doc:appunti:linux:sa:ulogd2

doc:appunti:linux:sa:ulogd2 [2025/04/03 12:15] – [/etc/ulogd.conf] niccolodoc:appunti:linux:sa:ulogd2 [2025/04/03 12:43] (current) – [/etc/logrotate.d/ulogd2] niccolo
Line 36: Line 36:
     * ''LOGEMU'' refers to a custom logging output (generally referred as a //logging emulator//).     * ''LOGEMU'' refers to a custom logging output (generally referred as a //logging emulator//).
     * This is the output plugin module which is responsible for sending logs to a file, database, or another destination.     * This is the output plugin module which is responsible for sending logs to a file, database, or another destination.
- 
  
 === Configuring the NFCT Netfilter Connection Tracking === === Configuring the NFCT Netfilter Connection Tracking ===
Line 53: Line 52:
  
 These two modules are used at their defaults, no custom configuration is used for their instances. These two modules are used at their defaults, no custom configuration is used for their instances.
 +
 +=== The LOGEMU module ===
 +
 +The **LOGEMU** modules is configured as follow in the same configuration file:
 +
 +<code>
 +[emu1]
 +file="/var/log/ulog/syslogemu.log"
 +sync=1
 +</code>
 +
 +This means that the log is written in the specified file, every log entry is flushed immediately to the disk due the ''sync=1'' option.
 +
 +==== Bitmask Breakdown of event_mask in NFCT ====
 +
 +^ Bit Position  ^ Hex Value  ^ Decimal Value  ^ Event Description  ^
 +|     0 |  0x00000001 |    1 | **New connection** (conntrack entry created)  |
 +|     1 |  0x00000002 |    2 | **Connection update** (state changes, e.g., from SYN_SENT to ESTABLISHED)  |
 +|     2 |  0x00000004 |    4 | **Destroyed connection** (entry removed from conntrack table)  |
 +|     3 |  0x00000008 |    8 | **Assured connection** (fully established, unlikely to be dropped)  |
 +|     4 |  0x00000010 |   16 | **Confirmed connection** (packet has been seen in both directions)  |
 +|     5 |  0x00000020 |   32 | **Expectation event** (related to NAT helper expectations)  |
 +|     6 |  0x00000040 |   64 | **Helper event** (connection helper activity, e.g., FTP, SIP)  |
 +|     7 |  0x00000080 |  128 | **Destroy by GC** (garbage collector removed the connection)  |
 +|  8-31 |           - |    - | (Reserved or unused in most implementations)  |
 +
 +So if I want to track new and destroyed connections, the event_mask mus be set to 0x00000001 + 0x00000004 = 0x00000005.
 +
 +==== Logging bytes_sent and bytes_received ====
 +
 +Check that conntrack has the **bytes=** field in this output:
 +
 +<code>
 +conntrack -L -o extended
 +</code>
 +
 +Run the following:
 +
 +<code>
 +sysctl -w net.netfilter.nf_conntrack_acct=1
 +</code>
 +
 +for permanent setting across reboot create the file **/etc/sysctl.d/99-nf_conntrack_acct.conf** with:
 +
 +<file>
 +net.netfilter.nf_conntrack_acct=1
 +</file>
 +
  
  
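Review bot: The event_mask table in this hunk lists bits 3 to 7 (assured, confirmed, expectation, helper, destroy by GC) without any source, and the text that follows only ever uses 0x00000001 (new) and 0x00000004 (destroy); the conntrack netlink groups I know of beyond NEW/UPDATE/DESTROY are the expectation NEW/UPDATE/DESTROY groups, so either cite where those row definitions come from or trim the table to the bits the page actually relies on, otherwise a reader will set a mask that does not do what the table promises. Small wording fixes in the same hunk: "The **LOGEMU** modules is configured as follow" should read "The **LOGEMU** module is configured as follows", "due the ''sync=1'' option" should be "due to the ''sync=1'' option", "the event_mask mus be set" should be "must be set", and "for permanent setting across reboot create the file" should start a sentence, e.g. "To make the setting persistent across reboots, create the file". In the bytes_sent/bytes_received section, the "Check that conntrack has the **bytes=** field" step does not say what to do when the field is missing; say explicitly that the sysctl that follows is the fix, so the check and the remedy read as one procedure.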
doc/appunti/linux/sa/ulogd2.1743675321.txt.gz · Last modified: 2025/04/03 12:15 by niccolo