Ulogd2 beta3 +NFCT - unable to get working

Ulogd2 beta3 +NFCT - unable to get working

[Anton VG]

Hello!

Just spent all night trying to get the %SUBJ% working, but been
unable. There is no any other example in whole internet other than
included into a package and
http://software.inl.fr/trac/wiki/ulogd2/user

Ulogd starts, and tells that everything initialized - but
/var/log/ulogd_syslogemu.log - is always 0 bytes - no logging there.

Maybe I do have to insert any special IPTABLES rule? - But I have not
found any clue what I have to get to feed connection tracking to
ULOGD.

Would anyone please direct me what am I doing wrong?

Examples does not show any nflog gropups and anything else if NFCT is
used. No iptables noticed either.

---------------------------------
ulogd.conf

# Example configuration for ulogd
# $Id$
# Adapted to Debian by Achilleas Kotsis <achille at debian.gr>

[global]
######################################################################
# GLOBAL OPTIONS
######################################################################


# logfile for status messages
logfile="/var/log/ulogd.log"

# loglevel: debug(1), info(3), notice(5), error(7) or fatal(8)
loglevel=1

######################################################################
# PLUGIN OPTIONS
######################################################################

# We have to configure and load all the plugins we want to use

# general rules:
# 1. load the plugins _first_ from the global section
# 2. options for each plugin in seperate section below


plugin="/usr/local/lib/ulogd/ulogd_inppkt_NFLOG.so"
#plugin="/usr/local/lib/ulogd/ulogd_inppkt_ULOG.so"
plugin="/usr/local/lib/ulogd/ulogd_inpflow_NFCT.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_IP2BIN.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_HWHDR.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_PRINTFLOW.so"
#plugin="/usr/local/lib/ulogd/ulogd_filter_MARK.so"
plugin="/usr/local/lib/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/local/lib/ulogd/ulogd_output_SYSLOG.so"
plugin="/usr/local/lib/ulogd/ulogd_output_OPRINT.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_NACCT.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_PCAP.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_PGSQL.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_MYSQL.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_DBI.so"
plugin="/usr/local/lib/ulogd/ulogd_raw2packet_BASE.so"

stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU

[ct1]
netlink_socket_buffer_size=2170880
netlink_socket_buffer_maxsize=10854400
hash_enable=0

[emu1]
file="/var/log/ulogd_syslogemu.log"
sync=1

Re: Ulogd2 beta3 +NFCT - unable to get working

[Anton VG]

Hello!
Just my experience with ULOGD 2.0 beta 3. NFCT logging seems broken.
I've managed to get something working, i'm logging to a PGSQL DB.

When I do enable hash_enable=0 and
pollinterval=100 and"INSERT_CT"  - it starts logging connections, but
after a while, byte counters of already logged connections in DB was
zeroed.

If hash_enable=1 and -"INSERT_CT" - it logs some connections, and byte
counters always 0

if pollinterval is not manually defined - it does not log anything.

Libraries and netfilter all latest
Kernel 2.6.29.5
os Debian stable

my test bed is 3 PC's , one of which consists all the given stuff for
traffic accounting and i'm WGETtting files between 1 and 3rd PC's and
watching the result in

PC_1 <-- NFCT_PC_2 --> PC_3

stack=ct1:NFCT,ip2str1:IP2STR,pgsql1:PGSQL

[pgsql1]
db="ulog2"
host="192.168.1.148"
user="ulog2"
table="ulog2_ct"
pass="ulog2"
procedure="INSERT_CT"
#procedure="INSERT_OR_REPLACE_CT"

[ct1]
pollinterval=1
hash_enable=1

Anything I can do to help fixing this?

Re: Ulogd2 beta3 +NFCT - unable to get working

[Pablo Neira Ayuso]

Anton VG wrote:
> Hello!
> 
> Just spent all night trying to get the %SUBJ% working, but been
> unable. There is no any other example in whole internet other than
> included into a package and
> http://software.inl.fr/trac/wiki/ulogd2/user
> 
> Ulogd starts, and tells that everything initialized - but
> /var/log/ulogd_syslogemu.log - is always 0 bytes - no logging there.

Is nf_conntrack_netlink loaded?

I still have to send a patch to autoload to the kernel to add support
for this autoload.

Re: Ulogd2 beta3 +NFCT - unable to get working

[Pablo Neira Ayuso]

Pablo Neira Ayuso wrote:
> Anton VG wrote:
>> Hello!
>>
>> Just spent all night trying to get the %SUBJ% working, but been
>> unable. There is no any other example in whole internet other than
>> included into a package and
>> http://software.inl.fr/trac/wiki/ulogd2/user
>>
>> Ulogd starts, and tells that everything initialized - but
>> /var/log/ulogd_syslogemu.log - is always 0 bytes - no logging there.
> 
> Is nf_conntrack_netlink loaded?
> 
> I still have to send a patch to autoload to the kernel to add support
> for this autoload.

Hm, I should read what I write before pushing "send" :-). I meant that,
for event listening, there's no autoload of the "nf_conntrack_netlink"
module yet. What you're reporting seems like a sympthon that this module
is missing.

Re: Ulogd2 beta3 +NFCT - unable to get working

[Anton VG]

Yes, it's loaded, here is the list of loaded modules.

# lsmod|grep nf
nf_conntrack_netlink    17040  0
nfnetlink_log           9396  1 xt_NFLOG
nfnetlink               5176  5 nf_conntrack_netlink,nfnetlink_log
nf_nat                 19876  1 iptable_nat
nf_conntrack_ipv4      14472  7 iptable_nat,nf_nat
nf_defrag_ipv4          2240  1 nf_conntrack_ipv4
nf_conntrack           70624  7
xt_connbytes,nf_conntrack_netlink,xt_conntrack,iptable_nat,nf_nat,nf_conntrack_ipv4,sch_esfq
#

But I suppose it would not log any connections in case it's not? But
it does some, but in unpredictable manner.


2009/6/24 Pablo Neira Ayuso <pablo@netfilter.org>:
> Pablo Neira Ayuso wrote:
>> Anton VG wrote:
>>> Hello!
>>>
>>> Just spent all night trying to get the %SUBJ% working, but been
>>> unable. There is no any other example in whole internet other than
>>> included into a package and
>>> http://software.inl.fr/trac/wiki/ulogd2/user
>>>
>>> Ulogd starts, and tells that everything initialized - but
>>> /var/log/ulogd_syslogemu.log - is always 0 bytes - no logging there.
>>
>> Is nf_conntrack_netlink loaded?
>>
>> I still have to send a patch to autoload to the kernel to add support
>> for this autoload.
>
> Hm, I should read what I write before pushing "send" :-). I meant that,
> for event listening, there's no autoload of the "nf_conntrack_netlink"
> module yet. What you're reporting seems like a sympthon that this module
> is missing.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Ulogd2 beta3 +NFCT - unable to get working

[Pablo Neira Ayuso]

Anton VG wrote:
> Yes, it's loaded, here is the list of loaded modules.
> 
> # lsmod|grep nf
> nf_conntrack_netlink    17040  0
> nfnetlink_log           9396  1 xt_NFLOG
> nfnetlink               5176  5 nf_conntrack_netlink,nfnetlink_log
> nf_nat                 19876  1 iptable_nat
> nf_conntrack_ipv4      14472  7 iptable_nat,nf_nat
> nf_defrag_ipv4          2240  1 nf_conntrack_ipv4
> nf_conntrack           70624  7
> xt_connbytes,nf_conntrack_netlink,xt_conntrack,iptable_nat,nf_nat,nf_conntrack_ipv4,sch_esfq
> #
> 
> But I suppose it would not log any connections in case it's not? But
> it does some, but in unpredictable manner.

What do you mean with "unpredictable manner"? Does `conntrack -E' show
events? Did you set CONFIG_NF_CONNTRACK_EVENTS=y in your kernel?

BTW, you have an example config file inside the ulogd2 directory. Have a
look at ulogd2.conf, it contains several useful examples.