ulogd2.0的装配

ulogd2.0的安装

参考文章：http://www.wzdftpd.net/blog/index.php?post/2008/04/05/19-ulogd2-the-new-userspace-logging-daemon-for-netfilter-iptables-part-2

ulogd2.0.1的下载地址：http://www.netfilter.org/projects/ulogd/downloads.html

安装ulogd2.0.1之前需要安装的软件包如下：

• libnfnetlink that provides basic communication infrastructure via Netlink.
• libmnl that provides basic communication infrastructure via Netlink, this library will supersede libnfnetlink. Still, we require both libraries as we are still in transition to entirely replace libnfnetlink by libmnl.
• libnetfilter_log for stateless packet-based logging via nfnetlink_queue.
• libnetfilter_conntrack for stateful flow-based via nf_conntrack_netlink.
• libnetfilter_acct for flexible traffic accounting via nfnetlink_acct and iptables nfacct match (it requires Linux kernel >= 3.3.x).This requires a Linux kernel >= 2.6.14, but Linux kernel >= 2.6.18 is strongly recommended. Note that if you need SQL database output suport, you will need the header files of the respective libraries.
  

  建议如上安装包直接安装到/usr/local/lib目录下

  如果要把ulogd产生的日志记录到mysql数据中，那应先安装mysql数据库

  安装mysql数据库请参考：http://blog.csdn.net/dlutxie/article/details/8243359

  http://blog.csdn.net/dlutxie/article/details/8218078
  

  
  

  安装ulogd2.0命令如下：

  tar xvf ulogd-2.0.1.tar.gz

  cd ulogd-2.0.1

  ./configure --prefix=/usr/local/ulogd  --with-mysql=/usr/local/mysql #如果要增加调试选项，那可在后面加上CFLAGS=" -g -DDEBUG"
  

  即：./configure --prefix=/usr/local/ulogd --with-mysql=/usr/local/mysql CFLAGS=" -g -DDEBUG"

  make

  make install

  在/etc/ld.so.conf文件中加入：/usr/local/ulogd/sbin 

  修改配置文件如下：

  配置文件下载地址：http://download.csdn.net/detail/dlutxie/5099951

  
  # logfile for status messages
  logfile="/var/log/ulogd/ulogd.log"  
  
  # this is a stack for logging packet to MySQL 注意，这块只能用log1，用log2不能将数据记录到数据库中！！！
  stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mac2str1:HWHDR,ipd2str1:IP2STR,printpkt1:PRINTPKT,mysql1:MYSQL
  #stack=log2:ULOG,base1:BASE,ip2bin1:IP2BIN,mysql1:MYSQL
  
  # Logging of system packet through NFLOG
  [log1]
  # netlink multicast group (the same as the iptables --nflog-group param)
  # Group O is used by the kernel to log connection tracking invalid message
  group=0
  #netlink_socket_buffer_size=217088
  #netlink_socket_buffer_maxsize=1085440
  # set number of packet to queue inside kernel
  #netlink_qthreshold=1
  # set the delay before flushing packet in the queue inside kernel (in 10ms)
  #netlink_qtimeout=100
  
  # packet logging through NFLOG for group 1
  [log2]
  # netlink multicast group (the same as the iptables --nflog-group param)
  group=1 # Group has to be different from the one use in log1
  netlink_socket_buffer_size=217088
  netlink_socket_buffer_maxsize=1085440
  # If your kernel is older than 2.6.29 and if a NFLOG input plugin with
  # group 0 is not used by any stack, you need to have at least one NFLOG
  # input plugin with bind set to 1. If you don't do that you may not
  # receive any message from the kernel.
  bind=1
  
  # packet logging through NFLOG for group 2, numeric_label is
  # set to 1
  [log3]
  # netlink multicast group (the same as the iptables --nflog-group param)
  group=2 # Group has to be different from the one use in log1/log2
  numeric_label=1 # you can label the log info based on the packet verdict
  #netlink_socket_buffer_size=217088
  #netlink_socket_buffer_maxsize=1085440
  #bind=1
  
  [mysql1]
  db="ulogd"
  host="localhost"
  user="root"
  table="ulog"   #注意，这块只能是ulog（新的数据库表ulog只是一个视图）,而不是ulog2
  pass="root"
  procedure="INSERT_PACKET_FULL "
  charset="utf8"  #这一个是我修改了ulogd_output_MYSQL.c源文件之后加上的，目的是为了解决中文乱码问题
  
  [mysql2]
  db="ulogd"
  host="localhost"
  user="ulogd"
  table="ulog2_ct"
  pass="ulogd"
  procedure="INSERT_CT"
  charset="utf8"
  
  

  建立ulogd日志的目录：mkdir -pv  /var/log/ulogd

  ulogd_output_MYSQL.c：修后改的源文件下载地址：http://download.csdn.net/detail/dlutxie/5099927
  

  修改后的mysql-ulogd2.sql 文件下载地址：http://download.csdn.net/detail/dlutxie/5099937

  建立数据库表：

  1.建数据库，这里建数据库时指定了字符集，要不中文可能乱码

  echo "create database ulogd character set utf8;" | mysql -u root -proot   

  2.建数据库表，这里自带的建表所用的默认字符集为latin1,如果中文乱码，那请改为 utf8或gbk
  /usr/local/mysql/bin/mysql -u root -proot -D ulogd < ./doc/mysql-ulogd2.sql  
  

  3.添加用户及权限

  echo "grant create, insert, select, delete, update on ulogd.* to ulogd@localhost identified by 'ulogd'" | /usr/local/mysql/bin/mysql -u root -proot
  

  
  

  编码ulogd中可能出现的问题：

  ulogd_output_MYSQL.c:47:25: error: mysql/mysql.h: No such file or directory
  

  make[3]: *** [ulogd_output_MYSQL.lo] Error 1
  

  将ulogd-2.0.1/output/mysql/ulogd_output_MYSQL.c文件中的#include<mysql/mysql.h>修改为：#include</usr/local/mysql/include/mysql.h>，这里的mysql是安装在/usr/local/mysql目录下的

  
  

  ulogd_output_PCAP.c:32:18: error: pcap.h: No such file or directory

  下载个pcap安装包安装上就行

  
  

  Mon Dec  3 21:15:44 2012 <7> ulogd.c:727 cannot find key `label' in stack
  Mon Dec  3 21:15:44 2012 <1> ulogd.c:873 destroying stack
  Mon Dec  3 21:15:44 2012 <8> ulogd.c:1189 not even a single working plugin stack
  

  这个问题是由于配置文件中mysql那一节的table设为ulog2造成的，改为：ulog就行

  
  

  ulogd2.0各插件的键值信息可通过：ulogd  -i  插件名 查看

  如： ulogd  -i  ulogd/sbin/ulogd -i /usr/local/ulogd/lib/ulogd/ulogd_inppkt_NFLOG.so 
  Name: NFLOG
  Config options:
  Var: bufsize (Integer, Default: 150000)
  Var: group (Integer, Default: 0)
  Var: unbind (Integer, Default: 1)
  Var: bind (Integer, Default: 0)
  Var: seq_local (Integer, Default: 0)
  Var: seq_global (Integer, Default: 0)
  Var: numeric_label (Integer, Default: 0)  # raw_label
  Var: netlink_socket_buffer_size (Integer, Default: 0)
  Var: netlink_socket_buffer_maxsize (Integer, Default: 0)
  Var: netlink_qthreshold (Integer, Default: 0)
  Var: netlink_qtimeout (Integer, Default: 0)
  Input keys:
  Input plugin, No keys
  Output keys:
  Key: raw.mac (raw data)       # NFULA_HWHEADER   
  Key: raw.pkt (raw data)       # NFLOG_KEY_RAW_PCKT  opaque data payload 
  Key: raw.pktlen (unsigned int 32)
  Key: raw.pktcount (unsigned int 32)    # 恒为1
  Key: oob.prefix (string)               # NFULA_PREFIX  由 --nflog-prefix 指定
  Key: oob.time.sec (unsigned int 32)    # NFULA_TIMESTAMP  seconds 1970-1-1到当前时间的秒数
  Key: oob.time.usec (unsigned int 32)   # NFULA_TIMESTAMP  micoseconds
  Key: oob.mark (unsigned int 32)        # Generic packet mark   NFULA_MARK
  Key: oob.ifindex_in (unsigned int 32)   #桥接输入口  NFULA_IFINDEX_INDEV
  Key: oob.ifindex_out (unsigned int 32)  #桥接输出口  NFULA_IFINDEX_OUTDEV
  Key: oob.hook (unsigned int 8)          # NFULA_PACKET_HDR  NFLOG_KEY_OOB_HOOK
  Key: raw.mac_len (unsigned int 16)     # NFULA_HWLEN
  Key: oob.seq.local (unsigned int 32)   # instance-local sequence number
  Key: oob.seq.global (unsigned int 32)  # global sequence number
  Key: oob.family (unsigned int 8)       # 协议簇，对于ipv4而言，是PF_INET  socket.h
  Key: oob.protocol (unsigned int 16)    # NFULA_PACKET_HDR  NFLOG_KEY_OOB_PROTOCOL
  Key: oob.uid (unsigned int 32)    # UID for VFS ops user id of socket    NFULA_UID
  Key: oob.gid (unsigned int 32)    # GID for VFS ops group id of socket    NFULA_GID
  Key: raw.label (unsigned int 8)  #这个由配置文件numeric_label设置
  Key: raw.type (unsigned int 16)    # 接口硬件类型 1为以太网，定义在 include/linux/if_arp.h里
  Key: raw.mac.saddr (raw data)
  Key: raw.mac.addrlen (unsigned int 16)
  Key: raw (raw data)              # NFLOG_KEY_RAW 原始数据  nflog_data *ldata 数组
  
  raw.type 参考如下链接：
  http://www.iana.org/assignments/arp-parameters/arp-parameters.xml
  http://iana.org/protocols
  
  http://www.nirtec.com/hardware/hardware.htm
  INTERFACES TYPES
  
  http://blog.csdn.net/lamdoc/article/details/7873120
   sk_buff 定义及其操作
  
  hooknum这个成员用于指定安装的这个函数对应的具体的hook类型:
          NF_IP_PRE_ROUTING  0  在完整性校验之后，选路确定之前
          NF_IP_LOCAL_IN     1   在选路确定之后，且数据包的目的是本地主机
          NF_IP_FORWARD      2  目的地是其它主机地数据包
          NF_IP_LOCAL_OUT    3    来自本机进程的数据包在其离开本地主机的过程中
          NF_IP_POST_ROUTING 4   在数据包离开本地主机“上线”之前