====== Monitoring with ulogd2 ======

<code bash>
apt install ulogd2
</code>

==== /etc/ulogd.conf ====

In the configuration file **/etc/ulogd.conf** we configure one **plugin stack** by adding this line:

<code>
# Custom stack for logging connections metadata.
stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU
</code>

This **stack** definition in the ulogd2 configuration file defines a **pipeline of processing modules** that handle network flow data. Each module in the stack performs a specific transformation or logging function. Every stack definition requires:

  - One input plugin
  - None, one or multiple filter plugins
  - One output plugin

Each plugin module in the stack is referenced as **instance_name**:**module_type**, where the //instance_name// is an arbitrary string used to identify that specific instance of the //module_type//. The //instance_name// is also used to configure the instance in the same configuration file. Here's a breakdown of the components in the stack defined above:

  - **ct1:NFCT**
    * ''NFCT'' stands for **Netfilter Connection Tracking**.
    * This input plugin module extracts connection tracking (conntrack) information from packets, such as session state, source/destination IPs, and ports.
  - **ip2str1:IP2STR**
    * ''IP2STR'' converts IP addresses into human-readable string representations.
    * This ensures that logs display IP addresses in standard notation instead of numerical or binary formats.
  - **print1:PRINTFLOW**
    * ''PRINTFLOW'' formats and prints the logged packet or flow information.
    * This is useful for debugging or human-readable log output.
  - **emu1:LOGEMU**
    * ''LOGEMU'' refers to a custom logging output (generally referred to as a //logging emulator//).
    * This is the output plugin module, which is responsible for sending logs to a file, database, or another destination.
=== Configuring the NFCT Netfilter Connection Tracking ===

The //instance_name// **ct1** is used in the same configuration file to configure the NFCT module (which interfaces with the **nfnetlink_conntrack** kernel subsystem).

<code>
[ct1]
event_mask=0x00000001
hash_enable=0
</code>

In this case the module will consider only packets of **new connections**, because the bitmask 0x00000001 matches new connections only. The option ''hash_enable=0'' means that no memory will be used to track connections; on the other hand, this will slow down the processing of packets.

=== The IP2STR and PRINTFLOW modules ===

These two modules are used at their defaults; no custom configuration is used for their instances.

=== The LOGEMU module ===

The **LOGEMU** module is configured as follows in the same configuration file:

<code>
[emu1]
file="/var/log/ulog/syslogemu.log"
sync=1
</code>

This means that the log is written to the specified file, and every log entry is flushed immediately to disk due to the ''sync=1'' option.

==== Bitmask Breakdown of event_mask in NFCT ====

^ Bit Position ^ Hex Value ^ Decimal Value ^ Event Description ^
| 0 | 0x00000001 | 1 | **New connection** (conntrack entry created) |
| 1 | 0x00000002 | 2 | **Connection update** (state changes, e.g., from SYN_SENT to ESTABLISHED) |
| 2 | 0x00000004 | 4 | **Destroyed connection** (entry removed from conntrack table) |
| 3 | 0x00000008 | 8 | **Assured connection** (fully established, unlikely to be dropped) |
| 4 | 0x00000010 | 16 | **Confirmed connection** (packet has been seen in both directions) |
| 5 | 0x00000020 | 32 | **Expectation event** (related to NAT helper expectations) |
| 6 | 0x00000040 | 64 | **Helper event** (connection helper activity, e.g., FTP, SIP) |
| 7 | 0x00000080 | 128 | **Destroy by GC** (garbage collector removed the connection) |
| 8-31 | - | - | (Reserved or unused in most implementations) |

So if I want to track new and destroyed connections, the event_mask must be set to 0x00000001 + 0x00000004 = 0x00000005.
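As an added example (not part of the original page), here is a Python parser for the lines that ''emu1'' writes to /var/log/ulog/syslogemu.log. It assumes the PRINTFLOW line shape (syslog-style prefix, ''[NEW]''/''[DESTROY]'' tag, ORIG/REPLY tuples with optional PKTS/BYTES); the sample lines are constructed. It totals bytes sent and received per flow from DESTROY events only, which is why an event_mask covering both new and destroyed connections (0x00000005) is needed to see the final counters.

```python
import re
from collections import defaultdict

# Constructed sample in the shape PRINTFLOW emits through LOGEMU (assumed format).
# The UDP line lacks PKTS/BYTES, as happens when nf_conntrack_acct is disabled.
SAMPLE_LOG = """\
Mar 24 10:12:01 gw [NEW] ORIG: SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=44122 DPT=443 PKTS=0 BYTES=0 , REPLY: SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=443 DPT=44122 PKTS=0 BYTES=0
Mar 24 10:12:09 gw [DESTROY] ORIG: SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=44122 DPT=443 PKTS=12 BYTES=1830 , REPLY: SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=443 DPT=44122 PKTS=10 BYTES=6204
Mar 24 10:13:40 gw [DESTROY] ORIG: SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=51000 DPT=53 , REPLY: SRC=198.51.100.5 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=51000
"""
EVENT_RE = re.compile(r"\[(?P<event>NEW|UPDATE|DESTROY)\]")
TUPLE_RE = re.compile(
    r"(?P<dir>ORIG|REPLY): SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?(?: PKTS=(?P<pkts>\d+) BYTES=(?P<bytes>\d+))?"
)

def parse_line(line):
    """Return (event, {"ORIG": {...}, "REPLY": {...}}) or None if not a flow record."""
    ev = EVENT_RE.search(line)
    if ev is None:
        return None
    tuples = {}
    for m in TUPLE_RE.finditer(line):
        d = m.groupdict()
        tuples[d["dir"]] = {
            "src": d["src"], "dst": d["dst"], "proto": d["proto"],
            "dpt": int(d["dpt"]) if d["dpt"] else None,
            # None, not 0, when accounting is off so callers can tell the two apart
            "bytes": int(d["bytes"]) if d["bytes"] is not None else None,
        }
    return ev.group("event"), tuples

def bytes_per_flow(log_text):
    """Sum bytes sent/received per (src, dst, proto, dpt) from DESTROY events only:
    NEW logs zeros, so event_mask must include 0x4. Returns (totals, unaccounted)."""
    totals = defaultdict(lambda: {"sent": 0, "received": 0})
    unaccounted = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[0] != "DESTROY":
            continue
        orig, reply = rec[1].get("ORIG"), rec[1].get("REPLY", {})
        if orig is None or orig["bytes"] is None:
            unaccounted += 1  # counters missing: nf_conntrack_acct is off
            continue
        key = (orig["src"], orig["dst"], orig["proto"], orig["dpt"])
        totals[key]["sent"] += orig["bytes"]
        totals[key]["received"] += reply.get("bytes") or 0
    return dict(totals), unaccounted
```

A non-zero ''unaccounted'' count is the signal that conntrack accounting is not enabled on the host.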
==== Logging bytes_sent and bytes_received ====

Check that conntrack shows the **bytes=** field in the output of:

<code bash>
conntrack -L -o extended
</code>

Run the following:

<code bash>
sysctl -w net.netfilter.nf_conntrack_acct=1
</code>

For a permanent setting across reboots, create the file **/etc/sysctl.d/99-nf_conntrack_acct.conf** with:

<code>
net.netfilter.nf_conntrack_acct=1
</code>

==== /etc/logrotate.d/ulogd2 ====

<code bash>
systemctl enable ulogd2.service
systemctl start ulogd2.service
</code>