Zhihu column | Multi-dimensional Architecture | WeChat ID: netkiller-ebook | QQ group: 128659835, please state "reader" |
ulogd homepage: http://www.gnumonks.org/projects/
Installation
$ sudo apt-get install ulogd
$ sudo apt-get install ulogd-mysql
Configure LOGEMU
plugin="/usr/lib/ulogd/ulogd_LOGEMU.so"
Configure MYSQL
$ sudo vim /etc/ulogd.conf
plugin="/usr/lib/ulogd/ulogd_MYSQL.so"

[MYSQL]
table="ulog"
pass="ulog"
user="ulog"
db="ulogd"
host="localhost"
Create database
neo@master:~$ mysql -u root -p -A mysql
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 5.0.51a-3ubuntu5.1-log (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create database ulogd;
Query OK, 1 row affected (0.07 sec)

mysql> grant all privileges on ulogd.* to ulog@localhost identified by 'ulog';
Query OK, 0 rows affected (0.09 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.02 sec)

mysql> source /usr/share/doc/ulogd-mysql/mysql.table
Query OK, 0 rows affected (0.05 sec)

mysql> exit;
Bye
neo@master:~$
Iptables
iptables -A INPUT -p tcp --dport 80 -j ULOG
iptables -A FORWARD -j ULOG
Starting
$ sudo /etc/init.d/ulogd start
Testing
logemu
neo@master:~$ tail -f /var/log/ulog/syslogemu.log
Oct 20 12:54:07 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 SRC=192.168.245.1 DST=192.168.245.129 LEN=40 TOS=00 PREC=0x00 TTL=128 ID=30048 DF PROTO=TCP SPT=2080 DPT=80 SEQ=1732529774 ACK=1543952440 WINDOW=64608 ACK URGP=0
Oct 20 12:54:22 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 SRC=192.168.245.1 DST=192.168.245.129 LEN=40 TOS=00 PREC=0x00 TTL=128 ID=30294 DF PROTO=TCP SPT=2080 DPT=80 SEQ=1732529774 ACK=1543952441 WINDOW=64608 ACK URGP=0
Oct 20 12:54:32 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 SRC=192.168.245.1 DST=192.168.245.129 LEN=40 TOS=00 PREC=0x00 TTL=128 ID=30481 DF PROTO=TCP SPT=2080 DPT=80 SEQ=1732529774 ACK=1543952441 WINDOW=64608 ACK FIN URGP=0
Oct 20 12:55:27 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 SRC=192.168.245.1 DST=192.168.245.129 LEN=48 TOS=00 PREC=0x00 TTL=128 ID=31444 DF PROTO=TCP SPT=2087 DPT=80 SEQ=866215326 ACK=0 WINDOW=65535 SYN URGP=0
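As an added example (not part of the original page, and not ulogd's own code), a small Python parser for the LOGEMU line format shown above, followed by a defender-side summary of what it parsed. Each record is split into key=value fields and bare flag tokens (DF, SYN, ACK, FIN), any text set with --ulog-prefix is kept separately, and sources whose SYN-only packets reached several distinct destination ports are reported. The sample lines are constructed: the first two copy the format of the output above, the 10.0.0.7 lines, the UDP line and the non-packet line are made up, and the prefix text, addresses and the port threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input in syslogemu.log format (see comment above: the
# 10.0.0.7 lines, the UDP line and the last line are made up for this example).
SAMPLE_LOG = """\
Oct 20 12:54:07 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 SRC=192.168.245.1 DST=192.168.245.129 LEN=40 TOS=00 PREC=0x00 TTL=128 ID=30048 DF PROTO=TCP SPT=2080 DPT=80 SEQ=1732529774 ACK=1543952440 WINDOW=64608 ACK URGP=0
Oct 20 12:55:27 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 SRC=192.168.245.1 DST=192.168.245.129 LEN=48 TOS=00 PREC=0x00 TTL=128 ID=31444 DF PROTO=TCP SPT=2087 DPT=80 SEQ=866215326 ACK=0 WINDOW=65535 SYN URGP=0
Oct 20 12:56:01 master SSH connection attempt: IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 SRC=10.0.0.7 DST=192.168.245.129 LEN=48 TOS=00 PREC=0x00 TTL=64 ID=101 DF PROTO=TCP SPT=40001 DPT=22 SEQ=11 ACK=0 WINDOW=65535 SYN URGP=0
Oct 20 12:56:02 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 SRC=10.0.0.7 DST=192.168.245.129 LEN=48 TOS=00 PREC=0x00 TTL=64 ID=102 DF PROTO=TCP SPT=40002 DPT=80 SEQ=12 ACK=0 WINDOW=65535 SYN URGP=0
Oct 20 12:56:02 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 SRC=10.0.0.7 DST=192.168.245.129 LEN=48 TOS=00 PREC=0x00 TTL=64 ID=103 DF PROTO=TCP SPT=40003 DPT=443 SEQ=13 ACK=0 WINDOW=65535 SYN URGP=0
Oct 20 12:56:03 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 SRC=10.0.0.7 DST=192.168.245.129 LEN=48 TOS=00 PREC=0x00 TTL=64 ID=104 DF PROTO=TCP SPT=40004 DPT=3306 SEQ=14 ACK=0 WINDOW=65535 SYN URGP=0
Oct 20 12:56:10 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 SRC=192.168.245.1 DST=192.168.245.129 LEN=60 TOS=00 PREC=0x00 TTL=128 ID=31500 PROTO=UDP SPT=5353 DPT=5353 LEN=40
Oct 20 12:56:11 master some unrelated syslog line without packet fields
"""

# syslog-style timestamp, hostname, then the rest of the line
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$"
)


def parse_line(line):
    """Parse one LOGEMU line; return None for lines that are not packet records."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rest = m.group("rest")
    # The packet fields start at the "IN=" token; anything before it is the
    # optional text set with --ulog-prefix.
    m_in = re.search(r"(?:^|\s)IN=", rest)
    if m_in is None:
        return None
    start = m_in.end() - 3
    fields, flags = {}, set()
    for tok in rest[start:].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value      # e.g. SRC=192.168.245.1; "OUT=" yields ""
        else:
            flags.add(tok)           # bare tokens: DF, SYN, ACK, FIN, ...
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "prefix": rest[:start].strip(),
        "fields": fields,
        "flags": flags,
    }


def parse_log(text):
    """Parse a whole log, silently skipping lines that are not packet records."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r is not None]


def count_by_prefix(records):
    """Count records per --ulog-prefix text ("" for rules without a prefix)."""
    counts = defaultdict(int)
    for r in records:
        counts[r["prefix"]] += 1
    return dict(counts)


def new_connection_attempts(records, min_ports=3):
    """Return {src: [dport, ...]} for sources whose TCP SYN-only packets (SYN flag
    set, ACK flag clear, i.e. new connection attempts) reached at least min_ports
    distinct destination ports. min_ports is an assumed threshold."""
    ports = defaultdict(set)
    for r in records:
        f, flags = r["fields"], r["flags"]
        if f.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags:
            ports[f["SRC"]].add(int(f["DPT"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} packet records parsed")
    for prefix, n in count_by_prefix(recs).items():
        print(f"prefix {prefix!r}: {n} records")
    for src, dports in new_connection_attempts(recs).items():
        print(f"{src} sent SYNs to {len(dports)} distinct ports: {dports}")
```

To run it against a real file, replace SAMPLE_LOG with the contents of /var/log/ulog/syslogemu.log; the parser only relies on the timestamp/hostname layout and the key=value tokens shown above, so the bare ACK flag and the ACK= sequence field are kept apart.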
mysql
mysql> select count(*) from ulog;
+----------+
| count(*) |
+----------+
|        8 |
+----------+
1 row in set (0.03 sec)

mysql> select id, raw_mac from ulog;
+----+-------------------------------------------+
| id | raw_mac                                   |
+----+-------------------------------------------+
|  1 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
|  2 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
|  3 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
|  4 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
|  5 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
|  6 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
|  7 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
|  8 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
|  9 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
+----+-------------------------------------------+
9 rows in set (0.00 sec)
The ULOG target takes four options:
1. --ulog-nlgroup
iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-nlgroup 2
Specifies which netlink group the packets are sent to, e.g. --ulog-nlgroup 2. There are 32 netlink groups, simply numbered 1-32. The default is 1.
2. --ulog-prefix
iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-prefix "SSH connection attempt: "
Specifies a prefix for the logged message so that messages from different rules can be told apart. It is used just like the prefix of the LOG target, except that it can be up to 32 characters long.
3. --ulog-cprange
iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-cprange 100
Specifies how many bytes of each packet are sent to the ULOG userspace agent, e.g. --ulog-cprange 100 means that the first 100 bytes of the whole packet, which cover the packet headers and some of the packet's leading data, are copied to userspace and logged. The default is 0, which copies the entire packet regardless of its size.
4. --ulog-qthreshold
iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-qthreshold 10
Tells ULOG how many packets to collect in the kernel before sending them to userspace for logging, e.g. --ulog-qthreshold 10. This means 10 packets are accumulated in the kernel and then sent to userspace together; they are treated as a single netlink message that simply consists of several parts. The default is 1, for backward compatibility, because earlier versions could not handle multipart messages.