Eric Leblond [Fri, 7 Mar 2014 20:11:47 +0000 (21:11 +0100)]
json: use packet timestamp if available
This patch updates the JSON output plugin to have it use the
timestamp of the packet if available. The date format used
for the timestamp is now using ISO 8601 to have an easy
import in most software (tested with logstash and splunk).
Eric Leblond [Sat, 22 Feb 2014 13:05:56 +0000 (14:05 +0100)]
nfct: use start timestamp if provided
When hash table is not used, the start timestamp was not used even
if the kernel is sending it. This patch modifies the code to use it
when available. This allows to log connection with start and end
with a single message per connection and without the cost of
maintaining the hash table.
Eric Leblond [Tue, 4 Feb 2014 08:27:45 +0000 (09:27 +0100)]
ulogd: add carriage return as separator
If the file is in DOS mode, the string coming from config file
parsing are containing the carriage return. The result is that
string are not correct and the parsing of confuguration file
is failling.
Eric Leblond [Sun, 26 Jan 2014 16:05:29 +0000 (17:05 +0100)]
json: introduce new JSON output plugin
This patch introduces a new JSON output plugin. This
patch displays CIM field name instead of ulogd key valu
if this CIM field is available.
The module does not display binary address but uses the
string version of them. So a complete stack is for example:
stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,json1:JSON
If boolean_label is set to 1, then the numeric_label put on packet
by the input plugin is coding the decision on packet. If 0, then
packet has been blocked and if non null it has been accepted.
Eric Leblond [Sun, 26 Jan 2014 21:21:42 +0000 (22:21 +0100)]
store Common Information Model name in ulogd key
This patch adds storage for CIM field name in ulogd key. This
will be used by JSON output to interoperate with logging
collector such as logstash or splunk.
Common Information Model is an open standard that defines how managed
elements in an IT environment are represented as a common set of objects
and relationships between them:
http://www.dmtf.org/standards/cim
This seems to be mainly XML based but there is a JSON version of some
aspects of the model. One of the main documentation on CIM in JSON
format seems to be:
http://docs.splunk.com/Documentation/PCI/2.0/DataSource/CommonInformationModelFieldReference
Using the correct CIM field name allow events coming from ulogd to be
correlated with events coming from other sources.
Eric Leblond [Sat, 25 Jan 2014 11:51:49 +0000 (12:51 +0100)]
db: cancel injection thread when terminating
Injection thread was not cancelled when a termination signal was
sent. This was causing a crash in some cases. This patch fixes this
by canceling the thread when a SIGTERM or SIGINT signal is received.
Eric Leblond [Sat, 25 Jan 2014 11:26:38 +0000 (12:26 +0100)]
db: set ring default size to 0
As default size was non null, the ring system was activated by
default. It was only possible to desactivate the ring system
by setting it to ring_buffer_size to 0 in the configuration.
This was not the attended behavior. This patch set it to 0 to have
only explicit activation of the ring feature.
Eric Leblond [Sat, 25 Jan 2014 10:46:52 +0000 (11:46 +0100)]
util: fix warning on format string
pp_print macro was not correctly formatting u64. This patch renames
it to pp_print_u as it is only used to print integer. It also use
the PRIu* macros to have a correct format string for all integers
type.
Gustavo Zacarias [Tue, 10 Dec 2013 12:24:12 +0000 (09:24 -0300)]
ulogd: use AC_SEARCH_LIBS for libpthread
Some uClibc-based toolchains lack threading support, so use
AC_SEARCH_LIB instead of AC_CHECK_LIB to check for libpthread
availability and link conditionally if found since it's only used for
the database backends.
Chris Boot [Mon, 18 Nov 2013 11:09:14 +0000 (11:09 +0000)]
ulogd: ulogd_inppkt_NFLOG: close nflog handle after unbinding
The nflog handle is closed, and then nflog_unbind_pf() is called on it, which
triggers an assertion failure within libnfnetlink. This patch simply moves
the nflog_close() just after the nflog_unbind_pf() calls.
Eric Leblond [Tue, 28 May 2013 19:58:57 +0000 (21:58 +0200)]
pgsql: add var to specify arbitrary conn params
This patch adds a configuration variable for PostgreSQL output.
Named connstring it stores the character string that will be
used to connect to the PostgreSQL server. This allows the user
to use all options available like TLS parameters for example.
Eric Leblond [Sat, 18 May 2013 13:25:11 +0000 (15:25 +0200)]
Improve pid file handling.
This patch improves latest patch by splitting in two part the pid
file creation. This allows to display a message to stdout when
ulogd can not be started. Another linked improvement is that the
plugin initialization is not done if the pid file existence will
result in a ulogd exit.
Chris Boot [Sun, 12 May 2013 12:47:40 +0000 (13:47 +0100)]
ulogd: Implement PID file writing
The deamon currently does not have the ability to write a PID file to track its
process ID. This is very useful to an init script and to ensure there is only
one running instance. This patch implements this functionality.
Chris Boot [Sat, 11 May 2013 17:01:52 +0000 (18:01 +0100)]
ulogd: Perform nice() before giving up root
The daemon code currently tries to nice(-1) just after having given up root
privileges, which fails. This patch moves the nice(-1) call to just before
the code that gives up the required privileges.
Victor Julien [Fri, 5 Apr 2013 16:28:14 +0000 (18:28 +0200)]
Exec libmnl config check only if nfacct is enabled
In case nfacct is not enabled in ulogd2, libmnl is not used. So it shouldn't
be a hard global dependency, but instead only a dependency in case nfacct is
enabled.
Eric Leblond [Thu, 9 May 2013 09:20:37 +0000 (11:20 +0200)]
db: disable SIGHUP if ring buffer is used.
The handling of signal when using threads can be complicated. When
ring buffer is used for query, this means ulogd will have to follow
some sort of mutex. Thus, it is easier and better performance wise
to disable the reload via SIGHUP when the ring buffer is used.
Eric Leblond [Sat, 20 Apr 2013 10:44:17 +0000 (12:44 +0200)]
db: add ring buffer for DB query
This patch adds an optional ring buffer option which modify
the way database queries are made. The main thread is only handling
kernel message reading and query formatting. The SQL request is made
in a separate dedicated thread.
The idea is to try to avoid buffer overrun by minimizing the time
requested to treat kernel message. Doing synchronous SQL request, as
it was made before was causing a delay which could cause some messages
to be lost in case of burst from kernel side.
Eric Leblond [Sun, 17 Mar 2013 18:41:36 +0000 (19:41 +0100)]
db: store data in memory during database downtime
This patch is adding a mechanism to store query in a backlog build
in memory. This allow to store events during downtime in memory and
realize the effective insertion when the database comes back.
A memory cap is used to avoid any memory flooding.
Ilya Tumaykin [Wed, 20 Mar 2013 10:54:36 +0000 (14:54 +0400)]
Fix automagic support of dbi, pcap and sqlite3
ulogd has automagic deps for several output plugins right now, namely dbi,
pcap and sqlite3. These plugins are built if the appropriate libs are present
on user's system. While this situation is fine with binary distros it is not OK
on source-based ones such as Gentoo.
The problem arises when such a program links against libs without user's
request and libs are later removed from system which leaves program in a
broken state.
This patch is modifying configure.ac which we apply in our package and which
fixes mentioned issue. It adds 3 new configure options: --
without-{dbi,pcap.sqlite}. I would like to emphasize that this patch doesn't
change default behaviour of configure script at all, so all other distros won't
suffer. We simply add options to explicitly disable any attempts to try and
detect libs for automagic deps, which is enough to avoid unnecessary linkage.
Eric Leblond [Fri, 18 Jan 2013 18:41:19 +0000 (19:41 +0100)]
conf: add flag to allow option setup tuning
This patch adds a flag to the config_entry structure to be able to
tune setup. First usage is to ask config parser not to update a key
if it has been already set.
Eric Leblond [Sat, 24 Nov 2012 13:59:30 +0000 (14:59 +0100)]
nfct: add protocol filter
This patch adds a new configuration variable which is used to limit
conntrack event to connection of these protocols:
For example:
accept_proto_filter=tcp,sctp
Eric Leblond [Mon, 16 Jul 2012 21:03:39 +0000 (23:03 +0200)]
nfct: implement src and dst filter
This patch implements two filtering options in NFCT input plugin.
If 'accept_src_filter' is set to a network it will only catch the
event where the source is that specific network. 'accept_dst_filter'
does the same for the destination.
Eric Leblond [Fri, 21 Dec 2012 20:11:23 +0000 (21:11 +0100)]
Add GRAPHITE output module.
Graphite is a web application which provide real-time visualization
and storage of numeric time-series data. This patch adds a module
named GRAPHITE which sends NFACCT accounting data to a graphite
server.
Jan Engelhardt [Tue, 27 Nov 2012 12:45:44 +0000 (13:45 +0100)]
build: move remaining preprocessor flags into CPPFLAGS
The flags retrieved from `pkg-config --cflags ...` are generally only
preprocessor flags (mostly -I to point to the directories), since
anything else would inconvenience downstream users.
Jan Engelhardt [Tue, 27 Nov 2012 12:43:42 +0000 (13:43 +0100)]
build: avoid per-target CFLAGS
There is no harm in putting the includes in the global AM_CPPFLAGS;
this can generally save number of compilations of a file when a
source file is used multiple times.
Jan Engelhardt [Mon, 26 Nov 2012 23:52:28 +0000 (00:52 +0100)]
build: resolve compile error due to missing nfacct CPPFLAGS
Fixes this error:
make[3]: Entering directory "/home/jengelh/code/ulogd2/output"
CC ulogd_output_XML.lo
ulogd_output_XML.c:31:49: fatal error:
libnetfilter_acct/libnetfilter_acct.h: No such file or directory
(Note that pkgconfig-provided cflags are actually cppflags, so
I add ${LIBNETFILTER_ACCT_CFLAGS} to AM_CPPFLAGS.)
Jan Engelhardt [Mon, 26 Nov 2012 23:51:09 +0000 (00:51 +0100)]
build: resolve automake-1.12 warnings
/usr/share/automake-1.12/am/ltlibrary.am: warning:
'ulogd_output_SQLITE3.la': linking libtool libraries using a non-POSIX
archiver requires 'AM_PROG_AR' in 'configure.ac'
(one for each .la)
Eric Leblond [Sun, 4 Nov 2012 08:19:34 +0000 (09:19 +0100)]
XML: add missing include
Inclusion of libnetfilter_acct.h is not enough as the integer type
definition are not included in the header. So if NFCT is disable, the
compilation fails.
Eric Leblond [Fri, 2 Nov 2012 17:46:22 +0000 (18:46 +0100)]
configure: add flag to disable NFACCT build
It is now possible to pass the --disable-nfacct flag to disable
compilation of NFACCT input plugin. Doing this the build of ulogd
is possible on system where nfacct is not available.
Include Eric and myself in the copyright notice and the AUTHORS file
since we're the most recurrent contributors (of course, after the
original author of this software, Harald Welte).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Eric Leblond [Wed, 1 Aug 2012 11:27:16 +0000 (11:27 +0000)]
nfacct: add timestamp option
This patch adds a timestamp option to the nfacct plugin.
If activated, nfacct output a timestamp which is computed just
after sending the nfacct request.
Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
CC ulogd_inpflow_NFCT_la-ulogd_inpflow_NFCT.lo
ulogd_inpflow_NFCT.c: In function 'configure_nfct':
ulogd_inpflow_NFCT.c:977:28: warning: unused variable 'cpi' [-Wunused-variable]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Eric Leblond [Wed, 1 Aug 2012 11:27:15 +0000 (11:27 +0000)]
pgsql: only disable key if it starts with underscore
ulogd2 was magically making inactive the first key of description
table. This patch improves this system by only doing so when
the key start with an undescore. This way, system like nfacct which
do not have a primary key can be implemented easily.
Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Eric Leblond [Wed, 1 Aug 2012 11:27:14 +0000 (11:27 +0000)]
pgsql schema: fix timestamp default value
Set timestamp default value to now() not now which is the time at
table creation.
Reported-by: Mr Dash Four <mr.dash.four@googlemail.com> Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Eric Leblond [Wed, 1 Aug 2012 11:27:12 +0000 (11:27 +0000)]
nfacct: add variable to not zero counter after read
The default nfacct input plugin zeroes counter after each read. This
is a limitation as other software can't use the counter at the same
time as ulogd2.
This patch adds the zerocounter variable to the NFACCT input plugin.
If set to zero, the counters are not zeroed.
Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Eric Leblond [Wed, 18 Jul 2012 20:56:04 +0000 (20:56 +0000)]
NFCT: fix crash in polling mode if used by two stacks
The polling timer initialisation code was put in the configurator
code. It was then created for all instances. But only first one has
a valid NFCT handle. This was resulting in a crash.
This patch moves the timer initialisation in the constructor which
is called only once on the main NFCT instance.
Signed-off-by: Eric Leblond <eric@regit.org> Reported-by: Gomathivinayagam Muthuvinayagam <sankarmail@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
projects / thirdparty / ulogd2.git / log
