
40.3. ulogd - The Netfilter Userspace Logging Daemon

ulogd homepage: http://www.gnumonks.org/projects/

  1. Installation

    $ sudo apt-get install ulogd

    $ sudo apt-get install ulogd-mysql

  2. Configure LOGEMU

    In /etc/ulogd.conf, load the syslog-emulation output plugin, which writes one human-readable line per packet in the same format as the kernel LOG target:

    plugin="/usr/lib/ulogd/ulogd_LOGEMU.so"
  3. Configure MYSQL

    $ sudo vim /etc/ulogd.conf

    plugin="/usr/lib/ulogd/ulogd_MYSQL.so"
    [MYSQL]
    table="ulog"
    pass="ulog"
    user="ulog"
    db="ulogd"
    host="localhost"

    The database password is stored in clear text here, so keep /etc/ulogd.conf readable by root only (chmod 600) and replace the placeholder password "ulog" with a real one; the same password must be used in the GRANT statement below.

    Create the database, the ulog user and the log table (the table schema ships with the ulogd-mysql package):

    neo@master:~$ mysql -u root -p -A mysql
    Enter password:
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 9
    Server version: 5.0.51a-3ubuntu5.1-log (Ubuntu)
    
    Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
    
    mysql> create database ulogd;
    Query OK, 1 row affected (0.07 sec)
    
    mysql> grant all privileges on ulogd.* to ulog@localhost identified by 'ulog';
    Query OK, 0 rows affected (0.09 sec)
    
    mysql> flush privileges;
    Query OK, 0 rows affected (0.02 sec)
    
    mysql> source /usr/share/doc/ulogd-mysql/mysql.table
    Query OK, 0 rows affected (0.05 sec)
    
    mysql> exit;
    Bye
    neo@master:~$
    The grant all privileges in the session above is broader than a logger needs: ulogd only writes rows, so once the table exists the grant can be narrowed to INSERT (and SELECT, if the plugin needs to read the table definition at startup) on ulogd.ulog, then verified by restarting ulogd and checking that rows still arrive.

  4. Iptables

    iptables -A INPUT -p tcp --dport 80 -j ULOG
    iptables -A FORWARD -j ULOG

    The first rule logs every inbound packet to port 80, the second logs every forwarded packet, so expect a high volume on a busy router; narrow the match (protocol, port, interface, state) rather than logging whole chains. ULOG is the legacy userspace logging target used by ulogd 1.x; it was removed from the kernel in Linux 3.17, and current kernels with ulogd 2.x use the NFLOG target (-j NFLOG --nflog-group N) instead.
  5. Starting

    $ sudo /etc/init.d/ulogd start

  6. Testing

    LOGEMU:

    neo@master:~$ tail -f /var/log/ulog/syslogemu.log
    Oct 20 12:54:07 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00  SRC=192.168.245.1 DST=192.168.245.129 LEN=40 TOS=00 PREC=0x00 TTL=128 ID=30048 DF PROTO=TCP SPT=2080 DPT=80 SEQ=1732529774 ACK=1543952440 WINDOW=64608 ACK URGP=0
    Oct 20 12:54:22 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00  SRC=192.168.245.1 DST=192.168.245.129 LEN=40 TOS=00 PREC=0x00 TTL=128 ID=30294 DF PROTO=TCP SPT=2080 DPT=80 SEQ=1732529774 ACK=1543952441 WINDOW=64608 ACK URGP=0
    Oct 20 12:54:32 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00  SRC=192.168.245.1 DST=192.168.245.129 LEN=40 TOS=00 PREC=0x00 TTL=128 ID=30481 DF PROTO=TCP SPT=2080 DPT=80 SEQ=1732529774 ACK=1543952441 WINDOW=64608 ACK FIN URGP=0
    Oct 20 12:55:27 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00  SRC=192.168.245.1 DST=192.168.245.129 LEN=48 TOS=00 PREC=0x00 TTL=128 ID=31444 DF PROTO=TCP SPT=2087 DPT=80 SEQ=866215326 ACK=0 WINDOW=65535 SYN URGP=0

    MySQL:

    mysql> select count(*) from ulog;
    +----------+
    | count(*) |
    +----------+
    |        8 |
    +----------+
    1 row in set (0.03 sec)
    
    mysql> select id, raw_mac from ulog;
    +----+--------------------------------------------+
    | id | raw_mac                                    |
    +----+--------------------------------------------+
    |  1 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00  |
    |  2 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00  |
    |  3 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00  |
    |  4 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00  |
    |  5 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00  |
    |  6 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00  |
    |  7 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00  |
    |  8 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00  |
    |  9 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00  |
    +----+--------------------------------------------+
    9 rows in set (0.00 sec)
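    The LOGEMU lines above are easy to post-process because every line is a sequence of KEY=VALUE tokens plus bare flag tokens (DF, SYN, ACK, FIN). The following POSIX shell script is an added example, not code from the page or from the ulogd project: it parses LOGEMU-format lines and reports sources that sent SYN-only segments (SYN set, ACK flag clear) to many distinct destination ports, a crude port-scan indicator. The sample input is the four lines shown above plus three constructed lines (a SYN to port 22 from the same host and two SYNs to port 80 from a made-up second host, 192.168.245.50); the names ulog_syn_scan_report and SAMPLE_LOG are the example's own.

```shell
#!/bin/sh
# Added example (not from the ulogd project): parse LOGEMU-format lines and
# report sources that sent SYN-only segments to many distinct destination
# ports.  ulog_syn_scan_report and SAMPLE_LOG are this example's own names.

# Sample input: the four lines from the page, followed by three constructed
# lines (SYN to port 22 from 192.168.245.1, and two SYNs to port 80 from a
# made-up host 192.168.245.50).
SAMPLE_LOG='Oct 20 12:54:07 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00  SRC=192.168.245.1 DST=192.168.245.129 LEN=40 TOS=00 PREC=0x00 TTL=128 ID=30048 DF PROTO=TCP SPT=2080 DPT=80 SEQ=1732529774 ACK=1543952440 WINDOW=64608 ACK URGP=0
Oct 20 12:54:22 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00  SRC=192.168.245.1 DST=192.168.245.129 LEN=40 TOS=00 PREC=0x00 TTL=128 ID=30294 DF PROTO=TCP SPT=2080 DPT=80 SEQ=1732529774 ACK=1543952441 WINDOW=64608 ACK URGP=0
Oct 20 12:54:32 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00  SRC=192.168.245.1 DST=192.168.245.129 LEN=40 TOS=00 PREC=0x00 TTL=128 ID=30481 DF PROTO=TCP SPT=2080 DPT=80 SEQ=1732529774 ACK=1543952441 WINDOW=64608 ACK FIN URGP=0
Oct 20 12:55:27 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00  SRC=192.168.245.1 DST=192.168.245.129 LEN=48 TOS=00 PREC=0x00 TTL=128 ID=31444 DF PROTO=TCP SPT=2087 DPT=80 SEQ=866215326 ACK=0 WINDOW=65535 SYN URGP=0
Oct 20 12:55:28 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00  SRC=192.168.245.1 DST=192.168.245.129 LEN=48 TOS=00 PREC=0x00 TTL=128 ID=31445 DF PROTO=TCP SPT=2088 DPT=22 SEQ=866215400 ACK=0 WINDOW=65535 SYN URGP=0
Oct 20 12:55:29 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00  SRC=192.168.245.50 DST=192.168.245.129 LEN=48 TOS=00 PREC=0x00 TTL=64 ID=100 DF PROTO=TCP SPT=40000 DPT=80 SEQ=1 ACK=0 WINDOW=65535 SYN URGP=0
Oct 20 12:55:30 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00  SRC=192.168.245.50 DST=192.168.245.129 LEN=48 TOS=00 PREC=0x00 TTL=64 ID=101 DF PROTO=TCP SPT=40001 DPT=80 SEQ=2 ACK=0 WINDOW=65535 SYN URGP=0'

# ulog_syn_scan_report [THRESHOLD]  < logemu.log
# "ACK" (the flag) and "ACK=..." (the acknowledgement number) are different
# tokens, so flags are matched by exact comparison.  A segment with SYN set
# and the ACK flag clear is a new connection attempt; per source, the number
# of distinct destination ports hit that way is counted (retries to the same
# port count once) and "SRC PORTS" is printed, sorted, for every source at or
# above THRESHOLD (default 1).
ulog_syn_scan_report() {
  threshold="${1:-1}"
  awk -v threshold="$threshold" '
    {
      src = ""; dpt = ""; syn = 0; ack = 0
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)      src = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        else if ($i == "SYN")  syn = 1
        else if ($i == "ACK")  ack = 1
      }
      if (src != "" && dpt != "" && syn && !ack && !seen[src, dpt]++)
        ports[src]++
    }
    END {
      for (s in ports)
        if (ports[s] >= threshold) print s, ports[s]
    }' | sort
}

# Demo: with threshold 2 only 192.168.245.1 (ports 80 and 22) is reported;
# 192.168.245.50 retried port 80 twice but touched a single port.
printf '%s\n' "$SAMPLE_LOG" | ulog_syn_scan_report 2
```

    In practice the function is fed with tail -f /var/log/ulog/syslogemu.log or a rotated copy of it; the three ACK-bearing lines from the page are correctly ignored because they belong to an established connection, not to a new attempt.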


The ULOG target takes four options:
1. --ulog-nlgroup
iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-nlgroup 2
Selects the netlink multicast group the packet is sent to, e.g. --ulog-nlgroup 2. There are 32 groups, numbered 1 to 32; the default is 1. The ulogd instance that is meant to receive the packets must listen on the same group (the nlgroup setting in ulogd.conf), otherwise nothing is logged.

2. --ulog-prefix
iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-prefix "SSH connection attempt: "
Sets a prefix recorded with each log entry so that entries produced by different rules can be told apart. It is used like the prefix of the LOG target, except that it may be up to 32 characters long.

3. --ulog-cprange
iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-cprange 100
Sets how many bytes of each packet are copied to the userspace ULOG agent. For example, --ulog-cprange 100 copies the first 100 bytes of the packet to userspace, which covers the headers and the beginning of the payload. The default is 0, which copies the whole packet regardless of its size.

4. --ulog-qthreshold
iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-qthreshold 10
Tells ULOG how many packets to accumulate in the kernel before sending them to userspace for logging. For example, --ulog-qthreshold 10 collects 10 packets in the kernel and then delivers them as a single multi-part netlink message. The default is 1, for backward compatibility with older versions that could not handle multi-part messages.