doc:appunti:linux:sa:ulogd2

Differences

doc:appunti:linux:sa:ulogd2 [2025/04/03 12:19] – [/etc/ulogd.conf] niccolo
doc:appunti:linux:sa:ulogd2 [2025/04/03 12:43] (current) – [/etc/logrotate.d/ulogd2] niccolo
Line 36: Line 36:
     * ''LOGEMU'' refers to a custom logging output (generally referred as a //logging emulator//).     * ''LOGEMU'' refers to a custom logging output (generally referred as a //logging emulator//).
     * This is the output plugin module which is responsible for sending logs to a file, database, or another destination.     * This is the output plugin module which is responsible for sending logs to a file, database, or another destination.
- 
  
 === Configuring the NFCT Netfilter Connection Tracking === === Configuring the NFCT Netfilter Connection Tracking ===
Line 65: Line 64:
  
 This means that the log is written in the specified file, every log entry is flushed immediately to the disk due the ''sync=1'' option. This means that the log is written in the specified file, every log entry is flushed immediately to the disk due the ''sync=1'' option.
 +
 +==== Bitmask Breakdown of event_mask in NFCT ====
 +
 +^ Bit Position  ^ Hex Value  ^ Decimal Value  ^ Event Description  ^
 +|     0 |  0x00000001 |    1 | **New connection** (conntrack entry created)  |
 +|     1 |  0x00000002 |    2 | **Connection update** (state changes, e.g., from SYN_SENT to ESTABLISHED)  |
 +|     2 |  0x00000004 |    4 | **Destroyed connection** (entry removed from conntrack table)  |
 +|     3 |  0x00000008 |    8 | **Assured connection** (fully established, unlikely to be dropped)  |
 +|     4 |  0x00000010 |   16 | **Confirmed connection** (packet has been seen in both directions)  |
 +|     5 |  0x00000020 |   32 | **Expectation event** (related to NAT helper expectations)  |
 +|     6 |  0x00000040 |   64 | **Helper event** (connection helper activity, e.g., FTP, SIP)  |
 +|     7 |  0x00000080 |  128 | **Destroy by GC** (garbage collector removed the connection)  |
 +|  8-31 |           - |    - | (Reserved or unused in most implementations)  |
 +
 +So if I want to track new and destroyed connections, the event_mask mus be set to 0x00000001 + 0x00000004 = 0x00000005.
 +
 +==== Logging bytes_sent and bytes_received ====
 +
 +Check that conntrack has the **bytes=** field in this output:
 +
 +<code>
 +conntrack -L -o extended
 +</code>
 +
 +Run the following:
 +
 +<code>
 +sysctl -w net.netfilter.nf_conntrack_acct=1
 +</code>
 +
 +for permanent setting across reboot create the file **/etc/sysctl.d/99-nf_conntrack_acct.conf** with:
 +
 +<file>
 +net.netfilter.nf_conntrack_acct=1
 +</file>
  
  
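Review bot: the event_mask table rows for bits 3 through 7 do not match the NF_NETLINK_CONNTRACK_* flags that ulogd2's NFCT input plugin passes to nfct_open(): the kernel's nfnetlink_compat.h defines only NEW (0x1), UPDATE (0x2), DESTROY (0x4), EXP_NEW (0x8), EXP_UPDATE (0x10) and EXP_DESTROY (0x20), so "Assured connection", "Confirmed connection", "Helper event" and "Destroy by GC" are not event bits and should be dropped, with 0x8/0x10/0x20 relabelled as the expectation new/update/destroy events. The worked value 0x00000001 + 0x00000004 = 0x00000005 for new plus destroyed connections is correct, but "mus be set" should read "must be set". In the "Logging bytes_sent and bytes_received" section, the ''conntrack -L -o extended'' check only shows a ''bytes='' field once ''net.netfilter.nf_conntrack_acct=1'' is in effect, so that check belongs after the sysctl step as a verification rather than before it.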
doc/appunti/linux/sa/ulogd2.1743675540.txt.gz · Last modified: 2025/04/03 12:19 by niccolo