From: Michael Tremer
Date: Mon, 9 Feb 2009 16:06:11 +0000 (+0100)
Subject: Added some nice ulogd config.
X-Git-Tag: v3.0-alpha1~14^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d396479281f3ec2f20b36a335fabd08103c02342;p=ipfire-3.x.git
Added some nice ulogd config.
---
diff --git a/config/ulogd2/sqlite3.table b/config/ulogd2/sqlite3.table
new file mode 100644
index 000000000..200a4c415
--- /dev/null
+++ b/config/ulogd2/sqlite3.table
@@ -0,0 +1,21 @@
+CREATE TABLE ulog (
+ raw_mac VARCHAR(80),
+ oob_time_sec INT UNSIGNED,
+ oob_time_usec INT UNSIGNED,
+ ip_saddr INT UNSIGNED,
+ ip_daddr INT UNSIGNED,
+ ip_protocol TINYINT UNSIGNED,
+ ip_totlen SMALLINT UNSIGNED,
+ tcp_sport SMALLINT UNSIGNED,
+ tcp_dport SMALLINT UNSIGNED,
+ udp_sport SMALLINT UNSIGNED,
+ udp_dport SMALLINT UNSIGNED,
+ udp_len SMALLINT UNSIGNED,
+ icmp_type TINYINT UNSIGNED,
+ icmp_code TINYINT UNSIGNED,
+ icmp_echoid SMALLINT UNSIGNED,
+ icmp_echoseq SMALLINT UNSIGNED,
+ icmp_gateway INT UNSIGNED,
+ icmp_fragmtu SMALLINT UNSIGNED
+ );
+
diff --git a/config/ulogd2/ulogd.conf b/config/ulogd2/ulogd.conf
new file mode 100644
index 000000000..4806009b0
--- /dev/null
+++ b/config/ulogd2/ulogd.conf
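Review bot: `CREATE TABLE ulog (` is not re-runnable: the lfs/ulogd2 recipe in this same commit pipes this file into `sqlite3 -echo /var/log/ulogd/ulogd.db` on every install, and the second run aborts with a "table already exists" error once the database is present; `CREATE TABLE IF NOT EXISTS ulog (` keeps that step idempotent. The `INT UNSIGNED`/`TINYINT UNSIGNED`/`SMALLINT UNSIGNED` qualifiers are accepted by SQLite but, as far as I know, only select INTEGER affinity and enforce neither range nor sign, so a comment such as `-- SQLite: type names are advisory, no UNSIGNED/range check` would stop the next reader from assuming otherwise. Nothing indexes the table, and packet logs are almost always queried by time window, so `CREATE INDEX IF NOT EXISTS ulog_oob_time_sec_idx ON ulog (oob_time_sec);` after the table is cheap insurance against full scans as the database grows.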
@@ -0,0 +1,154 @@
+# IPFire configuration for ulogd
+
+[global]
+######################################################################
+# GLOBAL OPTIONS
+######################################################################
+
+# logfile for status messages
+logfile="/var/log/ulogd/ulogd.log"
+
+# loglevel: debug(1), info(3), notice(5), error(7) or fatal(8)
+loglevel=1
+
+######################################################################
+# PLUGIN OPTIONS
+######################################################################
+
+# We have to configure and load all the plugins we want to use
+
+# general rules:
+# 1. load the plugins _first_ from the global section
+# 2. options for each plugin in seperate section below
+
+plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
+#plugin="/usr/lib/ulogd/ulogd_inppkt_ULOG.so"
+plugin="/usr/lib/ulogd/ulogd_inpflow_NFCT.so"
+plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so"
+plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so"
+plugin="/usr/lib/ulogd/ulogd_filter_IP2BIN.so"
+plugin="/usr/lib/ulogd/ulogd_filter_PRINTPKT.so"
+plugin="/usr/lib/ulogd/ulogd_filter_HWHDR.so"
+plugin="/usr/lib/ulogd/ulogd_filter_PRINTFLOW.so"
+#plugin="/usr/lib/ulogd/ulogd_filter_MARK.so"
+#plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"
+plugin="/usr/lib/ulogd/ulogd_output_SYSLOG.so"
+#plugin="/usr/lib/ulogd/ulogd_output_OPRINT.so"
+#plugin="/usr/lib/ulogd/ulogd_output_NACCT.so"
+#plugin="/usr/lib/ulogd/ulogd_output_PCAP.so"
+#plugin="/usr/lib/ulogd/ulogd_output_PGSQL.so"
+#plugin="/usr/lib/ulogd/ulogd_output_MYSQL.so"
+#plugin="/usr/lib/ulogd/ulogd_output_DBI.so"
+plugin="/usr/lib/ulogd/ulogd_output_SQLITE3.so"
+plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"
+
+# this is a stack for logging packet send by system via LOGEMU
+#stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+
+# this is a stack for packet-based logging via LOGEMU
+#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+
+# this is a stack for ULOG packet-based logging via LOGEMU
+#stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+
+# this is a stack for packet-based logging via LOGEMU with filtering on MARK
+#stack=log2:NFLOG,mark1:MARK,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+
+# this is a stack for flow-based logging via LOGEMU
+#stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU
+
+# this is a stack for flow-based logging via OPRINT
+#stack=ct1:NFCT,op1:OPRINT
+
+# this is a stack for NFLOG packet-based logging to PCAP
+#stack=log2:NFLOG,base1:BASE,pcap1:PCAP
+
+# this is a stack for logging packet to MySQL
+#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mac2str1:HWHDR,mysql1:MYSQL
+
+# this is a stack for logging packet to PGsql after a collect via NFLOG
+#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,pgsql1:PGSQL
+
+# this is a stack for logging packets to syslog after a collect via NFLOG
+#stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG
+
+# this is a stack for flow-based logging to MySQL
+#stack=ct1:NFCT,ip2bin1:IP2BIN,mysql2:MYSQL
+
+# this is a stack for flow-based logging to PGSQL
+#stack=ct1:NFCT,ip2str1:IP2STR,pgsql2:PGSQL
+
+# this is a stack for flow-based logging to PGSQL without local hash
+#stack=ct1:NFCT,ip2str1:IP2STR,pgsql3:PGSQL
+
+
+# this is a stack for flow-based logging in NACCT compatible format
+#stack=ct1:NFCT,ip2str1:IP2STR,nacct1:NACCT
+
+[ct1]
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+
+[ct2]
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+hash_enable=0
+
+# Logging of system packet through NFLOG
+[log1]
+# netlink multicast group (the same as the iptables --nflog-group param)
+# Group O is used by the kernel to log connection tracking invalid message
+group=0
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+# set number of packet to queue inside kernel
+#netlink_qthreshold=1
+# set the delay before flushing packet in the queue inside kernel (in ms)
+#netlink_qtimeout=1000
+
+# packet logging through NFLOG for group 1
+[log2]
+# netlink multicast group (the same as the iptables --nflog-group param)
+group=1 # Group has to be different from the one use in log1
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+# If your kernel is older than 2.6.29 and if a NFLOG input plugin with
+# group 0 is not used by any stack, you need to have at least one NFLOG
+# input plugin with bind set to 1. If you don't do that you may not
+# receive any message from the kernel.
+#bind=1
+
+# packet logging through NFLOG for group 2, numeric_label is
+# set to 1
+[log3]
+# netlink multicast group (the same as the iptables --nflog-group param)
+group=2 # Group has to be different from the one use in log1/log2
+numeric_label=1 # you can label the log info based on the packet verdict
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+#bind=1
+
+[ulog1]
+# netlink multicast group (the same as the iptables --ulog-nlgroup param)
+nlgroup=1
+#numeric_label=0 # optional argument
+
+[emu1]
+file="/var/log/ulogd_syslogemu.log"
+sync=1
+
+[op1]
+file="/var/log/ulogd_oprint.log"
+sync=1
+
+[pcap1]
+sync=1
+
+[sys2]
+facility=LOG_LOCAL2
+
+[nacct1]
+sync = 1
+
+[mark1]
+mark = 1
diff --git a/config/ulogd2/ulogd.logrotate b/config/ulogd2/ulogd.logrotate
new file mode 100644
index 000000000..b3fb6d12d
--- /dev/null
+++ b/config/ulogd2/ulogd.logrotate
@@ -0,0 +1,7 @@
+/var/log/ulogd.log /var/log/ulogd.syslogemu /var/log/ulogd.pktlog /var/log/ulogd.pcap {
+ missingok
+ sharedscripts
+ postrotate
+ /bin/killall -HUP ulogd 2> /dev/null || true
+ endscript
+}
diff --git a/lfs/ulogd2 b/lfs/ulogd2
index b2798b7e3..a7aac6188 100644
--- a/lfs/ulogd2
+++ b/lfs/ulogd2
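Review bot: Every `stack=` line in this file is commented out, so although NFLOG, NFCT, SYSLOG and SQLITE3 are loaded in `[global]`, no input is wired to any output and the daemon logs nothing (if I recall the ulogd2 start-up checks correctly it exits with a fatal "no working plugin stack" error instead of running idle). There is also no section for the SQLITE3 output, so the `/var/log/ulogd/ulogd.db` database and `ulog` table that the lfs/ulogd2 recipe creates are never referenced; an active stack ending in an `SQLITE3` instance needs a matching section with `db="/var/log/ulogd/ulogd.db"` and `table="ulog"`. The `[sys2]` section sets `facility=LOG_LOCAL2` while the only syslog stack example names its instance `sys1`, so one of the two should be renamed or the section is dead. `loglevel=1` is the debug level on a production firewall and will flood `/var/log/ulogd/ulogd.log`; `loglevel=5` (notice, per the comment above it) is the sane default.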
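Review bot: None of the four paths on the first line match what the ulogd.conf in this commit writes — the daemon log is `/var/log/ulogd/ulogd.log` and the emulator/oprint files are `/var/log/ulogd_syslogemu.log` and `/var/log/ulogd_oprint.log` — and `missingok` hides the mismatch, so nothing is ever rotated and the logs grow until the firewall's disk fills. The path list should name the files ulogd.conf actually produces, e.g. `/var/log/ulogd/ulogd.log /var/log/ulogd_syslogemu.log /var/log/ulogd_oprint.log {`. The SQLite database under `/var/log/ulogd/` is not bounded by logrotate either and needs its own pruning (a periodic `DELETE FROM ulog WHERE oob_time_sec < ...` or a size cap), otherwise it becomes the same disk-fill risk. `/bin/killall -HUP ulogd` only helps if this ulogd build reopens its logfile on SIGHUP; worth confirming against the installed version rather than assuming.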
@@ -61,8 +61,12 @@ $(OBJECT) :
 ./configure \
 $(CONFIGURE_ARCH) \
 --prefix=/usr \
+ --sysconfdir=/etc \
 --disable-static
 cd $(DIR_APP) && make $(PARALLELISMFLAGS)
 cd $(DIR_APP) && make install
+ cp -vf $(DIR_CONFIG)/$(PKG_NAME)/ulogd.conf /etc/ulogd.conf
+ -mkdir -pv /var/log/ulogd
+ sqlite3 -echo /var/log/ulogd/ulogd.db < $(DIR_CONFIG)/$(PKG_NAME)/sqlite3.table
 @rm -rf $(DIR_APP)
 @$(POSTBUILD)
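Review bot: The `sqlite3 -echo /var/log/ulogd/ulogd.db < ...` line creates the database with the build's default umask, so a file that will hold every logged packet's source and destination addresses is very likely world-readable; give the directory a mode on creation, `-mkdir -pv -m 750 /var/log/ulogd`, and follow the sqlite3 step with `chmod 640 /var/log/ulogd/ulogd.db`, unless `$(POSTBUILD)` (not visible here) already normalises ownership and modes under `/var/log`. The leading `-` on the mkdir tells make to ignore a failure there, but the sqlite3 line immediately after would then fail hard anyway, so the prefix buys nothing and hides the real error; drop it. The sqlite3 step is also not re-runnable with the schema file as written (plain `CREATE TABLE`), which I have raised on the sqlite3.table hunk. The `$(OBJECT)` recipe this hunk modifies starts before the hunk.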