* Ulogd2 beta3 +NFCT - unable to get working
From: Anton VG @ 2009-06-23 23:56 UTC (permalink / raw)
To: netfilter-devel
Hello!
Just spent all night trying to get the %SUBJ% working, but have been
unable to. There is no other example on the whole internet other than
the ones included in the package and
http://software.inl.fr/trac/wiki/ulogd2/user
Ulogd starts and reports that everything is initialized, but
/var/log/ulogd_syslogemu.log is always 0 bytes - no logging there.
Maybe I have to insert some special IPTABLES rule? But I have not
found any clue as to what I need to feed connection tracking to
ULOGD.
Would anyone please tell me what I am doing wrong?
The examples do not show any nflog groups or anything else if NFCT is
used. No iptables rules are mentioned either.
---------------------------------
ulogd.conf
# Example configuration for ulogd
# $Id$
# Adapted to Debian by Achilleas Kotsis <achille at debian.gr>
[global]
######################################################################
# GLOBAL OPTIONS
######################################################################
# logfile for status messages
logfile="/var/log/ulogd.log"
# loglevel: debug(1), info(3), notice(5), error(7) or fatal(8)
loglevel=1
######################################################################
# PLUGIN OPTIONS
######################################################################
# We have to configure and load all the plugins we want to use
# general rules:
# 1. load the plugins _first_ from the global section
# 2. options for each plugin in separate section below
plugin="/usr/local/lib/ulogd/ulogd_inppkt_NFLOG.so"
#plugin="/usr/local/lib/ulogd/ulogd_inppkt_ULOG.so"
plugin="/usr/local/lib/ulogd/ulogd_inpflow_NFCT.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_IP2BIN.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_HWHDR.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_PRINTFLOW.so"
#plugin="/usr/local/lib/ulogd/ulogd_filter_MARK.so"
plugin="/usr/local/lib/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/local/lib/ulogd/ulogd_output_SYSLOG.so"
plugin="/usr/local/lib/ulogd/ulogd_output_OPRINT.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_NACCT.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_PCAP.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_PGSQL.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_MYSQL.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_DBI.so"
plugin="/usr/local/lib/ulogd/ulogd_raw2packet_BASE.so"
stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU
[ct1]
netlink_socket_buffer_size=2170880
netlink_socket_buffer_maxsize=10854400
hash_enable=0
[emu1]
file="/var/log/ulogd_syslogemu.log"
sync=1
* Re: Ulogd2 beta3 +NFCT - unable to get working
From: Anton VG @ 2009-06-24 9:40 UTC (permalink / raw)
To: netfilter-devel
Hello!
Just my experience with ULOGD 2.0 beta 3. NFCT logging seems broken.
I've managed to get something working; I'm logging to a PGSQL DB.
When I enable hash_enable=0 and
pollinterval=100 and "INSERT_CT" - it starts logging connections, but
after a while, the byte counters of already logged connections in the DB
were zeroed.
If hash_enable=1 and -"INSERT_CT" - it logs some connections, and the byte
counters are always 0.
If pollinterval is not manually defined - it does not log anything.
Libraries and netfilter are all the latest
Kernel 2.6.29.5
OS Debian stable
My test bed is 3 PCs, one of which contains all the given stuff for
traffic accounting, and I'm WGETting files between the 1st and 3rd PCs and
watching the result in
PC_1 <-- NFCT_PC_2 --> PC_3
stack=ct1:NFCT,ip2str1:IP2STR,pgsql1:PGSQL
[pgsql1]
db="ulog2"
host="192.168.1.148"
user="ulog2"
table="ulog2_ct"
pass="ulog2"
procedure="INSERT_CT"
#procedure="INSERT_OR_REPLACE_CT"
[ct1]
pollinterval=1
hash_enable=1
Is there anything I can do to help fix this?
* Re: Ulogd2 beta3 +NFCT - unable to get working
From: Pablo Neira Ayuso @ 2009-06-24 18:02 UTC (permalink / raw)
To: Anton VG; +Cc: netfilter-devel
Anton VG wrote:
> Hello!
>
> Just spent all night trying to get the %SUBJ% working, but been
> unable. There is no any other example in whole internet other than
> included into a package and
> http://software.inl.fr/trac/wiki/ulogd2/user
>
> Ulogd starts, and tells that everything initialized - but
> /var/log/ulogd_syslogemu.log - is always 0 bytes - no logging there.
Is nf_conntrack_netlink loaded?
I still have to send a patch to autoload to the kernel to add support
for this autoload.
* Re: Ulogd2 beta3 +NFCT - unable to get working
From: Pablo Neira Ayuso @ 2009-06-24 18:06 UTC (permalink / raw)
To: Anton VG; +Cc: netfilter-devel
Pablo Neira Ayuso wrote:
> Anton VG wrote:
>> Hello!
>>
>> Just spent all night trying to get the %SUBJ% working, but been
>> unable. There is no any other example in whole internet other than
>> included into a package and
>> http://software.inl.fr/trac/wiki/ulogd2/user
>>
>> Ulogd starts, and tells that everything initialized - but
>> /var/log/ulogd_syslogemu.log - is always 0 bytes - no logging there.
>
> Is nf_conntrack_netlink loaded?
>
> I still have to send a patch to autoload to the kernel to add support
> for this autoload.
Hm, I should read what I write before pushing "send" :-). I meant that,
for event listening, there's no autoload of the "nf_conntrack_netlink"
module yet. What you're reporting seems like a symptom that this module
is missing.
* Re: Ulogd2 beta3 +NFCT - unable to get working
From: Anton VG @ 2009-06-24 20:54 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Yes, it's loaded, here is the list of loaded modules.
# lsmod|grep nf
nf_conntrack_netlink 17040 0
nfnetlink_log 9396 1 xt_NFLOG
nfnetlink 5176 5 nf_conntrack_netlink,nfnetlink_log
nf_nat 19876 1 iptable_nat
nf_conntrack_ipv4 14472 7 iptable_nat,nf_nat
nf_defrag_ipv4 2240 1 nf_conntrack_ipv4
nf_conntrack 70624 7 xt_connbytes,nf_conntrack_netlink,xt_conntrack,iptable_nat,nf_nat,nf_conntrack_ipv4,sch_esfq
#
But I suppose it would not log any connections in case it's not? But
it does some, but in an unpredictable manner.
2009/6/24 Pablo Neira Ayuso <pablo@netfilter.org>:
> Pablo Neira Ayuso wrote:
>> Anton VG wrote:
>>> Hello!
>>>
>>> Just spent all night trying to get the %SUBJ% working, but been
>>> unable. There is no any other example in whole internet other than
>>> included into a package and
>>> http://software.inl.fr/trac/wiki/ulogd2/user
>>>
>>> Ulogd starts, and tells that everything initialized - but
>>> /var/log/ulogd_syslogemu.log - is always 0 bytes - no logging there.
>>
>> Is nf_conntrack_netlink loaded?
>>
>> I still have to send a patch to autoload to the kernel to add support
>> for this autoload.
>
> Hm, I should read what I write before pushing "send" :-). I meant that,
> for event listening, there's no autoload of the "nf_conntrack_netlink"
> module yet. What you're reporting seems like a symptom that this module
> is missing.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
* Re: Ulogd2 beta3 +NFCT - unable to get working
From: Pablo Neira Ayuso @ 2009-06-27 21:13 UTC (permalink / raw)
To: Anton VG; +Cc: netfilter-devel
Anton VG wrote:
> Yes, it's loaded, here is the list of loaded modules.
>
> # lsmod|grep nf
> nf_conntrack_netlink 17040 0
> nfnetlink_log 9396 1 xt_NFLOG
> nfnetlink 5176 5 nf_conntrack_netlink,nfnetlink_log
> nf_nat 19876 1 iptable_nat
> nf_conntrack_ipv4 14472 7 iptable_nat,nf_nat
> nf_defrag_ipv4 2240 1 nf_conntrack_ipv4
> nf_conntrack 70624 7 xt_connbytes,nf_conntrack_netlink,xt_conntrack,iptable_nat,nf_nat,nf_conntrack_ipv4,sch_esfq
> #
>
> But I suppose it would not log any connections in case it's not? But
> it does some, but in unpredictable manner.
What do you mean by "unpredictable manner"? Does `conntrack -E' show
events? Did you set CONFIG_NF_CONNTRACK_EVENTS=y in your kernel?
BTW, you have an example config file inside the ulogd2 directory. Have a
look at ulogd2.conf, it contains several useful examples.
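
Added example, not part of the thread or of ulogd2: a small offline check for the two prerequisites raised above (nf_conntrack_netlink available, CONFIG_NF_CONNTRACK_EVENTS=y), run against saved `lsmod` output and a kernel config file. The function names, the file locations and the use of CONFIG_NF_CT_NETLINK=y to recognise a built-in ctnetlink are assumptions of this example; the sample input is constructed.

```shell
#!/bin/sh
# Added example: offline check of the NFCT prerequisites raised in the thread.
# Inputs are saved text: `lsmod` output and the kernel build config
# (its location, e.g. /boot/config-<release>, is an assumption).

# kconfig_is <config-file> <symbol> <value>: exit 0 if the line SYMBOL=value exists.
kconfig_is() {
    grep -q "^$2=$3\$" "$1"
}

# module_loaded <lsmod-file> <module>: exit 0 if the module is listed in column 1.
module_loaded() {
    awk -v m="$2" '$1 == m { found = 1 } END { exit !found }' "$1"
}

# nfct_missing <lsmod-file> <config-file>: print one line per unmet prerequisite.
nfct_missing() {
    # ctnetlink may be a loaded module or built in (=y), in which case lsmod
    # never shows it; either one satisfies the check.
    module_loaded "$1" nf_conntrack_netlink ||
        kconfig_is "$2" CONFIG_NF_CT_NETLINK y ||
        echo "missing: nf_conntrack_netlink (try: modprobe nf_conntrack_netlink)"
    # Without event support the kernel sends no conntrack events to listeners.
    kconfig_is "$2" CONFIG_NF_CONNTRACK_EVENTS y ||
        echo "missing: CONFIG_NF_CONNTRACK_EVENTS=y"
    return 0
}

# Constructed sample input: module loaded, but events compiled out.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/lsmod.txt" <<'EOF'
Module                  Size  Used by
nf_conntrack_netlink   17040  0
nfnetlink               5176  5 nf_conntrack_netlink,nfnetlink_log
nf_conntrack           70624  7 nf_conntrack_netlink,nf_nat
EOF
    cat > "$tmp/kconfig.txt" <<'EOF'
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CT_NETLINK=m
# CONFIG_NF_CONNTRACK_EVENTS is not set
EOF
    nfct_missing "$tmp/lsmod.txt" "$tmp/kconfig.txt"
    rm -rf "$tmp"
}

demo
```

An empty result only means the static prerequisites are met; whether events actually arrive is still what `conntrack -E` shows.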