apt install ulogd2

We configure one plugin stack adding this line into the configuration file:

# Custom stack for logging connections metadata.
stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU

This stack definition in the ulog2 configuration file defines a pipeline of processing modules that handle network flow data. Each module in the stack performs a specific transformation or logging function. Here's a breakdown of the components:

1. ct1:NFCT
   • NFCT stands for Netfilter Connection Tracking.
   • This module extracts connection tracking (conntrack) information from packets, such as session state, source/destination IPs, and ports.
2. ip2str1:IP2STR
   • IP2STR converts IP addresses into human-readable string representations.
   • This ensures that logs display IP addresses in standard notation instead of numerical or binary formats.
3. print1:PRINTFLOW
   • PRINTFLOW formats and prints the logged packet or flow information.
   • This is useful for debugging or human-readable log output.
4. emu1:LOGEMU
   • LOGEMU refers to a custom logging output (generally referred as a logging emulator).
   • This module is responsible for sending logs to a file, database, or another destination.

[ct1]
event_mask=0x00000001
hash_enable=0

• Input plugin
• None, one or multiple filter plugins
• One output plugin

In the example above we use the NFCT input plugin, which interfaces with the nfnetlink_conntrack kernel subsystem, and provides flow-based logging.

The option hash_enable …

systemctl enable ulogd2.service
systemctl start ulogd2.service