Monitoring with ulogd2
apt install ulogd2
/etc/ulogd.conf
In the configuration file /etc/ulogd.conf we configure one plugin stack by adding these lines:
# Custom stack for logging connections metadata.
stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU
This stack definition in the ulogd2 configuration file defines a pipeline of processing modules that handle network flow data. Each module in the stack performs a specific transformation or logging function. Every stack definition requires:
- One input plugin
- None, one or multiple filter plugins
- One output plugin
Each plugin module in the stack is referenced as instance_name:module_type, where the instance_name is an arbitrary string used to identify that specific instance of the module_type. The instance_name is also used to configure the instance in the same configuration file.
Here's a breakdown of the components in the stack defined above:
- ct1:NFCT: NFCT stands for Netfilter Connection Tracking. This input plugin module extracts connection tracking (conntrack) information from packets, such as session state, source/destination IPs, and ports.
- ip2str1:IP2STR: IP2STR converts IP addresses into human-readable string representations. This ensures that logs display IP addresses in standard notation instead of numerical or binary formats.
- print1:PRINTFLOW: PRINTFLOW formats and prints the logged packet or flow information. This is useful for debugging or human-readable log output.
- emu1:LOGEMU: LOGEMU refers to a custom logging output (generally referred to as a logging emulator). This is the output plugin module, which is responsible for sending logs to a file, database, or another destination.
Configuring the NFCT Netfilter Connection Tracking
The instance_name ct1 is used in the same configuration file to configure the NFCT module (which interfaces with the nfnetlink_conntrack kernel subsystem).
[ct1]
event_mask=0x00000001
hash_enable=0
In this case the module will consider only new-connection packets, because the bitmask 0x00000001 matches new connections only. The option hash_enable=0 means that no memory will be used to track connections; on the other hand, this will slow down the processing of packets.
The IP2STR and PRINTFLOW modules
These two modules are used at their defaults, no custom configuration is used for their instances.
The LOGEMU module
The LOGEMU module is configured as follows in the same configuration file:
[emu1]
file="/var/log/ulog/syslogemu.log"
sync=1
This means that the log is written to the specified file, and every log entry is flushed immediately to disk because of the sync=1 option.
Bitmask Breakdown of event_mask in NFCT
| Bit Position | Hex Value | Decimal Value | Event Description |
|---|---|---|---|
| 0 | 0x00000001 | 1 | New connection (conntrack entry created) |
| 1 | 0x00000002 | 2 | Connection update (state changes, e.g., from SYN_SENT to ESTABLISHED) |
| 2 | 0x00000004 | 4 | Destroyed connection (entry removed from conntrack table) |
| 3 | 0x00000008 | 8 | Assured connection (fully established, unlikely to be dropped) |
| 4 | 0x00000010 | 16 | Confirmed connection (packet has been seen in both directions) |
| 5 | 0x00000020 | 32 | Expectation event (related to NAT helper expectations) |
| 6 | 0x00000040 | 64 | Helper event (connection helper activity, e.g., FTP, SIP) |
| 7 | 0x00000080 | 128 | Destroy by GC (garbage collector removed the connection) |
| 8-31 | - | - | (Reserved or unused in most implementations) |
So if I want to track new and destroyed connections, the event_mask must be set to 0x00000001 + 0x00000004 = 0x00000005.
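As an added example (not part of this page or of the ulogd2 project), the following Python script checks that a ulogd.conf stack has the input / filters / output shape described above and translates event_mask values to and from the event names in the table. It assumes only the four plugin modules used on this page and only the three low bits of event_mask (new, update, destroy); the embedded configuration text is a constructed sample.

```python
import configparser

# Roles of the plugin modules used on this page (assumption: ulogd2 ships more
# modules than these four; the validator only needs the ones in the stack above).
PLUGIN_ROLE = {"NFCT": "input", "IP2STR": "filter", "PRINTFLOW": "filter", "LOGEMU": "output"}

# Meaning of the low bits of event_mask, taken from the table above.
EVENT_BITS = {0x00000001: "new", 0x00000002: "update", 0x00000004: "destroy"}

# Constructed sample: a reduced ulogd.conf carrying the stack and instances described above.
SAMPLE_CONF = """
[global]
stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU
[ct1]
event_mask=0x00000005
hash_enable=0
[emu1]
file="/var/log/ulog/syslogemu.log"
sync=1
"""

def parse_stack(stack_value):
    """Split 'instance:MODULE,...' into pairs and enforce the one-input,
    any-number-of-filters, one-output shape every stack definition needs."""
    pairs = [tuple(item.split(":", 1)) for item in stack_value.split(",")]
    roles = [PLUGIN_ROLE[module] for _, module in pairs]
    if len(roles) < 2 or roles[0] != "input" or roles[-1] != "output":
        raise ValueError("stack must start with an input plugin and end with an output plugin")
    if any(role != "filter" for role in roles[1:-1]):
        raise ValueError("only filter plugins may sit between the input and the output")
    return pairs

def decode_event_mask(mask):
    """Names of the conntrack events selected by a numeric event_mask."""
    return [name for bit, name in EVENT_BITS.items() if mask & bit]

def encode_event_mask(names):
    """Inverse: hex event_mask string for a set of event names (new + destroy -> 0x00000005)."""
    return f"0x{sum(bit for bit, name in EVENT_BITS.items() if name in names):08x}"

def check_config(text):
    """Validate the stack in a ulogd.conf text and decode each NFCT instance's event_mask.
    strict=False because real files repeat 'plugin=' lines under [global]."""
    cfg = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    stack = parse_stack(cfg["global"]["stack"])
    events = {inst: decode_event_mask(int(cfg[inst]["event_mask"], 16))
              for inst, module in stack if module == "NFCT" and cfg.has_option(inst, "event_mask")}
    return {"stack": stack, "events": events}
```

A file with several stack= lines keeps only the last one under configparser, so run the check per stack if you use more than one.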
/etc/logrotate.d/ulogd2
systemctl enable ulogd2.service
systemctl start ulogd2.service