References:

  https://blog.csdn.net/eydwyz/article/details/52456335

  https://blog.csdn.net/chinalinuxzend/article/details/1765249

  https://rlworkman.net/howtos/ulogd.html

./README

===> IDEA

This package is intended for doing all netfilter-related logging inside a
userspace process.  This includes
    - logging of ruleset violations via ipt_ULOG (kernel 2.4.18+)
    - logging of ruleset violations via nfnetlink_log (kernel 2.6.14+)
    - logging of connection startup/teardown (kernel 2.6.14+)
    - connection-based accounting  (kernel 2.6.14+)

That is, all the netfilter-related statistics work is done inside a daemon process.

How it works
- Register a target called ULOG with iptables
- if the target is hit:
    - send the packet out using netlink multicast facility
    - return NF_CONTINUE immediately

In short, the working principle is:

  Rules are pushed into the kernel via iptables; once a packet matches a rule, the kernel sends a message to userspace via netlink, and the packet then continues to be processed in the kernel.

  The output can be written directly into a database; the database must be set up in advance and the ulogd configuration modified accordingly.

About the plugin types described below:

Input Plugins

Input plugins act as data sources. They get data from somewhere outside of ulogd and convert it into a list of ulogd keys.

Filter Plugins

Filter plugins interpret and/or filter data that was received from the Input Plugin. A good example is parsing a raw packet into IPv4 / TCP / ... header information.

Output Plugins

Output plugins describe how and where to put the information gained by the Input Plugin and processed by one or more Filter Plugins. The easiest way is to build a line per packet and print it to a file. Some people might want to log into a SQL database or want an output conforming to the IETF IPFIX language.

5. Available plugins

It is important to understand that ulogd without plugins does nothing. It will receive packets, and do nothing with them.

There are two kinds of plugins, interpreter and output plugins. Interpreter plugins parse the packet; output plugins write the interpreted information to some logfile/database/...

===> CONTENTS
= ulogd daemon (ulogd)
A sophisticated logging daemon core which uses a plugin for about anything. The
daemon provides a plugin API for
    - input plugins
    - filter plugins
    - output plugins
= documentation (doc)
A quite verbose documentation of this package and its configuration exists;
please actually make use of it and read it :)

===> USAGE

To be able to build ulogd, you need to have working development files and
libraries for:
 - libnfnetlink
 - libmnl
 - libnetfilter_log         [optional]
 - libnetfilter_conntrack    [optional]
 - libnetfilter_acct        [optional]

Output plugins are built if the needed library and headers are found. This
includes:
 - PCAP: libpcap
 - PGSQL: libpq
 - MySQL: libmysqlclient
 - SQLITE3: libsqlite3
 - DBI: libdbi

The build procedure is standard:
 $ ./configure
 $ make
 $ sudo make install

After build, you need to edit the ulogd.conf file to define a stack or more
to use.

===> EXAMPLES

= NFLOG (firewall log) usage

At first a simple example, which passes every outgoing packet to the
userspace logging, using nfnetlink group 3.

iptables -A OUTPUT -j NFLOG --nflog-group 3

A more advanced one, passing all incoming tcp packets with destination
port 80 to the userspace logging daemon listening on netlink multicast
group 32. All packets get tagged with the ulog prefix "inp".

iptables -A INPUT -j NFLOG -p tcp --dport 80 --nflog-group 32 --nflog-prefix inp

See iptables -j NFLOG -h for complete information about NFLOG.
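Once the port-80 rule above feeds ulogd, a LOGEMU output stack writes one syslog-like line per packet carrying the "inp" prefix. The following parser is an added example (not part of ulogd or the original post); it assumes LOGEMU uses the same KEY=VALUE layout as the kernel LOG target, and the log lines are constructed samples, not real captures.

```python
from collections import Counter
from typing import Dict, List

# Constructed sample (not real ulogd output) in the syslog-like layout the
# LOGEMU output plugin writes; "inp" is the --nflog-prefix from the rule above.
LOGEMU_SAMPLE = """\
Oct 13 12:00:01 fw inp IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=80 SEQ=1 ACK=0 WINDOW=65535 SYN URGP=0
Oct 13 12:00:02 fw inp IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=80 SEQ=1 ACK=0 WINDOW=65535 SYN URGP=0
Oct 13 12:00:03 fw inp IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=52 TOS=00 PREC=0x00 TTL=55 ID=3 DF PROTO=TCP SPT=51000 DPT=80 SEQ=1 ACK=0 WINDOW=29200 SYN URGP=0
Oct 13 12:00:04 fw inp IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=52 TOS=00 PREC=0x00 TTL=55 ID=4 DF PROTO=TCP SPT=51000 DPT=80 SEQ=2 ACK=1 WINDOW=29200 ACK URGP=0
"""

def parse_logemu_line(line: str) -> Dict[str, object]:
    """Split one LOGEMU line into timestamp, host, prefix, KEY=VALUE fields
    and bare flag tokens (DF, SYN, ACK, ...)."""
    tokens = line.split()
    if len(tokens) < 5:
        raise ValueError("not a LOGEMU line: %r" % line)
    fields: Dict[str, str] = {}
    flags: List[str] = []
    prefix: List[str] = []
    for tok in tokens[4:]:
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value          # "OUT=" yields an empty string
        elif fields:
            flags.append(tok)            # bare token after a field: TCP/IP flag
        else:
            prefix.append(tok)           # words before IN= are the nflog prefix
    return {"timestamp": " ".join(tokens[:3]), "host": tokens[3],
            "prefix": " ".join(prefix), "fields": fields, "flags": flags}

def syn_sources(text: str, dport: str, prefix: str = "inp") -> Counter:
    """Count SYN packets per source address for one destination port."""
    hits: Counter = Counter()
    for line in text.splitlines():
        rec = parse_logemu_line(line)
        f = rec["fields"]
        if (rec["prefix"] == prefix and f.get("PROTO") == "TCP"
                and f.get("DPT") == dport and "SYN" in rec["flags"]):
            hits[f["SRC"]] += 1
    return hits

if __name__ == "__main__":
    for src, n in syn_sources(LOGEMU_SAMPLE, "80").most_common():
        print("%-15s %d SYN to port 80" % (src, n))
```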

= NFCT (connection tracking) usage

To use connection logging, simply activate in ulogd.conf one stack using
the NFCT plugin.

For example, the following stack will do flow-based logging via
LOGEMU:

stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU

(This is the corresponding setting in the configuration file.)

= NFACCT (firewall accounting) usage

On ulogd side, activate a stack using the NFACCT module.

You then need to create counters:
 # nfacct add ipv4.tcp
 # nfacct add ipv6.tcp.443

(nfacct is a new command and needs to be installed again.)

Once this is done, you can then create iptables matching rules that will increment
each time a packet hits them:

 # iptables -A FORWARD -p tcp -m nfacct --nfacct-name ipv4.tcp
 # ip6tables -A FORWARD -p tcp  --dport 443 -m nfacct --nfacct-name ipv6.tcp.443
 # ip6tables -A FORWARD -p tcp  --sport 443 -m nfacct --nfacct-name ipv6.tcp.443

(These rules are on the FORWARD chain; when verifying on a PC it is advisable to use INPUT and OUTPUT instead.)

The NFACCT plugin will then periodically dump the counters and trigger an update of the
output corresponding to the active stacks.
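The per-interval increments that such a periodic dump yields can be checked by hand from the nfacct CLI. The script below is an added example (not ulogd's own NFACCT plugin, which reads the counters through libnetfilter_acct); it parses the `{ pkts = ..., bytes = ... } = name;` lines that `nfacct list` prints and computes the deltas between two dumps, treating a counter that went backwards (reset or re-added) as starting from zero. Both dumps are constructed samples.

```python
import re
from typing import Dict, Tuple

# One line of `nfacct list` output, e.g.
#   { pkts = 00000000000000000120, bytes = 00000000000000012000 } = ipv4.tcp;
NFACCT_LINE = re.compile(
    r"\{\s*pkts\s*=\s*(\d+)\s*,\s*bytes\s*=\s*(\d+)\s*\}\s*=\s*(\S+);$"
)
Counters = Dict[str, Tuple[int, int]]   # name -> (packets, bytes)

# Constructed samples of two consecutive dumps (not real nfacct output).
DUMP_T0 = """\
{ pkts = 00000000000000000120, bytes = 00000000000000012000 } = ipv4.tcp;
{ pkts = 00000000000000000005, bytes = 00000000000000000400 } = ipv6.tcp.443;
"""
DUMP_T1 = """\
{ pkts = 00000000000000000150, bytes = 00000000000000015000 } = ipv4.tcp;
{ pkts = 00000000000000000002, bytes = 00000000000000000160 } = ipv6.tcp.443;
{ pkts = 00000000000000000007, bytes = 00000000000000000700 } = ipv4.udp;
"""

def parse_nfacct_list(text: str) -> Counters:
    """Map counter name -> (packets, bytes); lines that do not match are skipped."""
    counters: Counters = {}
    for line in text.splitlines():
        m = NFACCT_LINE.match(line.strip())
        if m:
            counters[m.group(3)] = (int(m.group(1)), int(m.group(2)))
    return counters

def counter_deltas(prev: Counters, cur: Counters) -> Counters:
    """Per-interval increments. A counter absent from prev, or one whose value
    went backwards (reset from userspace, or deleted and re-added), is reported
    from zero rather than as a negative number."""
    deltas: Counters = {}
    for name, (pkts, byts) in cur.items():
        p_pkts, p_bytes = prev.get(name, (0, 0))
        if pkts < p_pkts or byts < p_bytes:
            p_pkts, p_bytes = 0, 0
        deltas[name] = (pkts - p_pkts, byts - p_bytes)
    return deltas

if __name__ == "__main__":
    t0 = parse_nfacct_list(DUMP_T0)
    t1 = parse_nfacct_list(DUMP_T1)
    for name, (dp, db) in sorted(counter_deltas(t0, t1).items()):
        print("%-14s +%d pkts  +%d bytes" % (name, dp, db))
```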

===> COPYRIGHT + CREDITS

The code and documentation is
    (C) 2000-2006 by Harald Welte <laforge@gnumonks.org>
    (C) 2008-2012 Pablo Neira Ayuso <pablo@netfilter.org>
    (C) 2008-2013 Eric Leblond <eric@regit.org>

Thanks also to the valuable contributions of Daniel Stone, Alexander Janssen,
Michael Stolovitzsky and Jozsef Kadlecsik.

Credits to Rusty Russell, James Morris, Marc Boucher and all the other
netfilter hackers.
