect2>Recompiling the source +<p> +Download the ulogd package from <URL URL="http://ftp.netfilter.org/pub/ulogd/"> and +untar it. +<p> +If you want to build ulogd with MySQL support, type './configure --with-mysql'. You may also have to specify the path of the mysql libraries using '--with-mysql=path'. To build ulogd without MySQL support, just use './configure'. +<p> +To compile and install the program, call 'make install'. + +<sect2>Using a precompiled package +<p> +I also provide a SRPM, which should compile on almost any rpm-based distribution. It is available at <URL URL="http://ftp.netfilter.org/pub/ulogd/"> +<p> +Just download the package and do the usual 'rpm --rebuild <file>'. + +<sect>Configuration +<sect1>iptables ULOG target +<sect2>Quick Setup +<p> +Just add rules using the ULOG target to your firewalling chain. A very basic +example: +<tscreen><verb> +iptables -A FORWARD -j ULOG --ulog-nlgroup 32 --ulog-prefix foo +</verb></tscreen> +<p> +To increase logging performance, try to use the +<tscreen><verb> +--ulog-qthreshold N +</verb></tscreen> +option (where 1 < N <= 50). The number you specify is the amount of packets +batched together in one multipart netlink message. If you set this to 20, the +kernel schedules ulogd only once every 20 packets. All 20 packets are then +processed by ulogd. This reduces the number of context switches between kernel +and userspace. +<p> +Of course you can combine the ULOG target with the different netfilter match +modules. For a more detailed description, have a look at the netfilter +HOWTO's, available on the netfilter homepage. +<sect2>ULOG target reference +<p> +<descrip> +<tag>--ulog-nlgroup N</tag> +The number of the netlink multicast group to which ULOG'ed packets are sent. +You will have to use the same group number in the ULOG target and ulogd in +order to make logging work. +<tag>--ulog-cprange N</tag> +Copyrange. This works like the 'snaplen' parameter of tcpdump. You can specify +a number of bytes up to which the packet is copied. If you say '40', you will +receive the first fourty bytes of every packet. Leave it to <tt>0</tt> +<tag>--ulog-qthreshold N</tag> +Queue threshold. If a packet is matched by the iptables rule, and already N +packets are in the queue, the queue is flushed to userspace. You can use this +to implement a policy like: Use a big queue in order to gain high performance, +but still have certain packets logged immediately to userspace. +<tag>--ulog-prefix STRING</tag> +A string that is associated with every packet logged by this rule. You can use +this option to later tell from which rule the packet was logged. +</descrip> + +<sect2>ipt_ULOG module parameters +<p> +The ipt_ULOG kernel module has a couple of module loadtime parameters which can +(and should) be tuned to accomodate the needs of the application: +<descrip> +<tag>nlbufsiz N</tag> +Netlink buffer size. A buffer of the specified size N is allocated for every +netlink group that is used. Please note that due to restrictions of the kernel +memory allocator, we cannot have a buffer size > 128kBytes. Larger buffer +sizes increase the performance, since less kernel/userspace context switches +are needed for the same amount of packets. The backside of this performance +gain is a potentially larger delay. The default value is 4096 bytes, which is +quite small. +<tag>flushtimeout N</tag> +The flushtimeout determines, after how many clock ticks (on alpha: 1ms, on +x86 and most other platforms: 10ms time units) the buffer/queue is to be +flushed, even if it is not full. This can be used to have the advantage of a +large buffer, but still a finite maximum delay introduced. The default value +is set to 10 seconds. +</descrip> +Example: +<tscreen><verb> +modprobe ipt_ULOG nlbufsiz=65535 flushtimeout=100 +</verb></tscreen> +This would use a buffer size of 64k and a flushtimeout of 100 clockticks (1 second on x86). + +<sect1>ulogd +<p> +ulogd is what this is all about, so let's describe it's configuration... +<sect2>ulogd configfile syntax reference +<p> +All configurable parameters of ulogd are in the configfile, typically located +at '/etc/ulogd.conf'. +<p> +The following configuration parameters are available: +<descrip> +<tag>nlgroup</tag> +The netlink multicast group, which ulgogd should bind to. This is the same as +given with the '--ulog-nlgroup' option to iptables. +<tag>logfile</tag> +The main logfile, where ulogd reports any errors, warnings and other unexpected conditions. Apart from a regular filename, the following special values can be used; ``syslog'' to log via the unix syslog(3) mechanism. ``stdout'' to log to stdout. +<tag>loglevel</tag> +This specifies, how verbose the logging to logfile is. Currently defined +loglevels are: 1=debug information, 3=informational messages, 5=noticable +exceptional conditions, 7=error conditions, 8=fatal errors, program abort. +<tag>plugin</tag> +This option is followed by a filename of a ulogd plugin, which ulogd shold load +upon initialization. This option may appear more than once. +<tag>rmem</tag> +Size of the netlink socket receive memory. You should set this to at least the +size of the kernel buffer (nlbufsiz parameter of the ipt_ULOG module). Please +note that there is a maximum limit in /proc/sys/net/core/rmem_max which you +cannot exceed by increasing the ``rmem'' parameter. You may need to raise the +system-wide maximum limit before. +<tag>bufsize</tag> +Size of the receive buffer. You should set this to at least the socket receive buffer (rmem). +</descrip> +<sect2>ulogd commandline option reference +<p> +Apart from the configfile, there are a couple of commandline options to ulogd: +<descrip> +<tag>-h --help</tag> +Print a help message about the commandline options. +<tag>-V --version</tag> +Print version information about ulogd. +<tag>-d --daemon</tag> +For off into daemon mode. Unless you are debugging, you will want to use this +most of the time. +<tag>-c --configfile</tag> +Using this commandline option, an alternate config file can be used. This is +important if multiple instances of ulogd are to be run on a single machine. +</descrip> + +<sect>Available plugins +<p> +It is important to understand that ulogd without plugins does nothing. It will receive packets, and do nothing with them. +<p> +There are two kinds of plugins, interpreter and output plugins. Interpreter +plugins parse the packet, output plugins write the interpreted information to +some logfile/database/... + +<sect1>Interpreter plugins +<p> +ulogd comes with the following interpreter plugins: +<sect2>ulogd_BASE.so +<p> +Basic interpreter plugin for nfmark, timestamp, mac address, ip header, tcp +header, udp header, icmp header, ah/esp header... Most people will want to load +this very important plugin. +<sect2>ulogd_PWSNIFF.so +<p> +Example interpreter plugin to log plaintext passwords as used with FTP and +POP3. Don't blame me for writing this plugin! The protocols are inherently +insecure, and there are a lot of other tools for sniffing passwords... it's +just an example. +<sect2>ulogd_LOCAL.so +<p> +This is a 'virtual interpreter'. It doesn't really return any information on +the packet itself, rather the local system time and hostname. Please note that +the time is the time at the time of logging, not the packets receive time. + +<sect1>Output plugins +<p> +ulogd comes with the following output plugins: + +<sect2>ulogd_OPRINT.so +<p> +A very simple output module, dumping all packets in the format +<tscreen><verb> +===>PACKET BOUNDARY +key=value +key=value +... +===>PACKET BOUNDARY +... +</verb></tscreen> +to a file. The only useful application is debugging. +<p>The module defines the following configuration directives: +<descrip> +<tag>dumpfile</tag> +The filename where it should log to. The default is +<tt>/var/log/ulogd.pktlog</tt> +</descrip> + +<sect2>ulogd_LOGEMU.so +<p> +An output module which tries to emulate the old syslog-based LOG targed as far +as possible. Logging is done to a seperate textfile instead of syslog, though. +<p> +The module defines the following configuration directives: +<descrip> +<tag>file</tag>The filename where it should log to. The default is +<tt>/var/log/ulogd.syslogemu</tt> +<tag>sync</tag>Set this to 1 if you want to have your logfile written +synchronously. This may reduce performance, but makes your log-lines appear +immediately. The default is <tt>0</tt> +</descrip> + +<sect2>ulogd_MYSQL.so +<p> +An output plugin for logging into a mysql database. This is only compiled if +you have the mysql libraries installed, and the configure script was able to +detect them. (that is: --with-mysql was specified for ./configure) + +<p> +The plugin automagically inserts the data into the configured table; It +connects to mysql during the startup phase of ulogd and obtains a list of the +columns in the table. Then it tries to resolve the column names against keys of +interpreter plugins. This way you can easily select which information you want +to log - just by the layout of the table. + +<p> +If, for example, your table contains a field called 'ip_saddr', ulogd will +resolve this against the key 'ip.saddr' and put the ip address as 32bit +unsigned integer into the table. + +<p> +You may want to have a look at the file '<tt>doc/mysql.table</tt>' as an +example table including fields to log all keys from ulogd_BASE.so. Just delete +the fields you are not interested in, and create the table. + +<p> +The module defines the following configuration directives: +<descrip> +<tag>table</tag> +Name of the table to which ulogd should log. +<tag>ldb</tag> +Name of the mysql database. +<tag>host</tag> +Name of the mysql database host. +<tag>port</tag> +TCP port number of mysql database server. +<tag>user</tag> +Name of the mysql user. +<tag>pass</tag> +Password for mysql. +</descrip> + +<sect2>ulogd_PGSQL.so +<p> +An output plugin for logging into a postgresql database. This is only compiled +if you have the mysql libraries installed, and the configure script was able to +detect them. (that is: --with-pgsql was specified for ./configure) + +<p> +The plugin automagically inserts the data into the configured table; It +connects to pgsql during the startup phase of ulogd and obtains a list of the +columns in the table. Then it tries to resolve the column names against keys of +interpreter plugins. This way you can easily select which information you want +to log - just by the layout of the table. + +<p> +If, for example, your table contains a field called 'ip_saddr', ulogd will +resolve this against the key 'ip.saddr' and put the ip address as 32bit +unsigned integer into the table. + +<p> +You may want to have a look at the file '<tt>doc/mysql.table</tt>' as an +example table including fields to log all keys from ulogd_BASE.so. Just delete +the fields you are not interested in, and create the table. + +<p> +The module defines the following configuration directives: +<descrip> +<tag>table</tag> +Name of the table to which ulogd should log. +<tag>db</tag> +Name of the database. +<tag>host</tag> +Name of the mysql database host. +<tag>port</tag> +TCP port number of database server. +<tag>user</tag> +Name of the sql user. +<tag>pass</tag> +Password for sql user. +</descrip> + +<sect2>ulogd_PCAP.so +<p> +An output plugin that can be used to generate libpcap-style packet logfiles. +This can be useful for later analysing the packet log with tools like tcpdump +or ethereal. + +The module defines the following configuration directives: +<descrip> +<tag>file</tag> +The filename where it should log to. The default is: +<tt>/var/log/ulogd.pcap</tt> +<tag>sync</tag> +Set this to <tt>1</tt> if you want to have your pcap logfile written +synchronously. This may reduce performance, but makes your packets appear +immediately in the file on disk. The default is <tt>0</tt> +</descrip> + +<sect2>ulogd_SQLITE3.so +<p> +An output plugin for logging into a SQLITE v3 database. This is only compiled +if you have the sqlite libraries installed, and the configure script was able to +detect them. (that is: --with-sqlite3 was specified for ./configure) + +<p> +The plugin automagically inserts the data into the configured table; It +opens the sqlite db during the startup phase of ulogd and obtains a list of the +columns in the table. Then it tries to resolve the column names against keys of +interpreter plugins. This way you can easily select which information you want +to log - just by the layout of the table. + +<p> +If, for example, your table contains a field called 'ip_saddr', ulogd will +resolve this against the key 'ip.saddr' and put the ip address as 32bit +unsigned integer into the table. + +<p> +You may want to have a look at the file '<tt>doc/sqlite3.table</tt>' as an +example table including fields to log all keys from ulogd_BASE.so. Just delete +the fields you are not interested in, and create the table. + +<p> +The module defines the following configuration directives: +<descrip> +<tag>table</tag> +Name of the table to which ulogd should log. +<tag>db</tag> +Name of the database. +<tag>buffer</tag> +Size of the sqlite buffer. +</descrip> +</sect2> + +<sect2>ulogd_SYSLOG.so +<p> +An output plugin that really logs via syslogd. Lines will look exactly like printed with traditional LOG target. + +<p> +The module defines the following configuration directives: +<descrip> +<tag>facility</tag> +The syslog facility (LOG_DAEMON, LOG_KERN, LOG_LOCAL0 .. LOG_LOCAL7, LOG_USER) +<tag>level</tag> +The syslog level (LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, LOG_DEBUG) +</descrip> +</sect2> + +<sect> QUESTIONS / COMMENTS +<p> +All comments / questions / ... are appreciated. +<p> +Just drop me a note to laforge@gnumonks.org +<p> +Please note also that there is now a mailinglist, ulogd@lists.gnumonks.org. +You can subscribe at +<URL URL="http://lists.gnumonks.org/mailman/listinfo/ulogd/">. +<p> +The preferred method for reporting bugs is the netfilter bugzilla system, +available at <URL URL="http://bugzilla.netfilter.org/">. + +</article> |