SVN ULOG2

SVN ULOG2

[Anton]

Hello!

A little question, regarding the current status of ULOGD2, 
and could it be used in the live accounting? 
Just trying to compile fresh SVN of ulog2 and noticed that 
lots of dependencies to fresh versions of NF libraries, and 
ULOG2 tries to compile MAC2STR, which does not exists in the 
ULOGD2 sources tree, so I had to remove it from Makefile to 
get it compiling.
Maybe ULOGD2 still is in deep development and not ready to 
any use yet?

Thanks in advance,
Anton.

Re: SVN ULOG2

[Pablo Neira Ayuso]

Anton wrote:
> Hello!
> 
> A little question, regarding the current status of ULOGD2, 
> and could it be used in the live accounting? 
> Just trying to compile fresh SVN of ulog2 and noticed that 
> lots of dependencies to fresh versions of NF libraries, and 
> ULOG2 tries to compile MAC2STR, which does not exists in the 
> ULOGD2 sources tree, so I had to remove it from Makefile to 
> get it compiling.

I forgot to commit the MAC2STR file. Please, refresh you SVN tree.

> Maybe ULOGD2 still is in deep development and not ready to 
> any use yet?

As you said, it's under development but any help in testing and
bugreporting would be great.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

Re: SVN ULOG2

[Anton]

On Wednesday 09 April 2008 16:01, Pablo Neira Ayuso wrote:

> As you said, it's under development but any help in
> testing and bugreporting would be great.

Will be glad to help atleast this way!

Regards,
Anton.

Re: SVN ULOG2

[Anton VG]

configure, created by autogen.sh generates the following error if
libnfnetlink is not installed.
(debian etch).

checking for socket... yes
checking for strerror... yes
./configure: line 20862: syntax error near unexpected token `LIBNFNETLINK,'
./configure: line 20862: `PKG_CHECK_MODULES(LIBNFNETLINK, libnfnetlink
>= $LIBNFNETLINK_REQUIRED,,'


2008/4/9, Pablo Neira Ayuso <pablo@netfilter.org>:
> Anton wrote:
>  > Hello!
>  >
>  > A little question, regarding the current status of ULOGD2,
>  > and could it be used in the live accounting?
>  > Just trying to compile fresh SVN of ulog2 and noticed that
>  > lots of dependencies to fresh versions of NF libraries, and
>  > ULOG2 tries to compile MAC2STR, which does not exists in the
>  > ULOGD2 sources tree, so I had to remove it from Makefile to
>  > get it compiling.
>
>
> I forgot to commit the MAC2STR file. Please, refresh you SVN tree.
>
>
>  > Maybe ULOGD2 still is in deep development and not ready to
>  > any use yet?
>
>
> As you said, it's under development but any help in testing and
>  bugreporting would be great.
>
>
>  --
>  "Los honestos son inadaptados sociales" -- Les Luthiers
>

Re: SVN ULOG2

[Anton VG]

[-- Attachment #1: Type: text/plain, Size: 962 bytes --]

One more issue (though not sure is I did not miss something in configuration)

Trying to do Postgresql logging. Postgres 8.3
This is the entry, ulogd fails initializing on.

Thu Apr 10 18:02:26 2008 <7> ulogd.c:699 cannot find key
`mac.saddr.str' in stack
Thu Apr 10 18:02:26 2008 <1> ulogd.c:831 destroying stack
Thu Apr 10 18:02:26 2008 <8> ulogd.c:1084 not even a single working plugin stack

If I do syslog logging - ulogd atleast starts.

Full ulog.log is attached.

2008/4/9, Anton <anton.vazir@gmail.com>:
> On Wednesday 09 April 2008 16:01, Pablo Neira Ayuso wrote:
>
>  > As you said, it's under development but any help in
>  > testing and bugreporting would be great.
>
>
> Will be glad to help atleast this way!
>
>  Regards,
>
> Anton.
>  --
>  To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
>  the body of a message to majordomo@vger.kernel.org
>  More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

[-- Attachment #2: ulogd.log.bz2 --]
[-- Type: application/x-bzip2, Size: 1224 bytes --]

Re: SVN ULOG2

[Eric Leblond]

Hello,

> One more issue (though not sure is I did not miss something in
> configuration)
>
> Trying to do Postgresql logging. Postgres 8.3
> This is the entry, ulogd fails initializing on.
>
> Thu Apr 10 18:02:26 2008 <7> ulogd.c:699 cannot find key
> `mac.saddr.str' in stack
> Thu Apr 10 18:02:26 2008 <1> ulogd.c:831 destroying stack
> Thu Apr 10 18:02:26 2008 <8> ulogd.c:1084 not even a single working plugin
> stack

Ok, it seems you've pointed to the wrong 'table' option. You should not
point to ulog but to ulog2_ct.
But you will next have to set 'procedure' to a hmmm not yet written in
Postgres function ...

I do not have the time to do it now but I think you can easily write one
based on the INSERT_CT function in mysql schema.

BR,
--
Eric Leblond
INL : http://www.inl.fr
NuFW, Now User Filtering Works (http://www.nufw.org)

Re: SVN ULOG2

[Anton VG]

In the case when "ulog2" instead "ulog" in the config - it fails even
sooner. See output below... I noticed that there is no table ulog, but
since it 's written so in sample config file, and there is a view,
named "ulog" in the DB schema - I supposed that should be so. The
"timestamp" row it's failing - passed normally when "ulog" table is
used.

Thu Apr 10 20:39:54 2008 <1> ulogd.c:705 assigning `ip.csum(?)' as
source for PGSQL(ip.csum)
Thu Apr 10 20:39:54 2008 <1> ulogd.c:605 base1(BASE)
Thu Apr 10 20:39:54 2008 <1> ulogd.c:705 assigning `ip.id(?)' as
source for PGSQL(ip.id)
Thu Apr 10 20:39:54 2008 <1> ulogd.c:605 base1(BASE)
Thu Apr 10 20:39:54 2008 <1> ulogd.c:705 assigning `ip.fragoff(?)' as
source for PGSQL(ip.fragoff)
Thu Apr 10 20:39:54 2008 <7> ulogd.c:699 cannot find key `timestamp' in stack
Thu Apr 10 20:39:54 2008 <1> ulogd.c:831 destroying stack
Thu Apr 10 20:39:54 2008 <8> ulogd.c:1084 not even a single working plugin stack

Regards,
Anton.

2008/4/10, Eric Leblond <eric@inl.fr>:
> Hello,
>
>
>  > One more issue (though not sure is I did not miss something in
>  > configuration)
>  >
>  > Trying to do Postgresql logging. Postgres 8.3
>  > This is the entry, ulogd fails initializing on.
>  >
>  > Thu Apr 10 18:02:26 2008 <7> ulogd.c:699 cannot find key
>  > `mac.saddr.str' in stack
>  > Thu Apr 10 18:02:26 2008 <1> ulogd.c:831 destroying stack
>  > Thu Apr 10 18:02:26 2008 <8> ulogd.c:1084 not even a single working plugin
>  > stack
>
>
> Ok, it seems you've pointed to the wrong 'table' option. You should not
>  point to ulog but to ulog2_ct.
>  But you will next have to set 'procedure' to a hmmm not yet written in
>  Postgres function ...
>
>  I do not have the time to do it now but I think you can easily write one
>  based on the INSERT_CT function in mysql schema.
>
>  BR,
>
> --
>  Eric Leblond
>  INL : http://www.inl.fr
>  NuFW, Now User Filtering Works (http://www.nufw.org)
>
>

Re: SVN ULOG2

[Eric Leblond]

Hello,

> In the case when "ulog2" instead "ulog" in the config - it fails even
> sooner. See output below... I noticed that there is no table ulog, but
> since it 's written so in sample config file, and there is a view,
> named "ulog" in the DB schema - I supposed that should be so. The
> "timestamp" row it's failing - passed normally when "ulog" table is
> used.

I wrote ulogd2_ct and not ulog2 ;)

The table argument contains the list of fields that will be needed as
INPUT key. In the SQL schema ulog and ulog2 are for packet based logging.
The flow based logging table is ulog2_ct.

>> Ok, it seems you've pointed to the wrong 'table' option. You should not
>>  point to ulog but to ulog2_ct.

BR,
--
Eric Leblond
INL : http://www.inl.fr
NuFW, Now User Filtering Works (http://www.nufw.org)

Re: SVN ULOG2

[Anton]

:) Looks like I'm missing something.
Naming ulogd2_ct makes it failing initializing in the 
beginning. 

Thu Apr 10 21:58:59 2008 <1> ulogd.c:705 assigning 
`orig.ip.daddr.str(?)' as source for PGSQL(orig.ip.dadd
r.str)
Thu Apr 10 21:58:59 2008 <7> ulogd.c:699 cannot find key 
`orig.ip.protocol' in stack
Thu Apr 10 21:58:59 2008 <1> ulogd.c:831 destroying stack
Thu Apr 10 21:58:59 2008 <8> ulogd.c:1084 not even a single 
working plugin stack

But - The view - ulog - it consist all of the keys which 
ulogd uses while initializing. But it consists the key 
mac.saddr.str - and here I can't get what's wrong there . 
In the code it seems key is returned as in other modules. 

static struct ulogd_key mac2str_keys[] = {
        {
                .type = ULOGD_RET_STRING,
                .flags = ULOGD_RETF_FREE,
                .name = "mac.saddr.str",
        },
};


Any ideas? ;)




On Thursday 10 April 2008 16:00, Eric Leblond wrote:
> Hello,
>
> > In the case when "ulog2" instead "ulog" in the config -
> > it fails even sooner. See output below... I noticed
> > that there is no table ulog, but since it 's written so
> > in sample config file, and there is a view, named
> > "ulog" in the DB schema - I supposed that should be so.
> > The "timestamp" row it's failing - passed normally when
> > "ulog" table is used.
>
> I wrote ulogd2_ct and not ulog2 ;)
>
> The table argument contains the list of fields that will
> be needed as INPUT key. In the SQL schema ulog and ulog2
> are for packet based logging. The flow based logging
> table is ulog2_ct.
>
> >> Ok, it seems you've pointed to the wrong 'table'
> >> option. You should not point to ulog but to ulog2_ct.
>
> BR,
> --
> Eric Leblond
> INL : http://www.inl.fr
> NuFW, Now User Filtering Works (http://www.nufw.org)

Re: SVN ULOG2

[Eric Leblond]

Hello,

> :) Looks like I'm missing something.
> Naming ulogd2_ct makes it failing initializing in the
> beginning.
>
>
> Any ideas? ;)

It seems you've got the wrong stack. To define the correct stack, you may
find this link useful :
http://software.inl.fr/trac/wiki/ulogd2/user

For NFCT based logging to Postgres, the following stack should work :
stack=ct1:NFCT,ip2str1:IP2STR,pgsql:PGSQL

BR,
--
Eric Leblond
INL : http://www.inl.fr
NuFW, Now User Filtering Works (http://www.nufw.org)

Re: SVN ULOG2

[Anton]

Seems all got simplier :) After an hour trying to define
mac.saddr.str in different places in sources (say dances 
with tambourine) i more carefully looked at the config 
file, and just addition of the following in the ulogd.conf 
resolved the issue :)

plugin="/usr/local/lib/ulogd/ulogd_filter_MAC2STR.so"
stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:MAC2STR,pgsql1:PGSQL

All the rest is the original sample of ulogd.conf

Maybe it's worth to add this line into a sample ulogd.conf 
to avoid stupid questions from newbees like me :)

Thanks so much for help Eric!
Regards to all!
Anton.

On Thursday 10 April 2008 17:34, Eric Leblond wrote:
> Hello,
>
> > :) Looks like I'm missing something.
> >
> > Naming ulogd2_ct makes it failing initializing in the
> > beginning.
> >
> >
> > Any ideas? ;)
>
> It seems you've got the wrong stack. To define the
> correct stack, you may find this link useful :
> http://software.inl.fr/trac/wiki/ulogd2/user
>
> For NFCT based logging to Postgres, the following stack
> should work : stack=ct1:NFCT,ip2str1:IP2STR,pgsql:PGSQL
>
> BR,
> --
> Eric Leblond
> INL : http://www.inl.fr
> NuFW, Now User Filtering Works (http://www.nufw.org)

Re: SVN ULOG2

[Eric Leblond]

Hello,

> plugin="/usr/local/lib/ulogd/ulogd_filter_MAC2STR.so"
> stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:MAC2STR,pgsql1:PGSQL
>
> All the rest is the original sample of ulogd.conf
>
> Maybe it's worth to add this line into a sample ulogd.conf
> to avoid stupid questions from newbees like me :)

Just send to the ML a patch to ulogd.conf.in with these modifications ;)

>
> Thanks so much for help Eric!

You're welcome.

BR,
--
Eric Leblond
INL : http://www.inl.fr
NuFW, Now User Filtering Works (http://www.nufw.org)

Re: SVN ULOG2

[Anton]

[-- Attachment #1: Type: text/plain, Size: 272 bytes --]

Patch is attached

On Thursday 10 April 2008 18:09, Eric Leblond wrote:
> > Maybe it's worth to add this line into a sample
> > ulogd.conf to avoid stupid questions from newbees like
> > me :)
>
> Just send to the ML a patch to ulogd.conf.in with these
> modifications ;)

[-- Attachment #2: conf.ini.diff --]
[-- Type: text/x-diff, Size: 1043 bytes --]

diff -Naur ulogd2/ulogd.conf.in ulogd2-doc/ulogd.conf.in
--- ulogd2/ulogd.conf.in	2008-04-12 13:02:50.000000000 +0500
+++ ulogd2-doc/ulogd.conf.in	2008-04-12 13:04:40.000000000 +0500
@@ -39,6 +39,7 @@
 plugin="@libdir@/ulogd/ulogd_filter_IP2STR.so"
 plugin="@libdir@/ulogd/ulogd_filter_IP2BIN.so"
 plugin="@libdir@/ulogd/ulogd_filter_PRINTPKT.so"
+plugin="@libdir@/ulogd/ulogd_filter_MAC2STR.so"
 plugin="@libdir@/ulogd/ulogd_filter_PRINTFLOW.so"
 plugin="@libdir@/ulogd/ulogd_output_LOGEMU.so"
 plugin="@libdir@/ulogd/ulogd_output_SYSLOG.so"
@@ -74,7 +75,7 @@
 #stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mysql1:MYSQL
 
 # this is a stack for logging IPv6 packet to PGsql after a collect via NFLOG
-#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,pgsql1:PGSQL
+#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:MAC2STR,pgsql1:PGSQL
 
 # this is a stack for logging ebtables packets to syslog after a collect via NFLOG
 #stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG

Re: SVN ULOG2

[Pablo Neira Ayuso]

Anton wrote:
> Patch is attached
> 
> On Thursday 10 April 2008 18:09, Eric Leblond wrote:
>>> Maybe it's worth to add this line into a sample
>>> ulogd.conf to avoid stupid questions from newbees like
>>> me :)
>> Just send to the ML a patch to ulogd.conf.in with these
>> modifications ;)

Applied. Thanks Anton. Please, include a Signed-off-by line next time.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers