From 835110044bd970518e10b28348ce6619818ce363 Mon Sep 17 00:00:00 2001
From: Patrick McHardy
Date: Sun, 18 May 2008 18:35:35 +0200
Subject: Remove obsolete patches and files and move ulogd to repository
top-level directory
---
ulogd/doc/Makefile.in | 51 ----
ulogd/doc/mysql.table | 55 ----
ulogd/doc/mysql.table.ipaddr-as-string | 58 -----
ulogd/doc/pgsql.table | 81 ------
ulogd/doc/sqlite3.table | 22 --
ulogd/doc/ulogd.html | 421 -------------------------------
ulogd/doc/ulogd.sgml | 449 ---------------------------------
7 files changed, 1137 deletions(-)
delete mode 100644 ulogd/doc/Makefile.in
delete mode 100644 ulogd/doc/mysql.table
delete mode 100644 ulogd/doc/mysql.table.ipaddr-as-string
delete mode 100644 ulogd/doc/pgsql.table
delete mode 100644 ulogd/doc/sqlite3.table
delete mode 100644 ulogd/doc/ulogd.html
delete mode 100644 ulogd/doc/ulogd.sgml
(limited to 'ulogd/doc')
diff --git a/ulogd/doc/Makefile.in b/ulogd/doc/Makefile.in
deleted file mode 100644
index e6c71a9..0000000
--- a/ulogd/doc/Makefile.in
+++ /dev/null
@@ -1,51 +0,0 @@
-#! /usr/bin/make
-# this file is shamelessly stolen from the iptables CVS tree
-
-LANG_DIRS:=
-
-HOWTOS:=$(wildcard *.sgml)
-HOWTOS+=$(foreach dir, $(LANG_DIRS), $(wildcard $(dir)/*.sgml))
-
-TXT_HOWTOS:=$(HOWTOS:.sgml=.txt)
-HTML_HOWTOS:=$(HOWTOS:.sgml=.html)
-PSA4_HOWTOS:=$(HOWTOS:.sgml=.a4.ps)
-PSUS_HOWTOS:=$(HOWTOS:.sgml=.letter.ps)
-
-HOWTO_FLAGS_it/=-c latin -l it
-HOWTO_FLAGS_fr/=-c latin -l fr
-
-user_calls_make:
-
-distrib: $(TXT_HOWTOS) $(PSA4_HOWTOS) $(HTML_HOWTOS)
-
-HOWTOs: $(TXT_HOWTOS) $(HTML_HOWTOS) $(PSA4_HOWTOS) $(PSUS_HOWTOS)
-
-# Remake all if Makefile changes.
-$(TXT_HOWTOS) $(HTML_HOWTOS) $(PSA4_HOWTOS) $(PSUS_HOWTOS): Makefile
-
-# Stupid sgml2* tools strip dirnames for output files. 8(
-%.txt: %.sgml
- @echo Making $@: && cd `dirname $<` && sgml2txt --filter $(HOWTO_FLAGS_$(dir $<)) `basename $<` 2>&1 | sed "s?^:\([0-9]*\):[^ ]* ?$<:\1:?"
-
-%.a4.dvi: %.sgml
- @echo Making $@: && cd `dirname $<` && sgml2latex --papersize=a4 --output=dvi $(HOWTO_FLAGS_$(dir $<)) `basename $<` 2>&1 | sed "s?^:\([0-9]*\):[^ ]* ?$<:\1:?" && mv `basename $*.dvi` `basename $*.a4.dvi`
-
-%.a4.ps: %.a4.dvi
- @dvips -t a4 -o $@ $<
-
-%.letter.dvi: %.sgml
- @echo Making $@: && cd `dirname $<` && sgml2latex --papersize=letter --output=dvi $(HOWTO_FLAGS_$(dir $<)) `basename $<` 2>&1 | sed "s?^:\([0-9]*\):[^ ]* ?$<:\1:?" && mv `basename $*.dvi` `basename $*.letter.dvi`
-
-%.letter.ps: %.letter.dvi
- @dvips -t letter -o $@ $<
-
-%.html: %.sgml
- @echo Making $@: && cd `dirname $<` && sgml2html -s 0 $(HOWTO_FLAGS_$(dir $<)) `basename $<` 2>&1 | sed "s?^:\([0-9]*\):[^ ]* ?$<:\1:?"
-
-clean:
-# for d in . $(LANG_DIRS); do rm -f $$d/*.html $$d/*.ps $$d/*.aux $$d/*.log $$d/*.txt $$d/*~; done
-
-distclean:
- rm -f Makefile
-
-install:
diff --git a/ulogd/doc/mysql.table b/ulogd/doc/mysql.table
deleted file mode 100644
index bdfee71..0000000
--- a/ulogd/doc/mysql.table
+++ /dev/null
@@ -1,55 +0,0 @@
-CREATE TABLE ulog ( id INT UNSIGNED AUTO_INCREMENT UNIQUE,
-
- raw_mac VARCHAR(80),
-
- oob_time_sec INT UNSIGNED,
- oob_time_usec INT UNSIGNED,
- oob_prefix VARCHAR(32),
- oob_mark INT UNSIGNED,
- oob_in VARCHAR(32),
- oob_out VARCHAR(32),
-
- ip_saddr INT UNSIGNED,
- ip_daddr INT UNSIGNED,
- ip_protocol TINYINT UNSIGNED,
- ip_tos TINYINT UNSIGNED,
- ip_ttl TINYINT UNSIGNED,
- ip_totlen SMALLINT UNSIGNED,
- ip_ihl TINYINT UNSIGNED,
- ip_csum SMALLINT UNSIGNED,
- ip_id SMALLINT UNSIGNED,
- ip_fragoff SMALLINT UNSIGNED,
-
- tcp_sport SMALLINT UNSIGNED,
- tcp_dport SMALLINT UNSIGNED,
- tcp_seq INT UNSIGNED,
- tcp_ackseq INT UNSIGNED,
- tcp_window SMALLINT UNSIGNED,
- tcp_urg TINYINT,
- tcp_urgp SMALLINT UNSIGNED,
- tcp_ack TINYINT,
- tcp_psh TINYINT,
- tcp_rst TINYINT,
- tcp_syn TINYINT,
- tcp_fin TINYINT,
-
- udp_sport SMALLINT UNSIGNED,
- udp_dport SMALLINT UNSIGNED,
- udp_len SMALLINT UNSIGNED,
-
- icmp_type TINYINT UNSIGNED,
- icmp_code TINYINT UNSIGNED,
- icmp_echoid SMALLINT UNSIGNED,
- icmp_echoseq SMALLINT UNSIGNED,
- icmp_gateway INT UNSIGNED,
- icmp_fragmtu SMALLINT UNSIGNED,
-
- pwsniff_user VARCHAR(30),
- pwsniff_pass VARCHAR(30),
-
- ahesp_spi INT UNSIGNED,
-
- KEY index_id (id)
- );
-
-
diff --git a/ulogd/doc/mysql.table.ipaddr-as-string b/ulogd/doc/mysql.table.ipaddr-as-string
deleted file mode 100644
index 4a9cecc..0000000
--- a/ulogd/doc/mysql.table.ipaddr-as-string
+++ /dev/null
@@ -1,58 +0,0 @@
-# MySQL dump 7.1
-#
-# Host: localhost Database: ulogd
-#--------------------------------------------------------
-# Server version 3.22.32
-
-# This table is intended for use with older MySQL-Servers and
-# the --with-mysql-log-ip-as-string feature. It will not work
-# without that feature.
-#
-# Table structure for table 'ulog'
-#
-CREATE TABLE ulog (
- id int(10) unsigned NOT NULL auto_increment,
- raw_mac varchar(80),
- oob_time_sec int(10) unsigned,
- oob_time_usec int(10) unsigned,
- oob_prefix varchar(32),
- oob_mark int(10) unsigned,
- oob_in varchar(32),
- oob_out varchar(32),
- ip_saddr varchar(16),
- ip_daddr varchar(16),
- ip_protocol tinyint(3) unsigned,
- ip_tos tinyint(3) unsigned,
- ip_ttl tinyint(3) unsigned,
- ip_totlen smallint(5) unsigned,
- ip_ihl tinyint(3) unsigned,
- ip_csum smallint(5) unsigned,
- ip_id smallint(5) unsigned,
- ip_fragoff smallint(5) unsigned,
- tcp_sport smallint(5) unsigned,
- tcp_dport smallint(5) unsigned,
- tcp_seq int(10) unsigned,
- tcp_ackseq int(10) unsigned,
- tcp_window smallint(5) unsigned,
- tcp_urg tinyint(4),
- tcp_urgp smallint(5) unsigned,
- tcp_ack tinyint(4),
- tcp_psh tinyint(4),
- tcp_rst tinyint(4),
- tcp_syn tinyint(4),
- tcp_fin tinyint(4),
- udp_sport smallint(5) unsigned,
- udp_dport smallint(5) unsigned,
- udp_len smallint(5) unsigned,
- icmp_type tinyint(3) unsigned,
- icmp_code tinyint(3) unsigned,
- icmp_echoid smallint(5) unsigned,
- icmp_echoseq smallint(5) unsigned,
- icmp_gateway int(10) unsigned,
- icmp_fragmtu smallint(5) unsigned,
- pwsniff_user varchar(30),
- pwsniff_pass varchar(30),
- ahesp_spi int(10) unsigned,
- PRIMARY KEY (id)
-);
-
diff --git a/ulogd/doc/pgsql.table b/ulogd/doc/pgsql.table
deleted file mode 100644
index 193f747..0000000
--- a/ulogd/doc/pgsql.table
+++ /dev/null
@@ -1,81 +0,0 @@
-/* ulogd.pgsql.table, Version 0.1
- *
- * sample of a postgres table for ulogd
- *
- * All columns except "id" are optional! Comment all unwanted
- * columns out, e.g. by prefixing them with '--'
- *
- * "raw_pkt" is not supported by ulogd_PGSQL
- */
-
-CREATE SEQUENCE "seq_ulog";
-
-CREATE TABLE "ulog" (
- "id" integer DEFAULT nextval('seq_ulog') NOT NULL,
-
- "oob_prefix" character varying(32),
- "oob_time_sec" integer,
- "oob_time_usec" integer,
- "oob_mark" bigint,
- "oob_in" character varying(32),
- "oob_out" character varying(32),
-
- "raw_mac" character varying(80),
- "raw_pktlen" bigint,
-
- "ip_ihl" smallint,
- "ip_tos" smallint,
- "ip_totlen" integer,
- "ip_id" integer,
- "ip_fragoff" integer,
- "ip_ttl" smallint,
- "ip_protocol" smallint,
- "ip_csum" integer,
-
-/* log IPs as unsigned int32 (default) */
- "ip_saddr" bigint,
- "ip_daddr" bigint,
-
-/* log IPs as string (--with-pgsql-log-ip-as-string) */
--- "ip_saddr" character varying(40),
--- "ip_daddr" character varying(40),
-
-/* log IPs as inet (--with-pgsql-log-ip-as-string) */
--- "ip_saddr" inet,
--- "ip_daddr" inet,
-
-
- "tcp_sport" integer,
- "tcp_dport" integer,
- "tcp_seq" bigint,
- "tcp_ackseq" bigint,
- "tcp_urg" boolean,
- "tcp_ack" boolean,
- "tcp_psh" boolean,
- "tcp_rst" boolean,
- "tcp_syn" boolean,
- "tcp_fin" boolean,
- "tcp_window" integer,
- "tcp_urgp" integer,
-
- "udp_sport" integer,
- "udp_dport" integer,
- "udp_len" integer,
-
- "icmp_type" smallint,
- "icmp_code" smallint,
- "icmp_echoid" integer,
- "icmp_echoseq" integer,
- "icmp_gateway" bigint,
- "icmp_fragmtu" integer,
-
- "pwsniff_user" character varying(30),
- "pwsniff_pass" character varying(30),
-
- "ahesp_spi" smallint,
-
- "local_time" bigint,
- "local_hostname" character varying(40)
-);
-
-
diff --git a/ulogd/doc/sqlite3.table b/ulogd/doc/sqlite3.table
deleted file mode 100644
index 7b5e99a..0000000
--- a/ulogd/doc/sqlite3.table
+++ /dev/null
@@ -1,22 +0,0 @@
-CREATE TABLE ulog (
- raw_mac VARCHAR(80),
- oob_time_sec INT UNSIGNED,
- oob_time_usec INT UNSIGNED,
- ip_saddr INT UNSIGNED,
- ip_daddr INT UNSIGNED,
- ip_protocol TINYINT UNSIGNED,
- ip_totlen SMALLINT UNSIGNED,
- tcp_sport SMALLINT UNSIGNED,
- tcp_dport SMALLINT UNSIGNED,
- udp_sport SMALLINT UNSIGNED,
- udp_dport SMALLINT UNSIGNED,
- udp_len SMALLINT UNSIGNED,
- icmp_type TINYINT UNSIGNED,
- icmp_code TINYINT UNSIGNED,
- icmp_echoid SMALLINT UNSIGNED,
- icmp_echoseq SMALLINT UNSIGNED,
- icmp_gateway INT UNSIGNED,
- icmp_fragmtu SMALLINT UNSIGNED
- );
-
-
diff --git a/ulogd/doc/ulogd.html b/ulogd/doc/ulogd.html
deleted file mode 100644
index 8bf7fed..0000000
--- a/ulogd/doc/ulogd.html
+++ /dev/null
@@ -1,421 +0,0 @@
-
-
-
-
- ULOGD - the Userspace Logging Daemon
-
-
-ULOGD - the Userspace Logging Daemon
-
-Harald Welte <laforge@gnumonks.org>
Revision $Revision: 803 $, $Date: 2005-04-18 16:21:17 +0200 (Mon, 18 Apr 2005) $
-
-This is the documentation for ulogd
, the Userspace logging daemon.
-ulogd makes use of the Linux >= 2.4.x packet filter subsystem (iptables) and
-the ULOG target for iptables.
-
-
-
-
-
-I want to provide a flexible, almost universal logging daemon for my netfilter
-ULOG target. It is not optimized in any way, the goal is to keep as simple as
-possible. These are my thoughts about how the architecture which is most
-capable of doing that:
-
-
-- Interpreter lugins
It should be possible to add plugins / runtime modules for new protocols, etc.
-For example the standard logging daemon provides source-ip, dest-ip,
-source-port, dest-port, etc. Logging for variuos other protocols (GRE,
-IPsec, ...) may be implemented as modules.
-
-- Output plugins
... describe how and where to put the information gained by logging plugins.
-The easiest way is to build a line per packet and fprint it to a file.
-Some people might want to log into a SQL database or want an output
-conforming to the intrusion detection systems communication draft from the
-IETF.
-
-
-
-
-
-
-The major clue is providing a framework which is as flexible as possible.
-Nobody knows what strange network protocols are out there :) Flexibility
-depends on the communication between the output of the logging plugins
-and input of the output plugins.
-Rusty advised me to use some kind of type-key-value triples, which is in fact
-what I implemented.
-One issue is, of course, performance. Up to ulogd 0.3, ulogd did several
-linked list iterations and about 30 malloc() calls _per packet_. This
-changed with the new >= 0.9 revisions:
-
-- Not a single dynamic allocation in the core during runtime.
-Everything is pre-allocated at start of ulogd to provide the highest
-possible throughput.
-- Hash tables in addition to the linked lists. Linked lists are only
-traversed if we really want to access each element of the list.
-
-
-
-
-
-
-
-
-First you will need a recent 2.4.x kernel. If you have a kernel >=
-2.4.18-pre8, it already has the kernel suport for ULOG (ipt_ULOG.o).
-If you have an older kernel version (between 2.4.0 and 2.4.18-pre6), you
-can use the patch-o-matic system of netfilter/iptables, as described in
-the following section.
-
-
-
-You only need to read this chapter if you have a 2.4.x kernel <=
-2.4.18-pre6.
-In order to put the ipt_ULOG module into your kernel source,you need the latest
-iptables package, or even better: the latest CVS snapshot. A description how to
-obtain this is provided on the netfilter
-homepage
-http://www.netfilter.org/.
-To run patch-o-matic, just type
-
-
-make patch-o-matic
-
-
-
-in the userspace directory of netfilter CVS.
-
-
-
-Recompiling the source
-
-Download the ulogd package from
-http://ftp.netfilter.org/pub/ulogd/ and
-untar it.
-If you want to build ulogd with MySQL support, type './configure --with-mysql'. You may also have to specify the path of the mysql libraries using '--with-mysql=path'. To build ulogd without MySQL support, just use './configure'.
-To compile and install the program, call 'make install'.
-
-Using a precompiled package
-
-I also provide a SRPM, which should compile on almost any rpm-based distribution. It is available at
-http://ftp.netfilter.org/pub/ulogd/
-Just download the package and do the usual 'rpm --rebuild <file>'.
-
-
-
-
-
-Quick Setup
-
-Just add rules using the ULOG target to your firewalling chain. A very basic
-example:
-
-
-iptables -A FORWARD -j ULOG --ulog-nlgroup 32 --ulog-prefix foo
-
-
-
-To increase logging performance, try to use the
-
-
---ulog-qthreshold N
-
-
-
-option (where 1 < N <= 50). The number you specify is the amout of packets
-batched together in one multipart netlink message. If you set this to 20, the
-kernel schedules ulogd only once every 20 packets. All 20 packets are then
-processed by ulogd. This reduces the number of context switches between kernel
-and userspace.
-Of course you can combine the ULOG target with the different netfilter match
-modules. For a more detailed description, have a look at the netfilter
-HOWTO's, available on the netfilter homepage.
-ULOG target reference
-
-
-
-- --ulog-nlgroup N
The number of the netlink multicast group to which ULOG'ed packets are sent.
-You will have to use the same group number in the ULOG target and ulogd in
-order to make logging work.
-- --ulog-cprange N
Copyrange. This works like the 'snaplen' paramter of tcpdump. You can specify
-a number of bytes up to which the packet is copied. If you say '40', you will
-receive the first fourty bytes of every packet. Leave it to '0'
-- --ulog-qthreshold N
Queue threshold. If a packet is matched by the iptables rule, and already N
-packets are in the queue, the queue is flushed to userspace. You can use this
-to implement a policy like: Use a big queue in order to gain high performance,
-but still have certain packets logged immediately to userspace.
-- --ulog-prefix STRING
A string that is associated with every packet logged by this rule. You can use
-this option to later tell from which rule the packet was logged.
-
-
-
-ipt_ULOG module parameters
-
-The ipt_ULOG kernel module has a couple of module loadtime parameters which can
-(and should) be tuned to accomodate the needs of the application:
-
-- nlbufsiz N
Netlink buffer size. A buffer of the specified size N is allocated for every
-netlink group that is used. Please note that due to restrictions of the kernel
-memory allocator, we cannot have a buffer size > 128kBytes. Larger buffer
-sizes increase the performance, since less kernel/userspace context switches
-are needed for the same amount of packets. The backside of this performance
-gain is a potentially larger delay. The default value is 4096 bytes, which is
-quite small.
-- flushtimeout N
The flushtimeout determines, after how many clock ticks (on alpha: 1ms, on
-x86 and most other platforms: 10ms time units) the buffer/queue is to be
-flushed, even if it is not full. This can be used to have the advantage of a
-large buffer, but still a finite maximum delay introduced. The default value
-is set to 10 seconds.
-
-
-Example:
-
-
-modprobe ipt_ULOG nlbufsiz=65535 flushtimeout=100
-
-
-
-This would use a buffer size of 64k and a flushtimeout of 100 clockticks (1 second on x86).
-
-
-
-ulogd is what this is all about, so let's describe it's configuration...
-ulogd configfile syntax reference
-
-All configurable parameters of ulogd are in the configfile, typically located
-at '/etc/ulogd.conf'.
-The following configuration parameters are available:
-
-- nlgroup
The netlink multicast group, which ulgogd should bind to. This is the same as
-given with the '--ulog-nlgroup' option to iptables.
-- logfile
The main logfile, where ulogd reports any errors, warnings and other unexpected conditions. Apart from a regular filename, the following special values can be used; ``syslog'' to log via the unix syslog(3) mechanism. ``stdout'' to log to stdout.
-- loglevel
This specifies, how verbose the logging to logfile is. Currently defined
-loglevels are: 1=debug information, 3=informational messages, 5=noticable
-exceptional conditions, 7=error conditions, 8=fatal errors, program abort.
-- plugin
This option is followed by a filename of a ulogd plugin, which ulogd shold load
-upon initialization. This option may appear more than once.
-- rmem
Size of the netlink socket receive memory. You should set this to at least the
-size of the kernel buffer (nlbufsiz parameter of the ipt_ULOG module). Please
-note that there is a maximum limit in /proc/sys/net/core/rmem_max which you
-cannot exceed by increasing the ``rmem'' parameter. You may need to raise the
-system-wide maximum limit before.
-- bufsize
Size of the receive buffer. You should set this to at least the socket receive buffer (rmem).
-
-
-ulogd commandline option reference
-
-Apart from the configfile, there are a couple of commandline options to ulogd:
-
-- -h --help
Print a help message about the commandline options.
-- -V --version
Print version information about ulogd.
-- -d --daemon
For off into daemon mode. Unless you are debugging, you will want to use this
-most of the time.
-- -c --configfile
Using this commandline option, an alternate config file can be used. This is
-important if multiple instances of ulogd are to be run on a single machine.
-
-
-
-
-
-It is important to understand that ulogd without plugins does nothing. It will receive packets, and do nothing with them.
-There are two kinds of plugins, interpreter and output plugins. Interpreter
-plugins parse the packet, output plugin write the interpreted information to
-some logfile/database/...
-
-
-
-ulogd comes with the following interpreter plugins:
-ulogd_BASE.so
-
-Basic interpreter plugin for nfmark, timestamp, mac address, ip header, tcp
-header, udp header, icmp header, ah/esp header... Most people will want to load
-this very important plugin.
-ulogd_PWSNIFF.so
-
-Example interpreter plugin to log plaintext passwords as used with FTP and
-POP3. Don't blame me for writing this plugin! The protocols are inherently
-insecure, and there are a lot of other tools for sniffing passwords... it's
-just an example.
-ulogd_LOCAL.so
-
-This is a 'virtual interpreter'. It doesn't really return any information on
-the packet itself, rather the local system time and hostname. Please note that
-the time is the time at the time of logging, not the packets receive time.
-
-
-
-ulogd comes with the following output plugins:
-
-ulogd_OPRINT.so
-
-A very simple output module, dumping all packets in the format
-
-
-===>PACKET BOUNDARY
-key=value
-key=value
-...
-===>PACKET BOUNDARY
-...
-
-
-
-to a file. The only useful application is debugging.
-The module defines the following configuration directives:
-
-- dumpfile
The filename where it should log to. The default is
-/var/log/ulogd.pktlog
-
-
-
-ulogd_LOGEMU.so
-
-An output module which tries to emulate the old syslog-based LOG targed as far
-as possible. Logging is done to a seperate textfile instead of syslog, though.
-The module defines the following configuration directives:
-
-- file
The filename where it should log to. The default is
-/var/log/ulogd.syslogemu
-- sync
Set this to 1 if you want to have your logfile written
-synchronously. This may reduce performance, but makes your log-lines appear
-immediately. The default is 0
-
-
-
-ulogd_MYSQL.so
-
-An output plugin for logging into a mysql database. This is only compiled if
-you have the mysql libraries installed, and the configure script was able to
-detect them. (that is: --with-mysql was specified for ./configure)
-
-The plugin automagically inserts the data into the configured table; It
-connects to mysql during the startup phase of ulogd and obtains a list of the
-columns in the table. Then it tries to resolve the column names against keys of
-interpreter plugins. This way you can easly select which information you want
-to log - just by the layout of the table.
-
-If, for example, your table contains a field called 'ip_saddr', ulogd will
-resolve this against the key 'ip.saddr' and put the ip address as 32bit
-unsigned integer into the table.
-
-You may want to have a look at the file 'doc/mysql.table
' as an
-example table including fields to log all keys from ulogd_BASE.so. Just delete
-the fields you are not interested in, and create the table.
-
-The module defines the following configuration directives:
-
-- table
Name of the table to which ulogd should log
-- ldb
Name of the mysql database
-- host
Name of the mysql database host
-- port
TCP port number of mysql database server
-- user
Name of the mysql user
-- pass
Password for mysql
-
-
-
-ulogd_PGSQL.so
-
-An output plugin for logging into a postgresql database. This is only compiled
-if you have the mysql libraries installed, and the configure script was able to
-detect them. (that is: --with-pgsql was specified for ./configure)
-
-The plugin automagically inserts the data into the configured table; It
-connects to pgsql during the startup phase of ulogd and obtains a list of the
-columns in the table. Then it tries to resolve the column names against keys of
-interpreter plugins. This way you can easly select which information you want
-to log - just by the layout of the table.
-
-If, for example, your table contains a field called 'ip_saddr', ulogd will
-resolve this against the key 'ip.saddr' and put the ip address as 32bit
-unsigned integer into the table.
-
-You may want to have a look at the file 'doc/mysql.table
' as an
-example table including fields to log all keys from ulogd_BASE.so. Just delete
-the fields you are not interested in, and create the table.
-
-The module defines the following configuration directives:
-
-- table
Name of the table to which ulogd should log
-- db
Name of the database
-- host
Name of the mysql database host
-- port
TCP port number of database server
-- user
Name of the sql user
-- pass
Password for sql user
-
-
-
-ulogd_PCAP.so
-
-An output plugin that can be used to generate libpcap-style packet logfiles.
-This can be useful for later analysing the packet log with tools like tcpdump
-or ethereal.
-The module defines the following configuration directives:
-
-- file
The filename where it should log to. The default is:
-/var/log/ulogd.pcap
-- sync
Set this to 1
if you want to have your pcap logfile written
-synchronously. This may reduce performance, but makes your packets appear
-immediately in the file on disk. The default is 0
-
-
-
-ulogd_SQLITE3.so
-
-An output plugin for logging into a SQLITE v3 database. This is only compiled
-if you have the sqlite libraries installed, and the configure script was able to
-detect them. (that is: --with-sqlite3 was specified for ./configure)
-
-The plugin automagically inserts the data into the configured table; It
-opens the sqlite db during the startup phase of ulogd and obtains a list of the
-columns in the table. Then it tries to resolve the column names against keys of
-interpreter plugins. This way you can easly select which information you want
-to log - just by the layout of the table.
-
-If, for example, your table contains a field called 'ip_saddr', ulogd will
-resolve this against the key 'ip.saddr' and put the ip address as 32bit
-unsigned integer into the table.
-
-You may want to have a look at the file 'doc/sqlite3.table
' as an
-example table including fields to log all keys from ulogd_BASE.so. Just delete
-the fields you are not interested in, and create the table.
-
-The module defines the following configuration directives:
-
-- table
Name of the table to which ulogd should log
-- db
Name of the database
-- buffer
Size of the sqlite buffer
-
-
-ulogd_SYSLOG.so
-
-An output plugin that really logs via syslogd. Lines will look exactly like printed with traditional LOG target.
-The module defines the following configuration directives:
-
-- facility
The syslog facility (LOG_DAEMON, LOG_KERN, LOG_LOCAL0 .. LOG_LOCAL7, LOG_USER)
-- level
The syslog level (LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, LOG_DEBUG)
-
-
-
-
-All comments / questions / ... are appreciated.
-Just drop me a note to laforge@gnumonks.org
-Please note also that there is now a mailinglist, ulogd@lists.gnumonks.org.
-You can subscribe at
-http://lists.gnumonks.org/mailman/listinfo/ulogd/
-
-The preferred method for reporting bugs is the netfilter bugzilla system,
-available at
-http://bugzilla.netfilter.org/.
-
-
-
diff --git a/ulogd/doc/ulogd.sgml b/ulogd/doc/ulogd.sgml
deleted file mode 100644
index c019c63..0000000
--- a/ulogd/doc/ulogd.sgml
+++ /dev/null
@@ -1,449 +0,0 @@
-
-
-
-
-
-
-ULOGD - the Userspace Logging Daemon
-Harald Welte <laforge@gnumonks.org>
-Revision $Revision$, $Date$
-
-
-This is the documentation for ulogd, the Userspace logging daemon.
-ulogd makes use of the Linux >= 2.4.x packet filter subsystem (iptables) and
-the ULOG target for iptables.
-
-
-
-
-DESIGN
-
-CONCEPT
-
-I want to provide a flexible, almost universal logging daemon for my netfilter
-ULOG target. It is not optimized in any way, the goal is to keep as simple as
-possible. These are my thoughts about how the architecture which is most
-capable of doing that:
-
-
-Interpreter plugins
-It should be possible to add plugins / runtime modules for new protocols, etc.
-For example the standard logging daemon provides source-ip, dest-ip,
-source-port, dest-port, etc. Logging for various other protocols (GRE,
-IPsec, ...) may be implemented as modules.
-
-Output plugins
-... describe how and where to put the information gained by logging plugins.
-The easiest way is to build a line per packet and fprint it to a file.
-Some people might want to log into a SQL database or want an output
-conforming to the intrusion detection systems communication draft from the
-IETF.
-
-
-
-DETAILS
-
-The major clue is providing a framework which is as flexible as possible.
-Nobody knows what strange network protocols are out there :) Flexibility
-depends on the communication between the output of the logging plugins
-and input of the output plugins.
-
-Rusty advised me to use some kind of type-key-value triples, which is in fact
-what I implemented.
-
-One issue is, of course, performance. Up to ulogd 0.3, ulogd did several
-linked list iterations and about 30 malloc() calls _per packet_. This
-changed with the new >= 0.9 revisions:
-
-- Not a single dynamic allocation in the core during runtime.
-Everything is pre-allocated at start of ulogd to provide the highest
-possible throughput.
-
- Hash tables in addition to the linked lists. Linked lists are only
-traversed if we really want to access each element of the list.
-
-
-INSTALLATION
-
-Linux kernel
-
-First you will need a recent 2.4.x kernel. If you have a kernel >=
-2.4.18-pre8, it already has the kernel support for ULOG (ipt_ULOG.o).
-
-If you have an older kernel version (between 2.4.0 and 2.4.18-pre6), you
-can use the patch-o-matic system of netfilter/iptables, as described in
-the following section.
-
-ipt_ULOG from netfilter/iptables patch-o-matic
-
-You only need to read this chapter if you have a 2.4.x kernel <=
-2.4.18-pre6.
-
-In order to put the ipt_ULOG module into your kernel source,you need the latest
-iptables package, or even better: the latest CVS snapshot. A description how to
-obtain this is provided on the netfilter
-homepage .
-
-To run patch-o-matic, just type
-
-make patch-o-matic
-
-in the userspace directory of netfilter CVS.
-
-ulogd
-Recompiling the source
-
-Download the ulogd package from and
-untar it.
-
-If you want to build ulogd with MySQL support, type './configure --with-mysql'. You may also have to specify the path of the mysql libraries using '--with-mysql=path'. To build ulogd without MySQL support, just use './configure'.
-
-To compile and install the program, call 'make install'.
-
-Using a precompiled package
-
-I also provide a SRPM, which should compile on almost any rpm-based distribution. It is available at
-
-Just download the package and do the usual 'rpm --rebuild <file>'.
-
-Configuration
-iptables ULOG target
-Quick Setup
-
-Just add rules using the ULOG target to your firewalling chain. A very basic
-example:
-
-iptables -A FORWARD -j ULOG --ulog-nlgroup 32 --ulog-prefix foo
-
-
-To increase logging performance, try to use the
-
---ulog-qthreshold N
-
-option (where 1 < N <= 50). The number you specify is the amount of packets
-batched together in one multipart netlink message. If you set this to 20, the
-kernel schedules ulogd only once every 20 packets. All 20 packets are then
-processed by ulogd. This reduces the number of context switches between kernel
-and userspace.
-
-Of course you can combine the ULOG target with the different netfilter match
-modules. For a more detailed description, have a look at the netfilter
-HOWTO's, available on the netfilter homepage.
-ULOG target reference
-
-
---ulog-nlgroup N
-The number of the netlink multicast group to which ULOG'ed packets are sent.
-You will have to use the same group number in the ULOG target and ulogd in
-order to make logging work.
---ulog-cprange N
-Copyrange. This works like the 'snaplen' parameter of tcpdump. You can specify
-a number of bytes up to which the packet is copied. If you say '40', you will
-receive the first fourty bytes of every packet. Leave it to 0
---ulog-qthreshold N
-Queue threshold. If a packet is matched by the iptables rule, and already N
-packets are in the queue, the queue is flushed to userspace. You can use this
-to implement a policy like: Use a big queue in order to gain high performance,
-but still have certain packets logged immediately to userspace.
---ulog-prefix STRING
-A string that is associated with every packet logged by this rule. You can use
-this option to later tell from which rule the packet was logged.
-
-
-ipt_ULOG module parameters
-
-The ipt_ULOG kernel module has a couple of module loadtime parameters which can
-(and should) be tuned to accomodate the needs of the application:
-
-nlbufsiz N
-Netlink buffer size. A buffer of the specified size N is allocated for every
-netlink group that is used. Please note that due to restrictions of the kernel
-memory allocator, we cannot have a buffer size > 128kBytes. Larger buffer
-sizes increase the performance, since less kernel/userspace context switches
-are needed for the same amount of packets. The backside of this performance
-gain is a potentially larger delay. The default value is 4096 bytes, which is
-quite small.
-flushtimeout N
-The flushtimeout determines, after how many clock ticks (on alpha: 1ms, on
-x86 and most other platforms: 10ms time units) the buffer/queue is to be
-flushed, even if it is not full. This can be used to have the advantage of a
-large buffer, but still a finite maximum delay introduced. The default value
-is set to 10 seconds.
-
-Example:
-
-modprobe ipt_ULOG nlbufsiz=65535 flushtimeout=100
-
-This would use a buffer size of 64k and a flushtimeout of 100 clockticks (1 second on x86).
-
-ulogd
-
-ulogd is what this is all about, so let's describe it's configuration...
-ulogd configfile syntax reference
-
-All configurable parameters of ulogd are in the configfile, typically located
-at '/etc/ulogd.conf'.
-
-The following configuration parameters are available:
-
-nlgroup
-The netlink multicast group, which ulgogd should bind to. This is the same as
-given with the '--ulog-nlgroup' option to iptables.
-logfile
-The main logfile, where ulogd reports any errors, warnings and other unexpected conditions. Apart from a regular filename, the following special values can be used; ``syslog'' to log via the unix syslog(3) mechanism. ``stdout'' to log to stdout.
-loglevel
-This specifies, how verbose the logging to logfile is. Currently defined
-loglevels are: 1=debug information, 3=informational messages, 5=noticable
-exceptional conditions, 7=error conditions, 8=fatal errors, program abort.
-plugin
-This option is followed by a filename of a ulogd plugin, which ulogd shold load
-upon initialization. This option may appear more than once.
-rmem
-Size of the netlink socket receive memory. You should set this to at least the
-size of the kernel buffer (nlbufsiz parameter of the ipt_ULOG module). Please
-note that there is a maximum limit in /proc/sys/net/core/rmem_max which you
-cannot exceed by increasing the ``rmem'' parameter. You may need to raise the
-system-wide maximum limit before.
-bufsize
-Size of the receive buffer. You should set this to at least the socket receive buffer (rmem).
-
-ulogd commandline option reference
-
-Apart from the configfile, there are a couple of commandline options to ulogd:
-
--h --help
-Print a help message about the commandline options.
--V --version
-Print version information about ulogd.
--d --daemon
-For off into daemon mode. Unless you are debugging, you will want to use this
-most of the time.
--c --configfile
-Using this commandline option, an alternate config file can be used. This is
-important if multiple instances of ulogd are to be run on a single machine.
-
-
-Available plugins
-
-It is important to understand that ulogd without plugins does nothing. It will receive packets, and do nothing with them.
-
-There are two kinds of plugins, interpreter and output plugins. Interpreter
-plugins parse the packet, output plugins write the interpreted information to
-some logfile/database/...
-
-Interpreter plugins
-
-ulogd comes with the following interpreter plugins:
-ulogd_BASE.so
-
-Basic interpreter plugin for nfmark, timestamp, mac address, ip header, tcp
-header, udp header, icmp header, ah/esp header... Most people will want to load
-this very important plugin.
-ulogd_PWSNIFF.so
-
-Example interpreter plugin to log plaintext passwords as used with FTP and
-POP3. Don't blame me for writing this plugin! The protocols are inherently
-insecure, and there are a lot of other tools for sniffing passwords... it's
-just an example.
-ulogd_LOCAL.so
-
-This is a 'virtual interpreter'. It doesn't really return any information on
-the packet itself, rather the local system time and hostname. Please note that
-the time is the time at the time of logging, not the packets receive time.
-
-Output plugins
-
-ulogd comes with the following output plugins:
-
-ulogd_OPRINT.so
-
-A very simple output module, dumping all packets in the format
-
-===>PACKET BOUNDARY
-key=value
-key=value
-...
-===>PACKET BOUNDARY
-...
-
-to a file. The only useful application is debugging.
-
The module defines the following configuration directives:
-
-dumpfile
-The filename where it should log to. The default is
-/var/log/ulogd.pktlog
-
-
-ulogd_LOGEMU.so
-
-An output module which tries to emulate the old syslog-based LOG targed as far
-as possible. Logging is done to a seperate textfile instead of syslog, though.
-
-The module defines the following configuration directives:
-
-fileThe filename where it should log to. The default is
-/var/log/ulogd.syslogemu
-syncSet this to 1 if you want to have your logfile written
-synchronously. This may reduce performance, but makes your log-lines appear
-immediately. The default is 0
-
-
-ulogd_MYSQL.so
-
-An output plugin for logging into a mysql database. This is only compiled if
-you have the mysql libraries installed, and the configure script was able to
-detect them. (that is: --with-mysql was specified for ./configure)
-
-
-The plugin automagically inserts the data into the configured table; It
-connects to mysql during the startup phase of ulogd and obtains a list of the
-columns in the table. Then it tries to resolve the column names against keys of
-interpreter plugins. This way you can easily select which information you want
-to log - just by the layout of the table.
-
-
-If, for example, your table contains a field called 'ip_saddr', ulogd will
-resolve this against the key 'ip.saddr' and put the ip address as 32bit
-unsigned integer into the table.
-
-
-You may want to have a look at the file 'doc/mysql.table' as an
-example table including fields to log all keys from ulogd_BASE.so. Just delete
-the fields you are not interested in, and create the table.
-
-
-The module defines the following configuration directives:
-
-table
-Name of the table to which ulogd should log.
-ldb
-Name of the mysql database.
-host
-Name of the mysql database host.
-port
-TCP port number of mysql database server.
-user
-Name of the mysql user.
-pass
-Password for mysql.
-
-
-ulogd_PGSQL.so
-
-An output plugin for logging into a postgresql database. This is only compiled
-if you have the mysql libraries installed, and the configure script was able to
-detect them. (that is: --with-pgsql was specified for ./configure)
-
-
-The plugin automagically inserts the data into the configured table; It
-connects to pgsql during the startup phase of ulogd and obtains a list of the
-columns in the table. Then it tries to resolve the column names against keys of
-interpreter plugins. This way you can easily select which information you want
-to log - just by the layout of the table.
-
-
-If, for example, your table contains a field called 'ip_saddr', ulogd will
-resolve this against the key 'ip.saddr' and put the ip address as 32bit
-unsigned integer into the table.
-
-
-You may want to have a look at the file 'doc/mysql.table' as an
-example table including fields to log all keys from ulogd_BASE.so. Just delete
-the fields you are not interested in, and create the table.
-
-
-The module defines the following configuration directives:
-
-table
-Name of the table to which ulogd should log.
-db
-Name of the database.
-host
-Name of the mysql database host.
-port
-TCP port number of database server.
-user
-Name of the sql user.
-pass
-Password for sql user.
-
-
-ulogd_PCAP.so
-
-An output plugin that can be used to generate libpcap-style packet logfiles.
-This can be useful for later analysing the packet log with tools like tcpdump
-or ethereal.
-
-The module defines the following configuration directives:
-
-file
-The filename where it should log to. The default is:
-/var/log/ulogd.pcap
-sync
-Set this to 1 if you want to have your pcap logfile written
-synchronously. This may reduce performance, but makes your packets appear
-immediately in the file on disk. The default is 0
-
-
-ulogd_SQLITE3.so
-
-An output plugin for logging into a SQLITE v3 database. This is only compiled
-if you have the sqlite libraries installed, and the configure script was able to
-detect them. (that is: --with-sqlite3 was specified for ./configure)
-
-
-The plugin automagically inserts the data into the configured table; It
-opens the sqlite db during the startup phase of ulogd and obtains a list of the
-columns in the table. Then it tries to resolve the column names against keys of
-interpreter plugins. This way you can easily select which information you want
-to log - just by the layout of the table.
-
-
-If, for example, your table contains a field called 'ip_saddr', ulogd will
-resolve this against the key 'ip.saddr' and put the ip address as 32bit
-unsigned integer into the table.
-
-
-You may want to have a look at the file 'doc/sqlite3.table' as an
-example table including fields to log all keys from ulogd_BASE.so. Just delete
-the fields you are not interested in, and create the table.
-
-
-The module defines the following configuration directives:
-
-table
-Name of the table to which ulogd should log.
-db
-Name of the database.
-buffer
-Size of the sqlite buffer.
-
-
-
-ulogd_SYSLOG.so
-
-An output plugin that really logs via syslogd. Lines will look exactly like printed with traditional LOG target.
-
-
-The module defines the following configuration directives:
-
-facility
-The syslog facility (LOG_DAEMON, LOG_KERN, LOG_LOCAL0 .. LOG_LOCAL7, LOG_USER)
-level
-The syslog level (LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, LOG_DEBUG)
-
-
-
- QUESTIONS / COMMENTS
-
-All comments / questions / ... are appreciated.
-
-Just drop me a note to laforge@gnumonks.org
-
-Please note also that there is now a mailinglist, ulogd@lists.gnumonks.org.
-You can subscribe at
-.
-
-The preferred method for reporting bugs is the netfilter bugzilla system,
-available at .
-
-
--