ulogd(一)
参考资料:
https://blog.csdn.net/eydwyz/article/details/52456335
https://blog.csdn.net/chinalinuxzend/article/details/1765249
https://rlworkman.net/howtos/ulogd.html
./README
===> IDEA
This packages is intended for doing all netfilter related logging inside a
userspace process. This includes
- logging of ruleset violations via ipt_ULOG (kernel 2.4.18+)
- logging of ruleset violations via nfnetlink_log (kernel 2.6.14+)
- logging of connection startup/teardown (kernel 2.6.14+)
- connection-based accounting (kernel 2.6.14+)
在守护进程中做netfilter相关的各种统计工作。
工作原理
- Register a target called ULOG with iptables
- if the target is hit:
- send the packet out using netlink multicast facility
- return NF_CONTINUE immediately
简单翻译一下,工作原理就是:
通过 iptables 下发规则到内核,匹配相应规则之后,内核将通过 netlink 将消息
发送到用户态,然后报文在内核态继续执行。
输出支持直接将结果写到database中,需要提前预设database,修改ulogd配置。
关于下边相关的几个插件:
- Input Plugins
-
Input plugins acts data source. They get data from somewhere outside of ulogd, and convert it into a list of ulogd keys.
- Filter Plugins
-
Filter plugins interpret(解释) and/or filter(过滤) data that was received from the Input Plugin. A good example is parsing a raw packet into IPv4 / TCP / ... header information.
- Output Plugins
-
Output plugins describe how and where to put the information gained by the Input Plugin and processed by one or more Filter Plugins. The easiest way is to build a line per packet and fprint it to a file. Some people might want to log into a SQL database or want an output conforming to the IETF IPFIX language.
5. Available plugins
It is important to understand that ulogd without plugins does nothing. It will receive packets, and do nothing with them.
There are two kinds of plugins, interpreter and output plugins. Interpreter plugins parse the packet, output plugins write the interpreted information to some logfile/database/...
===> CONTENTS
= ulogd daemon (ulogd)
A sophisticated logging daemon core which uses a plugin for about anything. The
daemon provides a plugin API for
- input plugins
- filter plugins
- output plugins
= documentation (doc)
A quite verbose documentation of this package and it's configuration exists,
please actually make use of it and read it :)
===> USAGE
To be able to build ulogd, you need to have working developement files and
and libraries for:
- libnfnetlink
- libmnl
- libnetfilter_log [optional]
- libnetfilter_conntrack [optional]
- libnetfilter_acct [optional]
Output plugins are build if the needed library and headers are found. This
includes:
- PCAP: libpcap
- PGSQL: libpq
- MySQL: libmysqlclient
- SQLITE3: libsqlite3
- DBI: libdbi
The build procedure is standard:
$ ./configure
$ make
$ sudo make install
After build, you need to edit the ulogd.conf file to define a stack or more
to use.
===> EXAMPLES
= NFLOG(防火墙log) usage
At first a simple example, which passes every outgoing packet to the
userspace logging, using nfnetlink group 3.
iptables -A OUTPUT -j NFLOG --nflog-group 3
A more advanced one, passing all incoming tcp packets with destination
port 80 to the userspace logging daemon listening on netlink multicast
group 32. All packets get tagged with the ulog prefix "inp"
iptables -A INPUT -j NFLOG -p tcp --dport 80 --nflog-group 32 --nflog-prefix inp
See iptables -j NFLOG -h for complete information about NFLOG.
= NFCT(链接跟踪) usage
To use connection logging, simply activate in ulogd.conf one stack using
the NFCT plugin.
For example, the following stack will do flow-based logging via
LOGEMU:
stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU(配置文件中的相关配置)
= NFACCT(防火墙统计) usage
On ulogd side, activate a stack using the NFACCT module.
You then need to create counters:
# nfacct add ipv4.tcp
# nfacct add ipv6.tcp.443 (是一个新的命令,需要重新安装)
Once this is done, you can then create iptables matching rule that will increment
each time a packet hit them:
# iptables -A FORWARD -p tcp -m nfacct --nfacct-name ipv4.tcp(配置的是一个转发链,pc机验证时候建议设置成INPUT、OUTPUT)
# ip6tables -A FORWARD -p tcp --dport 443 -m nfacct --nfacct-name ipv6.tcp.443
# ip6tables -A FORWARD -p tcp --sport 443 -m nfacct --nfacct-name ipv6.tcp.443
NFACCT plugin will then dump periodically the counters and trigger an update of the
output corresponding to the active stacks.
===> COPYRIGHT + CREDITS
The code and documentation is
(C) 2000-2006 by Harald Welte <laforge@gnumonks.org>
(C) 2008-2012 Pablo Neira Ayuso <pablo@netfilter.org>
(C) 2008-2013 Eric Leblond <eric@regit.org>
Thanks also to the valuable contributions of Daniel Stone, Alexander Janssen,
Michael Stolovitzsky and Jozsef Kadlecsik.
Credits to Rusty Russell, James Morris, Marc Boucher and all the other
netfilter hackers.
ulogd(一)的更多相关文章
- iptables日志探秘
iptables日志探秘 防火墙的主要功能除了其本身能进行有效控制网络访问之外,还有一个很重要的功能就是能清晰地记录网络上的访问,并自动生成日志进行保存.虽然日志格式会因防火墙厂商的不同而形态各异,但 ...
- iptables rule
和H3C中的acl很像,或者就是一会事,这就是不知道底层的缺陷,形式一变,所有的积累都浮云了 参考准确的说copy from http://www.ibm.com/developerworks/cn/ ...
- Linux下编译内核配置选项简介
Code maturity level options代码成熟度选项 Prompt for development and/or incomplete code/drivers 显示尚在开发中或尚未完 ...
- Linux: 介绍make menuconfig中的每个选项含义【转】
转自:http://blog.csdn.net/gaoyuanlinkconcept/article/details/8810468 介绍make menuconfig中的每个选项含义 Linux 2 ...
- 【内核】linux2.6版本内核编译配置选项(一)
Linux 2.6.19.x 内核编译配置选项简介 作者:金步国 版权声明 本文作者是一位自由软件爱好者,所以本文虽然不是软件,但是本着 GPL 的精神发布.任何人都可以自由使用.转载.复制和再分发, ...
- Iptables 指南 1.1.19
Iptables 指南 1.1.19 Oskar Andreasson oan@frozentux.net Copyright © 2001-2003 by Oskar Andreasson 本文在符 ...
- iptables原理及使用教程
注意 修改iptables可能导致连接断开, 对于远程连接的用户, 需要在经过充分测试后在修改, 对于懒人可以设置一个crontab, 在你修改iptables的过程中每隔30分钟清空一次iptabl ...
- Linux操作系统的文件查找工具locate和find命令常用参数介绍
Linux操作系统的文件查找工具locate和find命令常用参数介绍 作者:尹正杰 版权声明:原创作品,谢绝转载!否则将追究法律责任. 一.非实时查找(数据库查找)locate工具 locate命 ...
- ccze - A robust log colorizer(强大的日志着色器)
这些程序遵循通常的GNU命令行语法,长选项以两个破折号(` - ')开头.选项摘要如下. -a, - argument PLUGIN = ARGUMENTS 使用此选项将AR ...
随机推荐
- HTML5操作麦克风获取音频数据(WAV)的一些基础技能
基于HTML5的新特性,操作其实思路很简单. 首先通过navigator获取设备,然后通过设备监听语音数据,进行原始数据采集. 相关的案例比较多,最典型的就是链接:https://developer. ...
- Linux centos7. 配置安装Oracle
oralcle 11g r2 配置一下前期的网络环境 一 修改linux核心配置 1.修改用户的SHELL限制vi /etc/security/limits.conf oracle soft npro ...
- json 中关于json数组跟json对象的区别
原文地址:http://blog.csdn.net/lafengwnagzi/article/details/52789171 JSON 是存储和交换文本信息的语法 JSON 文本格式在语法上与创建 ...
- Linux上启动Cron任务
cron是一个Linux下的定时执行工具,无需人工干预,与quartz上的cron表达式稍有不同.由于cron是Linux上的内置基础服务,并不是所有服务器都是默认启动该服务的,如果没有启动可以使用下 ...
- Alsa aplay S8 U8 S16_LE S16_BE U16_LE U16_BE格式
举个例子 aplay -r 16000 -f S16_LE -D hw:0,0 -c 2 -d 3 ~/Private/Private_Tools/02_ALSA_Learning/left_1k_r ...
- React+ES6+Webpack深入浅出
React已成为前端当下最热门的前端框架之一 , 其虚拟DOM和组件化开发让前端开发更富灵活性,而Webpack凭借它异步加载和可分离打包等优秀的特性,更为React的开发提供了便利.其优秀的特性不再 ...
- Shiro+CAS
参考链接: CAS实现单点登录SSO执行原理探究:http://blog.csdn.net/javaloveiphone/article/details/52439613 单点登录CAS技术概述:ht ...
- postgresql数据库备份
一.工具备份数据 打开windows下的命令窗口:开始->cmd->安装数据库的目录->进入bin目录: 导出命令:pg_dump –h localhost –U postgres ...
- 完整安装always on 集群
1. 四台已安装windows server 2008 r2 系统的虚拟机,配置如下: CPU : 1核 MEMORY : 2GB DISK : 40GB(未分区) NetAdapter : 2块 ...
- nginx+python+windows 开始
参考文章:http://www.testwo.com/article/311 参考如上文章基本能够完成hello world示例,我来记录下自己操作步骤及不同点,用以备忘,如果能帮助到其他人更好. 以 ...