===> CONCEPT

I want to write a flexible, almost universal logging daemon for my netfilter
ULOG target. It is not optimized in any way; the goal is to keep it as simple
as possible. These are my thoughts on the architecture most capable of doing that:

1. Interpreter plugins

It should be possible to add plugins / runtime modules for new protocols, etc.
For example, the standard logging daemon provides source-ip, dest-ip,
source-port, dest-port, etc. Logging for various other protocols (GRE,
IPsec, ...) may be implemented as modules.

2. Output plugins
... describe how and where to put the information gathered by the interpreter
plugins. The easiest way is to build one line per packet and fprintf() it to a
file. Some people might want to log into an SQL database, or want output
conforming to the intrusion detection systems communication draft from the
IETF.


===> DETAILS

The main point is to provide a framework which is as flexible as possible.
Nobody knows what strange network protocols are out there :) Flexibility
depends on the interface between the output of the interpreter plugins
and the input of the output plugins.

Rusty advised me to use some kind of type-key-value triples, but I think
this is total overkill and too complicated for me to implement in a
reasonably short period of time. (3 hours later) Hmm... Rusty finally
convinced me to use linked lists of type-key-value triples - and it wasn't
that difficult.
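As an added illustration of the two plugin kinds from the CONCEPT section and
of the linked list of type-key-value triples described here, the following is
a minimal version of that pipeline in C. It is not ulogd's own code, and every
name in it (kv_t, kv_append, ip4_interp, text_output, log_packet, sample_pkt)
is made up for the example; the packet bytes are constructed, not captured.

```c
/* Added illustration, not ulogd's own code: an interpreter plugin appends
 * type-key-value triples to a linked list, and an output plugin renders
 * that list without knowing which interpreter produced it.  All names
 * (kv_t, ip4_interp, text_output, log_packet, ...) are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The type tells an output plugin how to render the value. */
enum kv_type { KV_IP4, KV_U16, KV_U8 };

typedef struct kv {
    enum kv_type type;
    const char *key;
    uint32_t value;      /* wide enough for every type above */
    struct kv *next;
} kv_t;

/* Append one triple; returns the (possibly new) head of the list. */
static kv_t *kv_append(kv_t *head, enum kv_type type, const char *key, uint32_t value)
{
    kv_t *n = calloc(1, sizeof *n), *t = head;
    if (!n)
        return head;     /* out of memory: drop this field, keep the rest */
    n->type = type;
    n->key = key;
    n->value = value;
    if (!head)
        return n;
    while (t->next)
        t = t->next;
    t->next = n;
    return head;
}

static void kv_free(kv_t *head)
{
    while (head) { kv_t *n = head->next; free(head); head = n; }
}

static uint32_t be32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Interpreter plugin for IPv4 (plus TCP/UDP ports).  Anything it does not
 * fully understand is left alone: a short or non-IPv4 buffer adds no triples
 * instead of logging garbage from out-of-bounds reads. */
static kv_t *ip4_interp(kv_t *head, const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return head;
    size_t ihl = (pkt[0] & 0x0f) * 4u;
    if (ihl < 20 || ihl > len)
        return head;
    head = kv_append(head, KV_U8, "ip.protocol", pkt[9]);
    head = kv_append(head, KV_IP4, "ip.saddr", be32(pkt + 12));
    head = kv_append(head, KV_IP4, "ip.daddr", be32(pkt + 16));
    if ((pkt[9] == 6 || pkt[9] == 17) && len >= ihl + 4) {  /* TCP or UDP */
        head = kv_append(head, KV_U16, "sport", be16(pkt + ihl));
        head = kv_append(head, KV_U16, "dport", be16(pkt + ihl + 2));
    }
    return head;
}

/* Output plugin: one "key=value ..." line per packet.  Returns the line
 * length, or -1 if the buffer is too small (never a truncated record). */
static int text_output(const kv_t *head, char *out, size_t outlen)
{
    size_t used = 0;
    if (outlen == 0)
        return -1;
    out[0] = '\0';
    for (const kv_t *k = head; k; k = k->next) {
        unsigned v = k->value;
        int n = (k->type == KV_IP4)
            ? snprintf(out + used, outlen - used, "%s%s=%u.%u.%u.%u", used ? " " : "",
                       k->key, v >> 24, (v >> 16) & 0xff, (v >> 8) & 0xff, v & 0xff)
            : snprintf(out + used, outlen - used, "%s%s=%u", used ? " " : "", k->key, v);
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;
        used += (size_t)n;
    }
    return (int)used;
}

/* Constructed sample packet: IPv4/TCP header, 192.168.1.10:40000 -> 10.0.0.5:80. */
static const uint8_t sample_pkt[] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    0xc0, 0xa8, 0x01, 0x0a, 0x0a, 0x00, 0x00, 0x05, 0x9c, 0x40, 0x00, 0x50
};

/* The daemon's loop body: interpreter -> triple list -> output plugin. */
static int log_packet(const uint8_t *pkt, size_t len, char *out, size_t outlen)
{
    kv_t *list = ip4_interp(NULL, pkt, len);
    int n = text_output(list, out, outlen);
    kv_free(list);
    return n;
}

int main(void)
{
    char line[256];
    if (log_packet(sample_pkt, sizeof sample_pkt, line, sizeof line) >= 0)
        puts(line);
    return 0;
}
```

Two points worth keeping in any real interpreter plugin: the bytes it parses
come straight from the network, so every read is bounds-checked against the
length the kernel handed over, and a buffer it cannot interpret yields no
triples rather than a guess. The output plugin likewise refuses to emit a
truncated line, because a half-written record is what later confuses whatever
parses the log (a database loader, an IDS consumer).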

===> INSTALLATION

Just copy the plugins into /usr/local/lib/ulogd and the ulogd binary to
wherever you want it to be.

===> QUESTIONS / COMMENTS

Just drop me a note to laforge@gnumonks.org