doc:appunti:linux:sa:ulogd2

doc:appunti:linux:sa:ulogd2 [2025/02/17 16:52] – created niccolo
doc:appunti:linux:sa:ulogd2 [2025/04/03 12:43] (current) – [/etc/logrotate.d/ulogd2] niccolo

</code>
  
==== /etc/ulogd.conf ====

In the configuration file **/etc/ulogd.conf** we configure one **plugin stack** by adding this line:

<file>
# Custom stack for logging connections metadata.
stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU
</file>

This **stack** definition in the ulogd2 configuration file defines a **pipeline of plugins** that handle network flow data: each plugin in the stack performs a specific transformation or logging function on the keys it receives and passes them on to the next one. Every stack definition requires, in this order:

  - One input plugin (first in the stack)
  - None, one or multiple filter plugins
  - One output plugin (last in the stack)

Each plugin in the stack is referenced as **instance_name**:**module_type**, where the //instance_name// is an arbitrary string identifying that specific instance of the //module_type//. The same //instance_name// is used as a section name (e.g. ''[ct1]'') to configure that instance elsewhere in the configuration file. Several stacks can be declared with multiple ''stack='' lines, and the same module can appear in different stacks under different instance names; every module used must also be loaded with a ''plugin="..."'' line in the ''[global]'' section, otherwise ulogd refuses to start the stack.
 +
Here's a breakdown of the components in the stack defined above:

  - **ct1:NFCT**
    * ''NFCT'' stands for **Netfilter Connection Tracking**.
    * This input plugin subscribes to conntrack events from the kernel (through the **nfnetlink_conntrack** interface) and turns each event into a set of keys: source/destination addresses and ports, layer 4 protocol, conntrack state and timestamps and, if accounting is enabled, packet and byte counters for both directions.
  - **ip2str1:IP2STR**
    * ''IP2STR'' is a filter plugin that converts the binary IP addresses produced by NFCT into human-readable strings.
    * Without it the output plugin would receive raw address values instead of dotted-quad (or IPv6) notation.
  - **print1:PRINTFLOW**
    * ''PRINTFLOW'' is a filter plugin that formats the flow keys into a single printable line of the form ''ORIG: SRC=... DST=... , REPLY: SRC=... DST=...''.
    * The line it builds is what the output plugin writes; it is the flow-oriented counterpart of ''PRINTPKT'', which is used in per-packet NFLOG stacks.
  - **emu1:LOGEMU**
    * ''LOGEMU'' is an output plugin that emulates the syslog-like text format of the old ulogd 1.x (hence the name).
    * It writes the line produced by ''PRINTFLOW'' to a plain text file; other output plugins (''SYSLOG'', ''PGSQL'', ''MYSQL'', ''SQLITE3'', ''JSON''...) would send the same keys to syslog, a database or a JSON file instead.
 +
=== Configuring the NFCT Netfilter Connection Tracking ===

The //instance_name// **ct1** is used in the same configuration file to configure the NFCT module (which interfaces with the **nfnetlink_conntrack** kernel subsystem):

<file>
[ct1]
event_mask=0x00000001
hash_enable=0
</file>

In this case the module only receives **new connection** events, because the bitmask 0x00000001 selects the NEW event group only (when ''event_mask'' is omitted the plugin defaults to 0x00000005, NEW and DESTROY). The option ''hash_enable=0'' disables the plugin's internal hash table of tracked connections, which it otherwise uses to keep per-flow state between the NEW and the DESTROY event of the same connection; with NEW events only there is nothing to correlate, so turning it off avoids keeping a copy of every live flow in ulogd's memory. Keep the default (''hash_enable=1'') if you subscribe to DESTROY events and want the plugin to match them with the corresponding NEW event. On busy gateways also consider raising ''netlink_socket_buffer_size'' in this section: if the netlink socket overflows, ulogd reports that it is losing events and those events are simply never logged.
 +
=== The IP2STR and PRINTFLOW modules ===

These two modules are used with their defaults; no configuration section is needed for their instances.

=== The LOGEMU module ===

The **LOGEMU** module is configured as follows in the same configuration file:

<code>
[emu1]
file="/var/log/ulog/syslogemu.log"
sync=1
</code>

This means that the log is written to the specified file and that every entry is flushed from ulogd's stdio buffer to the file as soon as it is written, due to the ''sync=1'' option (one write call per record: convenient when tailing the log, and it limits what is lost if ulogd dies, at the cost of some throughput). Note that this is a buffer flush, not an fsync, so a host crash can still lose the last records. The file must live in a directory ulogd can write to; on Debian the package creates **/var/log/ulog/**, and rotation is handled by the **/etc/logrotate.d/ulogd2** section below.
 +
==== Bitmask Breakdown of event_mask in NFCT ====

The ''event_mask'' value is passed to the kernel as the set of **nfnetlink_conntrack multicast groups** to subscribe to; the bits are the ''NF_NETLINK_CONNTRACK_*'' constants defined in ''linux/netfilter/nfnetlink.h'':

^ Bit Position  ^ Hex Value  ^ Decimal Value  ^ Event Description  ^
|     0 |  0x00000001 |    1 | **NEW**: a conntrack entry was created (first packet of a connection seen)  |
|     1 |  0x00000002 |    2 | **UPDATE**: the entry changed (e.g. TCP state from SYN_SENT to ESTABLISHED, ASSURED set, mark changed); very noisy  |
|     2 |  0x00000004 |    4 | **DESTROY**: the entry was removed from the conntrack table (timeout, RST/FIN, manual flush); carries the final packet/byte counters  |
|     3 |  0x00000008 |    8 | **EXP_NEW**: an expectation was created by a helper (e.g. an FTP data connection announced on the control channel)  |
|     4 |  0x00000010 |   16 | **EXP_UPDATE**: an expectation was updated  |
|     5 |  0x00000020 |   32 | **EXP_DESTROY**: an expectation was removed  |
|  6-31 |           - |    - | Not defined; leave them cleared  |

Flags such as //assured// or //confirmed// are part of the conntrack entry's status, not separate event groups; changes to them are delivered as UPDATE events.

So if I want to track new and destroyed connections, the event_mask must be set to 0x00000001 + 0x00000004 = 0x00000005 (which is also the plugin's default). For accounting purposes the DESTROY events are the ones that matter, since only then are the total packets and bytes of the flow known; a NEW event carries at most the first packet.
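The stack rules (one input first, one output last, filters in between) and the event_mask bits described above can be checked mechanically before restarting ulogd. The following Python script is an added example and is not part of ulogd2 or of this page's original configuration: it reads a ulogd.conf text (a constructed sample is embedded, containing the stack above plus a deliberately broken second stack), verifies the shape of every ''stack='' line, decodes each NFCT instance's ''event_mask'' into event names, and warns when DESTROY is not subscribed, since flow totals are only reported then. The plugin lists and the warning texts are the example's own; the event bit values are those of nfnetlink.h.

```python
"""Lint a ulogd2 configuration: stack shape and NFCT event_mask.

Added example, not code from ulogd2. Plugin families and event bit
values come from ulogd2 and linux/netfilter/nfnetlink.h; the sample
configuration and the warning texts are constructed for this example.
"""
import re

# ulogd2 plugin families, by module name as written in stack= lines.
INPUT_PLUGINS = {"NFCT", "NFLOG", "NFACCT", "ULOG"}
FILTER_PLUGINS = {"IP2STR", "IP2BIN", "IP2HBIN", "IFINDEX", "PRINTFLOW",
                  "PRINTPKT", "HWHDR", "MARK", "PWSNIFF", "RAW2PACKET"}
OUTPUT_PLUGINS = {"LOGEMU", "OPRINT", "GPRINT", "SYSLOG", "PCAP", "XML", "JSON",
                  "PGSQL", "MYSQL", "SQLITE3", "DBI", "GRAPHITE", "NACCT"}

# nfnetlink_conntrack multicast group bits selected by event_mask.
EVENT_BITS = {0x01: "NEW", 0x02: "UPDATE", 0x04: "DESTROY",
              0x08: "EXP_NEW", 0x10: "EXP_UPDATE", 0x20: "EXP_DESTROY"}
DEFAULT_EVENT_MASK = 0x05  # ulogd2 default when the key is omitted: NEW | DESTROY

# Constructed sample: the page's stack plus a second one with no output plugin.
SAMPLE_CONF = """\
[global]
logfile="/var/log/ulogd.log"
# Custom stack for logging connections metadata.
stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU
stack=ct2:NFCT,print2:PRINTFLOW

[ct1]
event_mask=0x00000001
hash_enable=0

[ct2]
event_mask=0x00000005

[emu1]
file="/var/log/ulog/syslogemu.log"
sync=1
"""


def parse_conf(text):
    """Minimal ulogd.conf reader: {section: {key: [values in file order]}}.
    Repeated keys (several stack= lines) are kept, which configparser would not."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        head = re.fullmatch(r"\[(\w+)\]", line)
        if head:
            current = sections.setdefault(head.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if current is not None and sep:
            current.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return sections


def parse_int(value):
    """ulogd accepts decimal or 0x-prefixed hexadecimal integers."""
    return int(value, 16) if value.lower().startswith("0x") else int(value, 10)


def event_names(mask):
    """Decode an event_mask into the names of the subscribed event groups."""
    names = [name for bit, name in EVENT_BITS.items() if mask & bit]
    unknown = mask & ~sum(EVENT_BITS)
    if unknown:
        names.append("UNKNOWN(0x%x)" % unknown)
    return names


def event_mask(*names):
    """Build an event_mask from names: event_mask("NEW", "DESTROY") -> 0x5."""
    by_name = {name: bit for bit, name in EVENT_BITS.items()}
    return sum(by_name[name] for name in names)


def kind_of(module):
    """Classify a module name as input, filter, output or unknown."""
    for kind, family in (("input", INPUT_PLUGINS), ("filter", FILTER_PLUGINS),
                         ("output", OUTPUT_PLUGINS)):
        if module in family:
            return kind
    return "unknown"


def lint_nfct(instance, section):
    """Checks on one NFCT instance section ([ct1] and friends)."""
    findings = []
    raw = section.get("event_mask", [None])[-1]
    names = event_names(parse_int(raw) if raw is not None else DEFAULT_EVENT_MASK)
    if not names:
        findings.append(f"[{instance}] event_mask=0 subscribes to no events")
    elif "DESTROY" not in names:
        findings.append(f"[{instance}] subscribes to {'|'.join(names)} only: "
                        "flow packet/byte totals are reported on DESTROY events")
    if any(name.startswith("UNKNOWN") for name in names):
        findings.append(f"[{instance}] event_mask sets bits nfnetlink does not define")
    return findings


def lint(text):
    """Return findings for every stack= line in [global] and its NFCT instances."""
    conf, findings = parse_conf(text), []
    for stack in conf.get("global", {}).get("stack", []):
        plugins = []
        for entry in stack.split(","):
            instance, sep, module = entry.strip().partition(":")
            if sep:
                plugins.append((instance, module))
            else:
                findings.append(f"{stack}: '{entry}' is not of the form instance:MODULE")
        kinds = [kind_of(module) for _, module in plugins]
        if kinds.count("input") != 1 or kinds[:1] != ["input"]:
            findings.append(f"{stack}: needs exactly one input plugin, as the first element")
        if kinds.count("output") != 1 or kinds[-1:] != ["output"]:
            findings.append(f"{stack}: needs exactly one output plugin, as the last element")
        for (instance, module), kind in zip(plugins, kinds):
            if kind == "unknown":
                findings.append(f"{stack}: {module} is not a known ulogd2 plugin")
            elif module == "NFCT":
                findings.extend(lint_nfct(instance, conf.get(instance, {})))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Run it against the real file with ''lint(open("/etc/ulogd.conf").read())''; the sample produces two findings, one for ''[ct1]'' subscribing to NEW only and one for the second stack lacking an output plugin.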
 +
==== Logging bytes_sent and bytes_received ====

Per-flow packet and byte counters are only kept by the kernel when **conntrack accounting** is enabled. Check whether the entries listed by conntrack already carry the **packets=** and **bytes=** fields:

<code>
conntrack -L -o extended
</code>

If they do not, enable accounting at runtime:

<code>
sysctl -w net.netfilter.nf_conntrack_acct=1
</code>

For a permanent setting across reboots create the file **/etc/sysctl.d/99-nf_conntrack_acct.conf** with:

<file>
net.netfilter.nf_conntrack_acct=1
</file>

The sysctl key only exists once the ''nf_conntrack'' module is loaded, so on a host where the module is loaded late (by the firewall rules, after sysctl.d has been applied) the setting is silently not applied at boot; in that case either load the module early or set it as a module option (''options nf_conntrack acct=1'' in a file under **/etc/modprobe.d/**). Accounting also starts only for connections created after it is enabled: entries that already existed have no counters. With accounting on, NFCT exports the counters as the ''orig.raw.pktcount''/''orig.raw.pktlen'' and ''reply.raw.pktcount''/''reply.raw.pktlen'' keys, which ''PRINTFLOW'' renders as ''PKTS='' and ''BYTES='' in the ORIG and REPLY halves of each line; remember that the whole-flow totals only appear in DESTROY events, so ''event_mask'' must include 0x00000004.
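Once accounting is on and DESTROY events are subscribed, the LOGEMU file becomes a per-flow accounting source that can be summarised per client. The following Python script is an added example, not part of ulogd2 or of this page: the log lines embedded in it are constructed in the ''ORIG: ... , REPLY: ...'' style of PRINTFLOW output with a syslog-like prefix as written by LOGEMU (the exact prefix is assumed; the parser relies only on the ''KEY=VALUE'' tokens, so a different prefix or field order does not break it). It totals bytes sent and received per originating address and lists the clients whose outbound volume exceeds a threshold, a simple upload-anomaly check.

```python
"""Summarise per-client traffic from LOGEMU + PRINTFLOW flow records.

Added example, not part of ulogd2. The log lines are constructed in the
style of PRINTFLOW output; only the KEY=VALUE tokens are relied upon.
"""
import re
from collections import defaultdict

# Constructed sample: three DESTROY-time flow records written by the stack.
SAMPLE_LOG = """\
Feb 17 16:52:01 gateway ORIG: SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=443 PKTS=12 BYTES=1840 , REPLY: SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=443 DPT=51234 PKTS=10 BYTES=9200
Feb 17 16:52:07 gateway ORIG: SRC=192.0.2.10 DST=203.0.113.9 PROTO=UDP SPT=40000 DPT=53 PKTS=1 BYTES=64 , REPLY: SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=40000 PKTS=1 BYTES=120
Feb 17 16:53:30 gateway ORIG: SRC=192.0.2.23 DST=203.0.113.77 PROTO=TCP SPT=38822 DPT=22 PKTS=9000 BYTES=52428800 , REPLY: SRC=203.0.113.77 DST=192.0.2.23 PROTO=TCP SPT=22 DPT=38822 PKTS=3000 BYTES=210000
"""

TOKEN = re.compile(r"(\w+)=(\S+)")


def parse_flow(line):
    """Split one record into its ORIG and REPLY halves as dicts of KEY=VALUE.

    Returns None for lines that are not flow records (ulogd start-up
    messages, truncated lines), so callers can skip them safely.
    """
    if "ORIG:" not in line or "REPLY:" not in line:
        return None
    orig_part, reply_part = line.split("REPLY:", 1)
    orig = dict(TOKEN.findall(orig_part.split("ORIG:", 1)[1]))
    reply = dict(TOKEN.findall(reply_part))
    if "SRC" not in orig or "BYTES" not in orig or "BYTES" not in reply:
        return None
    return {"orig": orig, "reply": reply}


def bytes_by_client(log_text):
    """Per originating address: (bytes sent, bytes received) over all records."""
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        client = flow["orig"]["SRC"]
        totals[client][0] += int(flow["orig"]["BYTES"])   # client -> server
        totals[client][1] += int(flow["reply"]["BYTES"])  # server -> client
    return {client: tuple(counts) for client, counts in totals.items()}


def large_uploads(log_text, threshold):
    """Clients whose outbound bytes exceed threshold, largest first."""
    totals = bytes_by_client(log_text)
    return sorted(((client, sent) for client, (sent, _) in totals.items()
                   if sent > threshold), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for client, (sent, received) in sorted(bytes_by_client(SAMPLE_LOG).items()):
        print(f"{client:16} sent={sent:>10} received={received:>10}")
    print("large uploads:", large_uploads(SAMPLE_LOG, 10 * 1024 * 1024))
```

Feed it the real file with ''bytes_by_client(open("/var/log/ulog/syslogemu.log").read())''. Because the NEW and DESTROY records of a flow are not distinguishable in this output, run it on a log produced with ''event_mask=0x00000004'' (DESTROY only) if per-flow totals must not be double counted.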
 +
 +
 +
 +==== /etc/logrotate.d/ulogd2 ====
  
<code>
doc/appunti/linux/sa/ulogd2.1739807543.txt.gz · Last modified: 2025/02/17 16:52 by niccolo