Table of Contents

Monitoraggio con ulogd2

apt install ulogd2

/etc/ulogd.conf

In the configuration file /etc/ulogd.conf we configure one plugin stack adding this line: 

# Custom stack for logging connections metadata.
stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU

This stack definition in the ulog2 configuration file defines a pipeline of processing modules that handle network flow data. Each module in the stack performs a specific transformation or logging function. Every stack definition requires:

  1. One input plugin
  2. None, one or multiple filter plugins
  3. One output plugin

Each plugin module in the stack is referenced with an instance_name:module_type, where the instance_name is an arbitrary string used to identify that specific instance of the module_type. The instance_name is used also to configure the instance in the same configuration file.

Here's a breakdown of the components in the stack defined above:

  1. ct1:NFCT
    • NFCT stands for Netfilter Connection Tracking.
    • This input plogin module extracts connection tracking (conntrack) information from packets, such as session state, source/destination IPs, and ports.
  2. ip2str1:IP2STR
    • IP2STR converts IP addresses into human-readable string representations.
    • This ensures that logs display IP addresses in standard notation instead of numerical or binary formats.
  3. print1:PRINTFLOW
    • PRINTFLOW formats and prints the logged packet or flow information.
    • This is useful for debugging or human-readable log output.
  4. emu1:LOGEMU
    • LOGEMU refers to a custom logging output (generally referred as a logging emulator).
    • This is the output plugin module which is responsible for sending logs to a file, database, or another destination.

Configuring the NFCT Netfilter Connection Tracking

The instance_name ct1 is used in the same configuration file to configure the NFCT module (which interfaces with the nfnetlink_conntrack kernel subsystem). 

[ct1]
event_mask=0x00000001
hash_enable=0

In this case the module will consider only new connections packets because the bitmask 0x00000001 matches new connections only. The option hash_enable=0 means that no memory will be used to track connections, this will in the other and, slow down the processing of packets.

The IP2STR and PRINTFLOW modules

These two modules are used at their defaults, no custom configuration is used for their instances.

The LOGEMU module

The LOGEMU modules is configured as follow in the same configuration file: 

[emu1]
file="/var/log/ulog/syslogemu.log"
sync=1

This means that the log is written in the specified file, every log entry is flushed immediately to the disk due the sync=1 option.

Bitmask Breakdown of event_mask in NFCT

Bit Position Hex Value Decimal Value Event Description
0 0x00000001 1 New connection (conntrack entry created)
1 0x00000002 2 Connection update (state changes, e.g., from SYN_SENT to ESTABLISHED)
2 0x00000004 4 Destroyed connection (entry removed from conntrack table)
3 0x00000008 8 Assured connection (fully established, unlikely to be dropped)
4 0x00000010 16 Confirmed connection (packet has been seen in both directions)
5 0x00000020 32 Expectation event (related to NAT helper expectations)
6 0x00000040 64 Helper event (connection helper activity, e.g., FTP, SIP)
7 0x00000080 128 Destroy by GC (garbage collector removed the connection)
8-31 - - (Reserved or unused in most implementations)

So if I want to track new and destroyed connections, the event_mask mus be set to 0x00000001 + 0x00000004 = 0x00000005.

Logging bytes_sent and bytes_received

Check that conntrack has the bytes= field in this output: 

conntrack -L -o extended

Run the following: 

sysctl -w net.netfilter.nf_conntrack_acct=1

for permanent setting across reboot create the file /etc/sysctl.d/99-nf_conntrack_acct.conf with: 

net.netfilter.nf_conntrack_acct=1

/etc/logrotate.d/ulogd2

systemctl enable ulogd2.service
systemctl start ulogd2.service