ulogd2: Update to version 2.0.5
authorMichael Tremer <michael.tremer@ipfire.org>
Mon, 8 Jun 2015 13:12:24 +0000 (13:12 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Mon, 8 Jun 2015 19:42:02 +0000 (19:42 +0000)
This package adds logging of the flows and packets to an sqlite
database that can be used to get statistical output.

Logging to syslog as known from IPFire 2 has been added as well
but is only temporary until there is a way to view the logged
packets on the console.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
ulogd2/patches/ulogd2-2.0.5-better-sqlite-debugging.patch [new file with mode: 0644]
ulogd2/sqlite3.table
ulogd2/ulogd.conf
ulogd2/ulogd.logrotate [deleted file]
ulogd2/ulogd2.nm

diff --git a/ulogd2/patches/ulogd2-2.0.5-better-sqlite-debugging.patch b/ulogd2/patches/ulogd2-2.0.5-better-sqlite-debugging.patch
new file mode 100644 (file)
index 0000000..f9c5f7d
--- /dev/null
@@ -0,0 +1,26 @@
+diff --git a/output/sqlite3/ulogd_output_SQLITE3.c b/output/sqlite3/ulogd_output_SQLITE3.c
+index 5c49055..e3eff6f 100644
+--- a/output/sqlite3/ulogd_output_SQLITE3.c
++++ b/output/sqlite3/ulogd_output_SQLITE3.c
+@@ -212,7 +212,8 @@ sqlite3_interp(struct ulogd_pluginstance *pi)
+       return ULOGD_IRET_OK;
+  err_bind:
+-      ulogd_log(ULOGD_ERROR, "SQLITE: bind: %s\n", sqlite3_errmsg(priv->dbh));
++      ulogd_log(ULOGD_ERROR, "SQLITE: bind: %s (field: %s)\n", sqlite3_errmsg(priv->dbh),
++              f->key->name);
+       
+       return ULOGD_IRET_ERR;
+ }
+@@ -353,8 +354,10 @@ sqlite3_init_db(struct ulogd_pluginstance *pi)
+               }
+               strncpy(f->name, buf, ULOGD_MAX_KEYLEN);
+-              if ((f->key = ulogd_find_key(pi, buf)) == NULL)
++              if ((f->key = ulogd_find_key(pi, buf)) == NULL) {
++                      ulogd_log(ULOGD_ERROR, "SQLITE3: Could not find field %s\n", buf);
+                       return -1;
++              }
+               TAILQ_INSERT_TAIL(&priv->fields, f, link);
+       }
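Review bot: The two messages this patch adds use different prefixes, `SQLITE:` at the err_bind label and `SQLITE3:` at the missing-field check, which makes filtering the ulogd log for this plugin harder; pick one, e.g. `ulogd_log(ULOGD_ERROR, "SQLITE3: bind: %s (field: %s)\n", sqlite3_errmsg(priv->dbh), f->key->name);`. The err_bind message also dereferences `f->key->name`, which is only meaningful if `f` still points at the field whose bind failed when the goto is taken; the loop that sets `f` lies outside the hunk, so confirm no path reaches err_bind with `f` unset or past the end of the field list. The patch file has no header line stating what it fixes or whether it was submitted upstream; a one-line description above the first `diff --git` would help whoever rebases it onto the next ulogd release.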
index 200a4c41513c08ea65f45119236da8165b16bebe..c38474dd12f54419db9e0282c31a9683f7eaf5b2 100644 (file)
-CREATE TABLE ulog (
-                       raw_mac         VARCHAR(80),
-                       oob_time_sec    INT UNSIGNED,
-                       oob_time_usec   INT UNSIGNED,
-                       ip_saddr        INT UNSIGNED,
-                       ip_daddr        INT UNSIGNED,
-                       ip_protocol     TINYINT UNSIGNED,
-                       ip_totlen       SMALLINT UNSIGNED,
-                       tcp_sport       SMALLINT UNSIGNED,
-                       tcp_dport       SMALLINT UNSIGNED,
-                       udp_sport       SMALLINT UNSIGNED,
-                       udp_dport       SMALLINT UNSIGNED,
-                       udp_len         SMALLINT UNSIGNED,
-                       icmp_type       TINYINT UNSIGNED,
-                       icmp_code       TINYINT UNSIGNED,
-                       icmp_echoid     SMALLINT UNSIGNED,
-                       icmp_echoseq    SMALLINT UNSIGNED,
-                       icmp_gateway    INT UNSIGNED,
-                       icmp_fragmtu    SMALLINT UNSIGNED
-               );
+CREATE TABLE hits (
+       oob_time_sec            INTEGER NOT NULL,
+       oob_time_usec           INTEGER NOT NULL,
+       oob_hook                INTEGER,
+       oob_prefix              TEXT,
+       mac_saddr_str           TEXT,
+       mac_daddr_str           TEXT,
+       oob_in                  TEXT,
+       oob_out                 TEXT,
+       oob_family              INTEGER,
+       oob_protocol            INTEGER,
+       oob_uid                 INTEGER,
+       oob_gid                 INTEGER,
+       oob_mark                INTEGER,
+       ip_saddr                BLOB,
+       ip_saddr_str            TEXT,
+       ip_daddr                BLOB,
+       ip_daddr_str            TEXT,
+       ip_protocol             INTEGER,
+       ip_tos                  INTEGER,
+       ip_ttl                  INTEGER,
+       ip_totlen               INTEGER,
+       ip_id                   INTEGER,
+       ip_fragoff              INTEGER,
+       ip6_payloadlen          INTEGER,
+       ip6_priority            INTEGER,
+       ip6_hoplimit            INTEGER,
+       ip6_flowlabel           INTEGER,
+       ip6_nexthdr             INTEGER,
+       ip6_fragoff             INTEGER,
+       ip6_fragid              INTEGER,
+       tcp_sport               INTEGER,
+       tcp_dport               INTEGER,
+       tcp_seq                 INTEGER,
+       tcp_ackseq              INTEGER,
+       tcp_window              INTEGER,
+       tcp_syn                 INTEGER,
+       tcp_ack                 INTEGER,
+       tcp_rst                 INTEGER,
+       tcp_fin                 INTEGER,
+       tcp_urg                 INTEGER,
+       tcp_urgp                INTEGER,
+       udp_sport               INTEGER,
+       udp_dport               INTEGER,
+       udp_len                 INTEGER,
+       icmp_type               INTEGER,
+       icmp_code               INTEGER,
+       icmp_echoid             INTEGER,
+       icmp_echoseq            INTEGER,
+       icmp_gateway            INTEGER,
+       icmp_fragmtu            INTEGER,
+       icmpv6_type             INTEGER,
+       icmpv6_code             INTEGER,
+       icmpv6_echoid           INTEGER,
+       icmpv6_echoseq          INTEGER,
+       icmpv6_csum             INTEGER,
+       ahesp_spi               INTEGER,
+       arp_hwtype              INTEGER,
+       arp_protocoltype        INTEGER,
+       arp_operation           INTEGER,
+       arp_shwaddr             BLOB,
+       arp_saddr_str           TEXT,
+       arp_dhwaddr             BLOB,
+       arp_daddr_str           TEXT,
+       sctp_sport              INTEGER,
+       sctp_dport              INTEGER,
+       sctp_csum               INTEGER
+);
 
+CREATE INDEX hits_time ON hits(oob_time_sec);
+CREATE INDEX hits_prefix ON hits(oob_prefix);
+CREATE INDEX hits_oob_family ON hits(oob_family);
+
+/* Layer 2 - MAC addresses */
+CREATE INDEX hits_mac_saddr ON hits(mac_saddr_str);
+CREATE INDEX hits_mac_daddr ON hits(mac_daddr_str);
+
+/* Layer 3 - IP */
+CREATE INDEX hits_ip_saddr ON hits(ip_saddr);
+CREATE INDEX hits_ip_daddr ON hits(ip_daddr);
+CREATE INDEX hits_ip_protocol ON hits(ip_protocol);
+
+/* Layer 4 protocols */
+CREATE INDEX hits_tcp_sport ON hits(tcp_sport);
+CREATE INDEX hits_tcp_dport ON hits(tcp_dport);
+CREATE INDEX hits_udp_sport ON hits(udp_sport);
+CREATE INDEX hits_udp_dport ON hits(udp_dport);
+CREATE INDEX hits_sctp_sport ON hits(sctp_sport);
+CREATE INDEX hits_sctp_dport ON hits(sctp_dport);
+
+CREATE INDEX hits_icmpv6_type ON hits(icmpv6_type);
+CREATE INDEX hits_icmp_type ON hits(icmp_type);
+
+CREATE TABLE flows (
+       flow_start_sec          INTEGER,
+       flow_start_usec         INTEGER,
+       flow_end_sec            INTEGER,
+       flow_end_usec           INTEGER,
+       orig_ip_saddr           BLOB NOT NULL,
+       orig_ip_saddr_str       TEXT NOT NULL,
+       orig_ip_daddr           BLOB NOT NULL,
+       orig_ip_daddr_str       TEXT NOT NULL,
+       orig_ip_protocol        INTEGER NOT NULL,
+       orig_l4_sport           INTEGER,
+       orig_l4_dport           INTEGER,
+       orig_raw_pktcount       INTEGER NOT NULL,
+       orig_raw_pktlen         INTEGER NOT NULL,
+       reply_ip_saddr          BLOB NOT NULL,
+       reply_ip_saddr_str      BLOB NOT NULL,
+       reply_ip_daddr          BLOB NOT NULL,
+       reply_ip_daddr_str      BLOB NOT NULL,
+       reply_ip_protocol       INTEGER NOT NULL,
+       reply_l4_sport          INTEGER,
+       reply_l4_dport          INTEGER,
+       reply_raw_pktcount      INTEGER NOT NULL,
+       reply_raw_pktlen        INTEGER NOT NULL,
+       icmp_code               INTEGER,
+       icmp_type               INTEGER,
+       ct_id                   INTEGER NOT NULL,
+       ct_event                INTEGER NOT NULL,
+       ct_mark                 INTEGER
+);
+
+CREATE INDEX flows_ip_saddr ON flows(orig_ip_saddr);
+CREATE INDEX flows_ip_daddr ON flows(orig_ip_daddr);
+CREATE INDEX flows_ip_protocol ON flows(orig_ip_protocol);
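Review bot: `reply_ip_saddr_str` and `reply_ip_daddr_str` in the new `flows` table are declared `BLOB NOT NULL`, while every other `_str` column in both tables, including `orig_ip_saddr_str` and `orig_ip_daddr_str` a few lines above, is `TEXT`; SQLite stores the strings either way (BLOB affinity applies no conversion), but the declared type is misleading and schema-aware tools will treat those columns as binary. Change them to `reply_ip_saddr_str TEXT NOT NULL,` and `reply_ip_daddr_str TEXT NOT NULL,`. A short leading comment naming which ulogd stack feeds each table (`db-packets` for `hits`, `db-flows` for `flows`) would also make the schema easier to keep in step with ulogd.conf, since the SQLITE3 plugin resolves every column name against the stack's keys at startup.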
index c2b8e6dfb5d18eff143b419eaf7b855ff25fef57..565579f35dade2cfd9f522f8fcc69683a6159a8f 100644 (file)
@@ -5,9 +5,6 @@
 # GLOBAL OPTIONS
 ######################################################################
 
-# logfile for status messages
-logfile="/var/log/ulogd/ulogd.log"
-
 # loglevel: debug(1), info(3), notice(5), error(7) or fatal(8)
 loglevel=7
 
@@ -22,7 +19,7 @@ loglevel=7
 # 2. options for each plugin in seperate section below
 
 plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
-plugin="/usr/lib/ulogd/ulogd_inppkt_ULOG.so"
+#plugin="/usr/lib/ulogd/ulogd_inppkt_ULOG.so"
 plugin="/usr/lib/ulogd/ulogd_inpflow_NFCT.so"
 plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so"
 plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so"
@@ -31,7 +28,7 @@ plugin="/usr/lib/ulogd/ulogd_filter_PRINTPKT.so"
 plugin="/usr/lib/ulogd/ulogd_filter_HWHDR.so"
 plugin="/usr/lib/ulogd/ulogd_filter_PRINTFLOW.so"
 #plugin="/usr/lib/ulogd/ulogd_filter_MARK.so"
-plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"
+#plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"
 plugin="/usr/lib/ulogd/ulogd_output_SYSLOG.so"
 #plugin="/usr/lib/ulogd/ulogd_output_OPRINT.so"
 #plugin="/usr/lib/ulogd/ulogd_output_NACCT.so"
@@ -42,38 +39,26 @@ plugin="/usr/lib/ulogd/ulogd_output_SYSLOG.so"
 plugin="/usr/lib/ulogd/ulogd_output_SQLITE3.so"
 plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"
 
-# this is a stack for logging packet send by system via LOGEMU
-stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
-
-# this is a stack for NFLOG packet-based logging to PCAP
-#stack=log1:NFLOG,base1:BASE,pcap1:PCAP
-
-# this is a stack for logging packet to sqlite
-#stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mac2str1:HWHDR,sqlite1:SQLITE3
+# Log packets
+stack=src-pkt:NFLOG,base:BASE,ifindex:IFINDEX,ip2str:IP2STR,hw:HWHDR,db-packets:SQLITE3
+stack=src-pkt:NFLOG,base:BASE,ifindex:IFINDEX,ip2str:IP2STR,print:PRINTPKT,syslog:SYSLOG
 
-# this is a stack for logging packets to syslog after a collect via NFLOG
-#stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG
+# Log connection tracking events
+stack=src-ct:NFCT,ip2bin:IP2BIN,ip2str:IP2STR,print-flow:PRINTFLOW,db-flows:SQLITE3
 
-# Logging of system packet through NFLOG
-[log1]
-# netlink multicast group (the same as the iptables --nflog-group param)
-# Group O is used by the kernel to log connection tracking invalid message
+[src-pkt]
 group=0
-#netlink_socket_buffer_size=217088
-#netlink_socket_buffer_maxsize=1085440
-# set number of packet to queue inside kernel
-#netlink_qthreshold=1
-# set the delay before flushing packet in the queue inside kernel (in ms)
-#netlink_qtimeout=1000
 bind=1
 
-[emu1]
-file="/var/log/ulogd/syslogemu.log"
-sync=1
+[src-ct]
+# Only receive DESTROY events
+event_mask=0x00000004
+hash_enable=1
 
-[pcap1]
-sync=1
+[db-packets]
+db=/var/lib/ulogd/ulogd.db
+table=hits
 
-[sqlite1]
-db=/var/log/ulogd/ulogd.db
-table=ulog
+[db-flows]
+db=/var/lib/ulogd/ulogd.db
+table=flows
diff --git a/ulogd2/ulogd.logrotate b/ulogd2/ulogd.logrotate
deleted file mode 100644 (file)
index b3fb6d1..0000000
+++ /dev/null
@@ -1,7 +0,0 @@
-/var/log/ulogd.log /var/log/ulogd.syslogemu /var/log/ulogd.pktlog /var/log/ulogd.pcap {
-    missingok
-    sharedscripts
-    postrotate
-       /bin/killall -HUP ulogd 2> /dev/null || true
-    endscript
-}
index 5a153a2021c7ef807f6a9e198bbe161c9e564ee9..4d639a8723c78f0366ca00a87895a5c13eadcf4c 100644 (file)
@@ -4,7 +4,7 @@
 ###############################################################################
 
 name       = ulogd2
-version    = 2.0.4
+version    = 2.0.5
 release    = 1
 epoch      = 1
 
@@ -40,15 +40,15 @@ build
        # Set libdir to "/usr/lib" for every architecture to install the ulogd2 plugins
        # to this folder.
        configure_options+= \
-               --sysconfdir=/etc \
                --libdir=%{prefix}/lib
 
        install_cmds
-               mkdir -pv %{BUILDROOT}/etc
-               cp -vf %{DIR_SOURCE}/ulogd.conf %{BUILDROOT}/etc/ulogd.conf
+               mkdir -pv %{BUILDROOT}%{sysconfdir}
+               cp -vf %{DIR_SOURCE}/ulogd.conf %{BUILDROOT}%{sysconfdir}/ulogd.conf
 
-               mkdir -pv %{BUILDROOT}/var/log/ulogd
-               sqlite3 -echo %{BUILDROOT}/var/log/ulogd/ulogd.db < %{DIR_SOURCE}/sqlite3.table
+               mkdir -pv %{BUILDROOT}%{sharedstatedir}/ulogd
+               sqlite3 -echo %{BUILDROOT}%{sharedstatedir}/ulogd/ulogd.db \
+                       < %{DIR_SOURCE}/sqlite3.table
        end
 end
 
@@ -61,7 +61,11 @@ packages
                end
 
                configfiles
-                       /etc/ulogd.conf
+                       %{sysconfdir}/ulogd.conf
+               end
+
+               datafiles
+                       %{sharedstatedir}/ulogd/ulogd.db
                end
 
                script postin
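Review bot: Listing `%{sharedstatedir}/ulogd/ulogd.db` under `datafiles` ships the empty database created in `install_cmds` as an ordinary package file, so an upgrade may replace the live database that has accumulated packet and flow rows since install, unless pakfire treats datafiles as preserved on upgrade; confirm that semantics, or create the schema from `script postin` only when the file does not yet exist. The `mkdir -pv %{BUILDROOT}%{sharedstatedir}/ulogd` line also leaves the directory and the database with default permissions, and the database records traffic metadata including `oob_uid`/`oob_gid` columns; restricting the directory (e.g. `chmod 0750` after the mkdir, or the equivalent file attribute) would keep it from being world-readable. The `install_cmds` block starts inside the second hunk and the enclosing `packages` block continues past the end of the diff.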