This patch introduces a new plugin MAC2STR which is in charge
of conversion to string of MAC address. It is used by database
output plugin to store MAC related information.
This patch fixes a problem in the SQL reconnection algorithm which is managed in
the db.c file for PgSQL and MySQL. In case of a problem during request execution
a new connection to the database was immediately started without closing the
previous one. The consequence was to block the database by having too many
simultaneous open connections.
This patch fixes the problem by disconnecting from the database after a
request failure and trying to reconnect after a delay which is by default
2 seconds. This delay can be customized via the reconnect configuration
variable in the database configuration section.
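Added example (not ulogd's db.c): a constructed stand-in for the database handle that makes the connection leak observable, with the old "reconnect without closing" behaviour beside the fixed "disconnect, then retry after the configured delay" behaviour. The struct, function and configuration names are assumptions for illustration.

```c
#include <stdbool.h>
#include <time.h>

/* Constructed stand-in for a PgSQL/MySQL client: counts open handles so
 * that leaking them is visible. Not ulogd's own code. */
static int open_connections = 0;

struct db_instance {
    bool connected;
    int reconnect_delay;   /* seconds, the "reconnect" config variable */
    time_t reconnect_at;   /* earliest time a reconnect may be attempted */
};

static int db_connect(struct db_instance *di) {
    open_connections++;
    di->connected = true;
    return 0;
}

static void db_disconnect(struct db_instance *di) {
    if (di->connected) { open_connections--; di->connected = false; }
}

/* Old behaviour: open a new connection without closing the failed one. */
int on_failure_leaky(struct db_instance *di, time_t now) {
    (void)now;
    return db_connect(di);
}

/* Fixed behaviour: close the failed connection first, then reconnect only
 * once reconnect_delay seconds have elapsed. Returns 0 when reconnected. */
int on_failure_fixed(struct db_instance *di, time_t now) {
    if (di->connected) {
        db_disconnect(di);
        di->reconnect_at = now + di->reconnect_delay;
        return -1;           /* not reconnected yet: back off */
    }
    if (now < di->reconnect_at)
        return -1;           /* delay not elapsed, keep waiting */
    return db_connect(di);
}

/* Drive `failures` consecutive request failures one second apart and
 * report how many connections are left open afterwards. */
int simulate(int failures, bool use_fix) {
    open_connections = 0;
    struct db_instance di = { .connected = false, .reconnect_delay = 2, .reconnect_at = 0 };
    db_connect(&di);
    for (int t = 1; t <= failures; t++)
        use_fix ? on_failure_fixed(&di, (time_t)t) : on_failure_leaky(&di, (time_t)t);
    return open_connections;
}
```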
This patch adds support of event type display in printflow filter. This is used
to display event type in textual output modules. Here's an output example:
This patch contains two linked modifications in NFCT input plugin:
- event mask is now configurable through the event_mask configuration variable
- event type is now stored in the ct.event output key. This can be used to
display the information or to use it to implement some tracking algorithm in
userspace.
This patch adds plist, a linked list, to the pluginstance
structure. It can be used by input modules to duplicate an
entry. This solves the issue of not being able to use the same
plugin instance twice.
The IP2BIN filter converts an IP address from host storage to a "binary" string which
can be used by MySQL. This is not strictly speaking raw data but it was of type
RAW.
Following a remark from Hugo Mildenberger, I introduce in this patch a dedicated
type ULOGD_RET_RAWSTR. The main reason not to use a ULOGD_RET_STRING parameter
is that the parameter is not human readable.
This patch adds oob.hook to the list of fields exported to the databases. This
adds the capability to know where the packet has been logged and will be used
to make a link between connection and logged packets.
This patch adds support for AF_BRIDGE to the PRINTPKT plugin, which allows to form log lines for packets coming from ebtables. Currently it supports IPv4, IPv6 and ARP.
Adds AF_BRIDGE and ARP header interpreter to BASE plugin
This patch adds an AF_BRIDGE interpreter to ulogd_raw2packet_BASE plugin, which allows to log packets coming from ebtables. It also adds an ARP header decoder.
From: Eric Leblond <eric@inl.fr>
Some macros were defined several times. This was the case of GET_VALUE and
pp_is_valid. This patch puts the definition in ulogd.h and fixes the
definition of pp_is_valid which was wrong (causing a segfault by accessing
fields at NULL).
From: Eric Leblond <eric@inl.fr>
The treatment of the return value of some functions from the libnetfilter_log API was wrong and this was preventing some fields from being propagated through the stack.
This patch adds some examples of stack to the configuration file.
It also fixes some comments to avoid confusion. IP2BIN has been
added to the list of loaded modules.
When using NFLOG or ULOG, oob.family (protocol IPv4 or IPv6) has
to be set up manually in the ulogd.conf configuration file. This is
used by the BASE filter to properly parse the packet. This
patch suppresses oob.family as an output key of NFLOG and ULOG and lets
the BASE filter determine the family of the packet by itself (by
parsing the raw header).
A good side effect is to be able to log IPv6 and IPv4 in the
same group. Before that, two loggers had to be set up separately.
From Eric Leblond <eric@inl.fr>:
This patch modifies ulogd_filter_IFINDEX to use libnfnetlink for index to
interface name mapping instead of using a local version. This requires at least
libnfnetlink 0.0.30. This dependency is checked in configure (thanks to
Sebastien Tricaud for his patch).
From: Pierre Chifflier <chifflier@inl.fr>
This patch adds oob_family to the schema. Thus it is now possible to easily select IPv4 or IPv6 entries in the database. This patch also explicitly selects fields to create view.
From: Eric Leblond <eric@inl.fr>
This module converts an IP from internal notation to a string in binary notation
which is used by the MySQL output plugin.
From: Eric Leblond <eric@inl.fr>
- This patch suppresses the key relative to IPv6 addresses because IPv4 and IPv6 can be stored in the same key.
- Add missing IP2STR line to ulogd.conf.in
This module is a generic module which is used to convert an IP from internal representation to string representation. This is a task needed by several modules like printpkt or pgsql. This module factorizes the code.
From: Eric Leblond <eric@inl.fr>:
For OPRINT, changed sighup_handler_print to fallback to continue using old descriptor on new file opening failure.
Based on Marius Tomaschewski work.
From: Eric Leblond <eric@inl.fr>:
Added explicit null termination of the hostname buffer
This patch is a backport of Marius Tomaschewski <mt@suse.de> work on ulogd.
From: Eric Leblond <eric@inl.fr>
It is difficult to find how to configure a plugin. This patch adds an info
option which can be used to display:
* Name
* Configuration variables
* Input keys
* Output keys
This patch adds a new SQL schema for MySQL and PGsql. The goal is to improve the one line per entry format. There is no longer a big table with all fields because this sort of storage causes bad performance (databases don't like to have a lot of NULL fields to store).
Main changes are :
* Add new schema for MySQL and PGsql
* Use call to configurable procedure in SQL OUTPUT modules
* Arguments of a procedure are given by the list of fields of a selected table
The following patch fixes MySQL and Pgsql output modules.
The callback function was not correctly initialized and this was leading
to a crash by calling a NULL function. This patch correctly inits
the callback.
[PATCH 5/5] stores the converted syslog parameters set within config file
This patch stores the converted values from the configuration file
into the syslog instance structure.
Otherwise configuration parameters are senseless and only the
default values will be used.
This is a workaround which prevents ulogd from logging each
time recvfrom() returns an error because of EAGAIN.
Since the netlink socket is now O_NONBLOCK, we probably run
into the following bug:
http://bugzilla.kernel.org/show_bug.cgi?id=5498
which causes recvfrom() to get an error when select() had a good
return, whenever select() receives a packet with a bad checksum.
ipulog_read() always has this problem once after every successful
ipulog_read().
Signed-off-by: Peter Warasin <peter@endian.com>
[Note: this is not a workaround but correct handling of EAGAIN
on a non-blocking socket. -Patrick]
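Added example (not ulogd's ULOG plugin code) of the EAGAIN handling Patrick's note describes: on a non-blocking socket, EAGAIN/EWOULDBLOCK means "nothing to read yet" and is distinguished from a real error instead of being logged as one. The function names and the socketpair-based demo are constructed for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Distinct result codes so that a zero-length datagram (0) is not confused
 * with "would block". */
enum { READ_WOULD_BLOCK = -2, READ_ERROR = -1 };

/* Read one datagram from a non-blocking socket. EAGAIN/EWOULDBLOCK is a
 * normal condition (no data queued) and must not be treated or logged as a
 * failure; EINTR is retried; anything else is a genuine error with errno
 * left intact for the caller to report via strerror(). */
ssize_t read_packet(int fd, char *buf, size_t len) {
    for (;;) {
        ssize_t n = recvfrom(fd, buf, len, 0, NULL, NULL);
        if (n >= 0)
            return n;
        if (errno == EINTR)
            continue;
        if (errno == EAGAIN || errno == EWOULDBLOCK)
            return READ_WOULD_BLOCK;
        return READ_ERROR;   /* e.g. EBADF, ENOTSOCK */
    }
}

/* Constructed demo: non-blocking AF_UNIX datagram socketpair, read while
 * empty (expect would-block), then read after one message is queued.
 * Returns 0 when both reads behave as expected. */
int demo_eagain(void) {
    int sv[2], rc = 1;
    char buf[64];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return 1;
    fcntl(sv[0], F_SETFL, fcntl(sv[0], F_GETFL) | O_NONBLOCK);
    if (read_packet(sv[0], buf, sizeof buf) != READ_WOULD_BLOCK) goto out;
    if (write(sv[1], "pkt", 3) != 3) goto out;
    if (read_packet(sv[0], buf, sizeof buf) != 3) goto out;
    rc = 0;
out:
    close(sv[0]);
    close(sv[1]);
    return rc;
}

/* An invalid descriptor must surface as a real error, not as EAGAIN. */
int bad_fd_is_error(void) {
    char buf[8];
    return read_packet(-1, buf, sizeof buf) == READ_ERROR;
}
```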
[PATCH 3/5] Logs also ipulog_strerror() and strerror() within ULOG plugin
This patch also logs the string representations ipulog_strerror()
and strerror() when an error occurred during reception of packets
within the ULOG plugin.
[PATCH 1/5] openlog() to syslog for global ulogd log messages
When [global]'s logfile is syslog, ulogd should log its own
messages (not the firewall log lines) to syslog, which it
doesn't because openlog() is missing. This patch adds openlog().
Eric Leblond <eric@inl.fr>
- add a call to autoheader which is needed to compile ulogd2 from subversion.
- add a warning message to ulogd2 when it exits on error. It simply tells the user to look at the configuration file.
- add an empty section which is needed to have NFCT logging
working.
Add IPv6 support, fix a few incorrect key assignments and make sure this doesn't
repeat by using symbolic names to make sure the assignment matches the array
index.
Move the printpkt functionality out of SYSLOG and LOGEMU, and into
a separate PRINTPKT plugin. This reduces code duplication, and also
makes the SYSLOG and LOGEMU plugins more general. (Philip Craig)
move definition of ULOGD_LOGFILE_DEFAULT and ULOGD_CONFIGFILE to Makefile.am,
Set default config and log files based on configure.
Note that these defines cannot be placed in config.h, since they
depend on the prefix, which must be expanded by make. (Philip Craig)
"configure --without-pgsql" or "configure --with-pgsql=no" should
force the pgsql plugin to be disabled. Same for mysql, pcap and sqlite3.
(Philip Craig)