rigacci.org

User Tools

Site Tools

Trace:
doc:appunti:linux:sa:ulogd2

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
doc:appunti:linux:sa:ulogd2 [2025/02/17 17:21] niccolodoc:appunti:linux:sa:ulogd2 [2025/04/03 12:43] (current) – [/etc/logrotate.d/ulogd2] niccolo
Line 5: Line 5:
 </code> </code>
  
 +==== /etc/ulogd.conf ====
  
-=== /etc/ulogd.conf ===+In the configuration file **/etc/ulogd.conf** we configure one **plugin stack** adding this line:
  
 <file> <file>
-Local configured stack for logging connections metadata.+Custom stack for logging connections metadata.
 stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU
 +</file>
  
 +This **stack** definition in the ulog2 configuration file defines a **pipeline of processing modules** that handle network flow data. Each module in the stack performs a specific transformation or logging function. Every stack definition requires:
 +
 +  - One input plugin
 +  - None, one or multiple filter plugins
 +  - One output plugin
 +
 +Each plugin module in the stack is referenced with an **instance_name**:**module_type**, where the //instance_name// is an arbitrary string used to identify that specific instance of the //module_type//. The //instance_name// is used also to configure the instance in the same configuration file.
 +
 +Here's a breakdown of the components in the stack defined above:
 +
 +  - **ct1:NFCT**
 +    * ''NFCT'' stands for **Netfilter Connection Tracking**.
 +    * This input plogin module extracts connection tracking (conntrack) information from packets, such as session state, source/destination IPs, and ports.
 +  - **ip2str1:IP2STR**
 +    * ''IP2STR'' converts IP addresses into human-readable string representations.
 +    * This ensures that logs display IP addresses in standard notation instead of numerical or binary formats.
 +  - **print1:PRINTFLOW**
 +    * ''PRINTFLOW'' formats and prints the logged packet or flow information.  
 +    * This is useful for debugging or human-readable log output.
 +  - **emu1:LOGEMU**
 +    * ''LOGEMU'' refers to a custom logging output (generally referred as a //logging emulator//).
 +    * This is the output plugin module which is responsible for sending logs to a file, database, or another destination.
 +
 +=== Configuring the NFCT Netfilter Connection Tracking ===
 +
 +The //instance_name// **ct1** is used in the same configuration file to configure the NFCT module (which interfaces with the **nfnetlink_conntrack** kernel subsystem).
 +
 +<file>
 [ct1] [ct1]
 event_mask=0x00000001 event_mask=0x00000001
Line 17: Line 47:
 </file> </file>
  
-=== /etc/logrotate.d/ulogd2 ===+In this case the module will consider only **new connections** packets because the bitmask 0x00000001 matches new connections only. The option ''hash_enable=0'' means that no memory will be used to track connections, this will in the other and, slow down the processing of packets. 
 + 
 +=== The IP2STR and PRINTFLOW modules === 
 + 
 +These two modules are used at their defaults, no custom configuration is used for their instances. 
 + 
 +=== The LOGEMU module === 
 + 
 +The **LOGEMU** modules is configured as follow in the same configuration file: 
 + 
 +<code> 
 +[emu1] 
 +file="/var/log/ulog/syslogemu.log" 
 +sync=1 
 +</code> 
 + 
 +This means that the log is written in the specified file, every log entry is flushed immediately to the disk due the ''sync=1'' option. 
 + 
 +==== Bitmask Breakdown of event_mask in NFCT ==== 
 + 
 +^ Bit Position  ^ Hex Value  ^ Decimal Value  ^ Event Description 
 +|     0 |  0x00000001 |    1 | **New connection** (conntrack entry created) 
 +|     1 |  0x00000002 |    2 | **Connection update** (state changes, e.g., from SYN_SENT to ESTABLISHED) 
 +|     2 |  0x00000004 |    4 | **Destroyed connection** (entry removed from conntrack table) 
 +|     3 |  0x00000008 |    8 | **Assured connection** (fully established, unlikely to be dropped) 
 +|     4 |  0x00000010 |   16 | **Confirmed connection** (packet has been seen in both directions) 
 +|     5 |  0x00000020 |   32 | **Expectation event** (related to NAT helper expectations) 
 +|     6 |  0x00000040 |   64 | **Helper event** (connection helper activity, e.g., FTP, SIP)  | 
 +|     7 |  0x00000080 |  128 | **Destroy by GC** (garbage collector removed the connection) 
 +|  8-31 |           - |    - | (Reserved or unused in most implementations) 
 + 
 +So if I want to track new and destroyed connections, the event_mask mus be set to 0x00000001 + 0x00000004 = 0x00000005. 
 + 
 +==== Logging bytes_sent and bytes_received ==== 
 + 
 +Check that conntrack has the **bytes=** field in this output: 
 + 
 +<code> 
 +conntrack -L -o extended 
 +</code> 
 + 
 +Run the following: 
 + 
 +<code> 
 +sysctl -w net.netfilter.nf_conntrack_acct=1 
 +</code> 
 + 
 +for permanent setting across reboot create the file **/etc/sysctl.d/99-nf_conntrack_acct.conf** with: 
 + 
 +<file> 
 +net.netfilter.nf_conntrack_acct=1 
 +</file> 
 + 
 + 
 + 
 +==== /etc/logrotate.d/ulogd2 ====
  
 <code> <code>
doc/appunti/linux/sa/ulogd2.1739809281.txt.gz · Last modified: by niccolo