ulogd2: Update to version 2.0.5

This package adds logging of the flows and packets to an sqlite
database that can be used to get statistical output.

Logging to syslog as known from IPFire 2 has been added as well
but is only temporary until there is a way to view the logged
packets on the console.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This commit is contained in:
Michael Tremer 2015-06-08 13:12:24 +00:00
parent 3f933e235d
commit ce284ff341
5 changed files with 180 additions and 67 deletions


@ -0,0 +1,26 @@
diff --git a/output/sqlite3/ulogd_output_SQLITE3.c b/output/sqlite3/ulogd_output_SQLITE3.c
index 5c49055..e3eff6f 100644
--- a/output/sqlite3/ulogd_output_SQLITE3.c
+++ b/output/sqlite3/ulogd_output_SQLITE3.c
@@ -212,7 +212,8 @@ sqlite3_interp(struct ulogd_pluginstance *pi)
return ULOGD_IRET_OK;
err_bind:
- ulogd_log(ULOGD_ERROR, "SQLITE: bind: %s\n", sqlite3_errmsg(priv->dbh));
+ ulogd_log(ULOGD_ERROR, "SQLITE: bind: %s (field: %s)\n", sqlite3_errmsg(priv->dbh),
+ f->key->name);
return ULOGD_IRET_ERR;
}
@@ -353,8 +354,10 @@ sqlite3_init_db(struct ulogd_pluginstance *pi)
}
strncpy(f->name, buf, ULOGD_MAX_KEYLEN);
- if ((f->key = ulogd_find_key(pi, buf)) == NULL)
+ if ((f->key = ulogd_find_key(pi, buf)) == NULL) {
+ ulogd_log(ULOGD_ERROR, "SQLITE3: Could not find field %s\n", buf);
return -1;
+ }
TAILQ_INSERT_TAIL(&priv->fields, f, link);
}
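Review bot: The two new messages use different prefixes, `SQLITE:` on the bind error and `SQLITE3:` on the missing-field error, which makes it harder to grep the ulogd log for this plugin's failures; pick one, e.g. `ulogd_log(ULOGD_ERROR, "SQLITE: Could not find field %s\n", buf);`. The err_bind message now dereferences `f->key->name`, which is only safe if every jump to `err_bind` happens after `f` is set and `f->key` was resolved by `ulogd_find_key`; the hunk does not show the bind loop, so this is worth confirming, since a NULL there turns a logged bind failure into a crash of the logging daemon. The early `return -1` in `sqlite3_init_db` still happens before the `TAILQ_INSERT_TAIL` of `f`, so if `f` was allocated per iteration it is leaked on this path (the allocation is outside the hunk). Both enclosing functions start outside the hunk.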


@ -1,21 +1,126 @@
CREATE TABLE ulog ( CREATE TABLE hits (
raw_mac VARCHAR(80), oob_time_sec INTEGER NOT NULL,
oob_time_sec INT UNSIGNED, oob_time_usec INTEGER NOT NULL,
oob_time_usec INT UNSIGNED, oob_hook INTEGER,
ip_saddr INT UNSIGNED, oob_prefix TEXT,
ip_daddr INT UNSIGNED, mac_saddr_str TEXT,
ip_protocol TINYINT UNSIGNED, mac_daddr_str TEXT,
ip_totlen SMALLINT UNSIGNED, oob_in TEXT,
tcp_sport SMALLINT UNSIGNED, oob_out TEXT,
tcp_dport SMALLINT UNSIGNED, oob_family INTEGER,
udp_sport SMALLINT UNSIGNED, oob_protocol INTEGER,
udp_dport SMALLINT UNSIGNED, oob_uid INTEGER,
udp_len SMALLINT UNSIGNED, oob_gid INTEGER,
icmp_type TINYINT UNSIGNED, oob_mark INTEGER,
icmp_code TINYINT UNSIGNED, ip_saddr BLOB,
icmp_echoid SMALLINT UNSIGNED, ip_saddr_str TEXT,
icmp_echoseq SMALLINT UNSIGNED, ip_daddr BLOB,
icmp_gateway INT UNSIGNED, ip_daddr_str TEXT,
icmp_fragmtu SMALLINT UNSIGNED ip_protocol INTEGER,
); ip_tos INTEGER,
ip_ttl INTEGER,
ip_totlen INTEGER,
ip_id INTEGER,
ip_fragoff INTEGER,
ip6_payloadlen INTEGER,
ip6_priority INTEGER,
ip6_hoplimit INTEGER,
ip6_flowlabel INTEGER,
ip6_nexthdr INTEGER,
ip6_fragoff INTEGER,
ip6_fragid INTEGER,
tcp_sport INTEGER,
tcp_dport INTEGER,
tcp_seq INTEGER,
tcp_ackseq INTEGER,
tcp_window INTEGER,
tcp_syn INTEGER,
tcp_ack INTEGER,
tcp_rst INTEGER,
tcp_fin INTEGER,
tcp_urg INTEGER,
tcp_urgp INTEGER,
udp_sport INTEGER,
udp_dport INTEGER,
udp_len INTEGER,
icmp_type INTEGER,
icmp_code INTEGER,
icmp_echoid INTEGER,
icmp_echoseq INTEGER,
icmp_gateway INTEGER,
icmp_fragmtu INTEGER,
icmpv6_type INTEGER,
icmpv6_code INTEGER,
icmpv6_echoid INTEGER,
icmpv6_echoseq INTEGER,
icmpv6_csum INTEGER,
ahesp_spi INTEGER,
arp_hwtype INTEGER,
arp_protocoltype INTEGER,
arp_operation INTEGER,
arp_shwaddr BLOB,
arp_saddr_str TEXT,
arp_dhwaddr BLOB,
arp_daddr_str TEXT,
sctp_sport INTEGER,
sctp_dport INTEGER,
sctp_csum INTEGER
);
CREATE INDEX hits_time ON hits(oob_time_sec);
CREATE INDEX hits_prefix ON hits(oob_prefix);
CREATE INDEX hits_oob_family ON hits(oob_family);
/* Layer 2 - MAC addresses */
CREATE INDEX hits_mac_saddr ON hits(mac_saddr_str);
CREATE INDEX hits_mac_daddr ON hits(mac_daddr_str);
/* Layer 3 - IP */
CREATE INDEX hits_ip_saddr ON hits(ip_saddr);
CREATE INDEX hits_ip_daddr ON hits(ip_daddr);
CREATE INDEX hits_ip_protocol ON hits(ip_protocol);
/* Layer 4 protocols */
CREATE INDEX hits_tcp_sport ON hits(tcp_sport);
CREATE INDEX hits_tcp_dport ON hits(tcp_dport);
CREATE INDEX hits_udp_sport ON hits(udp_sport);
CREATE INDEX hits_udp_dport ON hits(udp_dport);
CREATE INDEX hits_sctp_sport ON hits(sctp_sport);
CREATE INDEX hits_sctp_dport ON hits(sctp_dport);
CREATE INDEX hits_icmpv6_type ON hits(icmpv6_type);
CREATE INDEX hits_icmp_type ON hits(icmp_type);
CREATE TABLE flows (
flow_start_sec INTEGER,
flow_start_usec INTEGER,
flow_end_sec INTEGER,
flow_end_usec INTEGER,
orig_ip_saddr BLOB NOT NULL,
orig_ip_saddr_str TEXT NOT NULL,
orig_ip_daddr BLOB NOT NULL,
orig_ip_daddr_str TEXT NOT NULL,
orig_ip_protocol INTEGER NOT NULL,
orig_l4_sport INTEGER,
orig_l4_dport INTEGER,
orig_raw_pktcount INTEGER NOT NULL,
orig_raw_pktlen INTEGER NOT NULL,
reply_ip_saddr BLOB NOT NULL,
reply_ip_saddr_str BLOB NOT NULL,
reply_ip_daddr BLOB NOT NULL,
reply_ip_daddr_str BLOB NOT NULL,
reply_ip_protocol INTEGER NOT NULL,
reply_l4_sport INTEGER,
reply_l4_dport INTEGER,
reply_raw_pktcount INTEGER NOT NULL,
reply_raw_pktlen INTEGER NOT NULL,
icmp_code INTEGER,
icmp_type INTEGER,
ct_id INTEGER NOT NULL,
ct_event INTEGER NOT NULL,
ct_mark INTEGER
);
CREATE INDEX flows_ip_saddr ON flows(orig_ip_saddr);
CREATE INDEX flows_ip_daddr ON flows(orig_ip_daddr);
CREATE INDEX flows_ip_protocol ON flows(orig_ip_protocol);
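Review bot: `reply_ip_saddr_str` and `reply_ip_daddr_str` are declared `BLOB NOT NULL` while every other `_str` column in both tables is `TEXT`; SQLite's affinity rules will still store the string, but the mismatch is a trap for anyone comparing or indexing these columns later, so change both to `reply_ip_saddr_str TEXT NOT NULL,` and `reply_ip_daddr_str TEXT NOT NULL,`. The `flows` table also gets no time index although `hits` has `hits_time`, so any time-window query or retention pruning on flows is a full scan; `CREATE INDEX flows_start ON flows(flow_start_sec);` would match the packet table. Neither table has a retention mechanism and `hits` carries sixteen secondary indexes on what is a high-rate insert path, which deserves a short comment in the schema stating that pruning must be done externally and that the index set is a deliberate write-cost trade-off.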


@ -5,9 +5,6 @@
# GLOBAL OPTIONS # GLOBAL OPTIONS
###################################################################### ######################################################################
# logfile for status messages
logfile="/var/log/ulogd/ulogd.log"
# loglevel: debug(1), info(3), notice(5), error(7) or fatal(8) # loglevel: debug(1), info(3), notice(5), error(7) or fatal(8)
loglevel=7 loglevel=7
@ -22,7 +19,7 @@ loglevel=7
# 2. options for each plugin in seperate section below # 2. options for each plugin in seperate section below
plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so" plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/ulogd/ulogd_inppkt_ULOG.so" #plugin="/usr/lib/ulogd/ulogd_inppkt_ULOG.so"
plugin="/usr/lib/ulogd/ulogd_inpflow_NFCT.so" plugin="/usr/lib/ulogd/ulogd_inpflow_NFCT.so"
plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so" plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so" plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so"
@ -31,7 +28,7 @@ plugin="/usr/lib/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib/ulogd/ulogd_filter_HWHDR.so" plugin="/usr/lib/ulogd/ulogd_filter_HWHDR.so"
plugin="/usr/lib/ulogd/ulogd_filter_PRINTFLOW.so" plugin="/usr/lib/ulogd/ulogd_filter_PRINTFLOW.so"
#plugin="/usr/lib/ulogd/ulogd_filter_MARK.so" #plugin="/usr/lib/ulogd/ulogd_filter_MARK.so"
plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so" #plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/lib/ulogd/ulogd_output_SYSLOG.so" plugin="/usr/lib/ulogd/ulogd_output_SYSLOG.so"
#plugin="/usr/lib/ulogd/ulogd_output_OPRINT.so" #plugin="/usr/lib/ulogd/ulogd_output_OPRINT.so"
#plugin="/usr/lib/ulogd/ulogd_output_NACCT.so" #plugin="/usr/lib/ulogd/ulogd_output_NACCT.so"
@ -42,38 +39,26 @@ plugin="/usr/lib/ulogd/ulogd_output_SYSLOG.so"
plugin="/usr/lib/ulogd/ulogd_output_SQLITE3.so" plugin="/usr/lib/ulogd/ulogd_output_SQLITE3.so"
plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so" plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"
# this is a stack for logging packet send by system via LOGEMU # Log packets
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU stack=src-pkt:NFLOG,base:BASE,ifindex:IFINDEX,ip2str:IP2STR,hw:HWHDR,db-packets:SQLITE3
stack=src-pkt:NFLOG,base:BASE,ifindex:IFINDEX,ip2str:IP2STR,print:PRINTPKT,syslog:SYSLOG
# this is a stack for NFLOG packet-based logging to PCAP # Log connection tracking events
#stack=log1:NFLOG,base1:BASE,pcap1:PCAP stack=src-ct:NFCT,ip2bin:IP2BIN,ip2str:IP2STR,print-flow:PRINTFLOW,db-flows:SQLITE3
# this is a stack for logging packet to sqlite [src-pkt]
#stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mac2str1:HWHDR,sqlite1:SQLITE3
# this is a stack for logging packets to syslog after a collect via NFLOG
#stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG
# Logging of system packet through NFLOG
[log1]
# netlink multicast group (the same as the iptables --nflog-group param)
# Group O is used by the kernel to log connection tracking invalid message
group=0 group=0
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
# set number of packet to queue inside kernel
#netlink_qthreshold=1
# set the delay before flushing packet in the queue inside kernel (in ms)
#netlink_qtimeout=1000
bind=1 bind=1
[emu1] [src-ct]
file="/var/log/ulogd/syslogemu.log" # Only receive DESTROY events
sync=1 event_mask=0x00000004
hash_enable=1
[pcap1] [db-packets]
sync=1 db=/var/lib/ulogd/ulogd.db
table=hits
[sqlite1] [db-flows]
db=/var/log/ulogd/ulogd.db db=/var/lib/ulogd/ulogd.db
table=ulog table=flows
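Review bot: `db-packets` and `db-flows` both open `/var/lib/ulogd/ulogd.db`, so one process holds two SQLite connections writing the same file; SQLite serializes these through file locks, and under a packet burst the second writer can get `SQLITE_BUSY` unless the plugin installs a busy handler, which this config cannot show. If the plugin does not, consider one database file per stack, or at least document the shared-file choice next to the two `db=` lines, e.g. `# both stacks share one database; concurrent writes are serialized by SQLite locking`. The NFLOG stack keeps `group=0` with `bind=1` but drops the removed comment explaining that the kernel uses group 0 for conntrack invalid messages; that explanation should be carried over into the new `[src-pkt]` section. The `event_mask=0x00000004` line is explained only as "Only receive DESTROY events"; if the reason is that final counters are only available at DESTROY, saying so in the comment would help the next reader.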


@ -1,7 +0,0 @@
/var/log/ulogd.log /var/log/ulogd.syslogemu /var/log/ulogd.pktlog /var/log/ulogd.pcap {
missingok
sharedscripts
postrotate
/bin/killall -HUP ulogd 2> /dev/null || true
endscript
}


@ -4,7 +4,7 @@
############################################################################### ###############################################################################
name = ulogd2 name = ulogd2
version = 2.0.4 version = 2.0.5
release = 1 release = 1
epoch = 1 epoch = 1
@ -40,15 +40,15 @@ build
# Set libdir to "/usr/lib" for every architecture to install the ulogd2 plugins # Set libdir to "/usr/lib" for every architecture to install the ulogd2 plugins
# to this folder. # to this folder.
configure_options+= \ configure_options+= \
--sysconfdir=/etc \
--libdir=%{prefix}/lib --libdir=%{prefix}/lib
install_cmds install_cmds
mkdir -pv %{BUILDROOT}/etc mkdir -pv %{BUILDROOT}%{sysconfdir}
cp -vf %{DIR_SOURCE}/ulogd.conf %{BUILDROOT}/etc/ulogd.conf cp -vf %{DIR_SOURCE}/ulogd.conf %{BUILDROOT}%{sysconfdir}/ulogd.conf
mkdir -pv %{BUILDROOT}/var/log/ulogd mkdir -pv %{BUILDROOT}%{sharedstatedir}/ulogd
sqlite3 -echo %{BUILDROOT}/var/log/ulogd/ulogd.db < %{DIR_SOURCE}/sqlite3.table sqlite3 -echo %{BUILDROOT}%{sharedstatedir}/ulogd/ulogd.db \
< %{DIR_SOURCE}/sqlite3.table
end end
end end
@ -61,7 +61,11 @@ packages
end end
configfiles configfiles
/etc/ulogd.conf %{sysconfdir}/ulogd.conf
end
datafiles
%{sharedstatedir}/ulogd/ulogd.db
end end
script postin script postin
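Review bot: Shipping the pre-created `ulogd.db` as a `datafiles` entry means each package update reinstalls the empty build-time database over the live one, discarding every logged packet and flow, unless Pakfire preserves datafiles, in which case the opposite problem appears: schema changes such as this commit's `ulog` to `hits` rename never reach existing installs. Either way the database itself should not be a packaged file; install `sqlite3.table` instead and create the database in `postin` only when it is absent (sqlite3 is already required at build time, so confirm it is also a runtime dependency). The build step also leaves the file with default permissions although it will hold source addresses and `oob_uid` values for every logged packet, so the same postin step should set a restrictive mode on `/var/lib/ulogd`. The `postin` script body is outside this hunk, so only the install side is sketched below.
```makefile
install_cmds
	mkdir -pv %{BUILDROOT}%{sysconfdir}
	cp -vf %{DIR_SOURCE}/ulogd.conf %{BUILDROOT}%{sysconfdir}/ulogd.conf
	mkdir -pv %{BUILDROOT}%{sharedstatedir}/ulogd
	# Ship the schema only; the live database is created by postin on first install
	cp -vf %{DIR_SOURCE}/sqlite3.table %{BUILDROOT}%{sharedstatedir}/ulogd/sqlite3.table
end
# … unchanged: packages section …
datafiles
	%{sharedstatedir}/ulogd/sqlite3.table
end
```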