ulogd2.0的安裝

參考文章：http://www.wzdftpd.net/blog/index.php?post/2008/04/05/19-ulogd2-the-new-userspace-logging-daemon-for-netfilter-iptables-part-2

ulogd2.0.1的下載地址：http://www.netfilter.org/projects/ulogd/downloads.html

安裝ulogd2.0.1之前需要安裝的軟件包如下：

• libnfnetlink that provides basic communication infrastructure via Netlink.
• libmnl that provides basic communication infrastructure via Netlink, this library will supersede libnfnetlink. Still, we require both libraries as we are still in transition to entirely replace libnfnetlink by libmnl.
• libnetfilter_log for stateless packet-based logging via nfnetlink_queue.
• libnetfilter_conntrack for stateful flow-based via nf_conntrack_netlink.
• libnetfilter_acct for flexible traffic accounting via nfnetlink_acct and iptables nfacct match (it requires Linux kernel >= 3.3.x).

This requires a Linux kernel >= 2.6.14, but Linux kernel >= 2.6.18 is strongly recommended. Note that if you need SQL database output suport, you will need the header files of the respective libraries.

建議如上安裝包直接安裝到/usr/local/lib目錄下

如果要把ulogd產生的日誌記錄到mysql數據中，那應先安裝mysql數據庫

安裝mysql數據庫請參考：http://blog.csdn.net/dlutxie/article/details/8243359

http://blog.csdn.net/dlutxie/article/details/8218078

安裝ulogd2.0命令如下：

tar xvf ulogd-2.0.1.tar.gz

cd ulogd-2.0.1

./configure --prefix=/usr/local/ulogd  --with-mysql=/usr/local/mysql #如果要增加調試選項，那可在後面加上CFLAGS=" -g -DDEBUG"

即：./configure --prefix=/usr/local/ulogd --with-mysql=/usr/local/mysql CFLAGS=" -g -DDEBUG"

make

make install

在/etc/ld.so.conf文件中加入：/usr/local/ulogd/sbin 

修改配置文件如下：

配置文件下載地址：http://download.csdn.net/detail/dlutxie/5099951

# logfile for status messages
logfile="/var/log/ulogd/ulogd.log"  

# this is a stack for logging packet to MySQL 注意，這塊只能用log1，用log2不能將數據記錄到數據庫中！！！
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mac2str1:HWHDR,ipd2str1:IP2STR,printpkt1:PRINTPKT,mysql1:MYSQL
#stack=log2:ULOG,base1:BASE,ip2bin1:IP2BIN,mysql1:MYSQL

# Logging of system packet through NFLOG
[log1]
# netlink multicast group (the same as the iptables --nflog-group param)
# Group O is used by the kernel to log connection tracking invalid message
group=0
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
# set number of packet to queue inside kernel
#netlink_qthreshold=1
# set the delay before flushing packet in the queue inside kernel (in 10ms)
#netlink_qtimeout=100

# packet logging through NFLOG for group 1
[log2]
# netlink multicast group (the same as the iptables --nflog-group param)
group=1 # Group has to be different from the one use in log1
netlink_socket_buffer_size=217088
netlink_socket_buffer_maxsize=1085440
# If your kernel is older than 2.6.29 and if a NFLOG input plugin with
# group 0 is not used by any stack, you need to have at least one NFLOG
# input plugin with bind set to 1. If you don't do that you may not
# receive any message from the kernel.
bind=1

# packet logging through NFLOG for group 2, numeric_label is
# set to 1
[log3]
# netlink multicast group (the same as the iptables --nflog-group param)
group=2 # Group has to be different from the one use in log1/log2
numeric_label=1 # you can label the log info based on the packet verdict
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
#bind=1

[mysql1]
db="ulogd"
host="localhost"
user="root"
table="ulog"   #注意，這塊只能是ulog（新的數據庫表ulog只是一個視圖）,而不是ulog2
pass="root"
procedure="INSERT_PACKET_FULL "
charset="utf8"  #這一個是我修改了ulogd_output_MYSQL.c源文件之後加上的，目的是爲了解決中文亂碼問題

[mysql2]
db="ulogd"
host="localhost"
user="ulogd"
table="ulog2_ct"
pass="ulogd"
procedure="INSERT_CT"
charset="utf8"

建立ulogd日誌的目錄：mkdir -pv  /var/log/ulogd

ulogd_output_MYSQL.c：修後改的源文件下載地址：http://download.csdn.net/detail/dlutxie/5099927

修改後的mysql-ulogd2.sql 文件下載地址：http://download.csdn.net/detail/dlutxie/5099937

建立數據庫表：

1.建數據庫，這裏建數據庫時指定了字符集，要不中文可能亂碼

echo "create database ulogd character set utf8;" | mysql -u root -proot   

2.建數據庫表，這裏自帶的建表所用的默認字符集爲latin1,如果中文亂碼，那請改爲 utf8或gbk
/usr/local/mysql/bin/mysql -u root -proot -D ulogd < ./doc/mysql-ulogd2.sql  

3.添加用戶及權限

echo "grant create, insert, select, delete, update on ulogd.* to ulogd@localhost identified by 'ulogd'" | /usr/local/mysql/bin/mysql -u root -proot

編碼ulogd中可能出現的問題：

ulogd_output_MYSQL.c:47:25: error: mysql/mysql.h: No such file or directory

make[3]: *** [ulogd_output_MYSQL.lo] Error 1

將ulogd-2.0.1/output/mysql/ulogd_output_MYSQL.c文件中的#include<mysql/mysql.h>修改爲：#include</usr/local/mysql/include/mysql.h>，這裏的mysql是安裝在/usr/local/mysql目錄下的

ulogd_output_PCAP.c:32:18: error: pcap.h: No such file or directory

下載個pcap安裝包安裝上就行

Mon Dec  3 21:15:44 2012 <7> ulogd.c:727 cannot find key `label' in stack
Mon Dec  3 21:15:44 2012 <1> ulogd.c:873 destroying stack
Mon Dec  3 21:15:44 2012 <8> ulogd.c:1189 not even a single working plugin stack

這個問題是由於配置文件中mysql那一節的table設爲ulog2造成的，改爲：ulog就行

ulogd2.0各插件的鍵值信息可通過：ulogd  -i  插件名 查看

如： ulogd  -i  ulogd/sbin/ulogd -i /usr/local/ulogd/lib/ulogd/ulogd_inppkt_NFLOG.so 
Name: NFLOG
Config options:
Var: bufsize (Integer, Default: 150000)
Var: group (Integer, Default: 0)
Var: unbind (Integer, Default: 1)
Var: bind (Integer, Default: 0)
Var: seq_local (Integer, Default: 0)
Var: seq_global (Integer, Default: 0)
Var: numeric_label (Integer, Default: 0)  # raw_label
Var: netlink_socket_buffer_size (Integer, Default: 0)
Var: netlink_socket_buffer_maxsize (Integer, Default: 0)
Var: netlink_qthreshold (Integer, Default: 0)
Var: netlink_qtimeout (Integer, Default: 0)
Input keys:
Input plugin, No keys
Output keys:
Key: raw.mac (raw data)       # NFULA_HWHEADER   
Key: raw.pkt (raw data)       # NFLOG_KEY_RAW_PCKT  opaque data payload 
Key: raw.pktlen (unsigned int 32)
Key: raw.pktcount (unsigned int 32)    # 恆爲1
Key: oob.prefix (string)               # NFULA_PREFIX  由 --nflog-prefix 指定
Key: oob.time.sec (unsigned int 32)    # NFULA_TIMESTAMP  seconds 1970-1-1到當前時間的秒數
Key: oob.time.usec (unsigned int 32)   # NFULA_TIMESTAMP  micoseconds
Key: oob.mark (unsigned int 32)        # Generic packet mark   NFULA_MARK
Key: oob.ifindex_in (unsigned int 32)   #橋接輸入口  NFULA_IFINDEX_INDEV
Key: oob.ifindex_out (unsigned int 32)  #橋接輸出口  NFULA_IFINDEX_OUTDEV
Key: oob.hook (unsigned int 8)          # NFULA_PACKET_HDR  NFLOG_KEY_OOB_HOOK
Key: raw.mac_len (unsigned int 16)     # NFULA_HWLEN
Key: oob.seq.local (unsigned int 32)   # instance-local sequence number
Key: oob.seq.global (unsigned int 32)  # global sequence number
Key: oob.family (unsigned int 8)       # 協議簇，對於ipv4而言，是PF_INET  socket.h
Key: oob.protocol (unsigned int 16)    # NFULA_PACKET_HDR  NFLOG_KEY_OOB_PROTOCOL
Key: oob.uid (unsigned int 32)    # UID for VFS ops user id of socket    NFULA_UID
Key: oob.gid (unsigned int 32)    # GID for VFS ops group id of socket    NFULA_GID
Key: raw.label (unsigned int 8)  #這個由配置文件numeric_label設置
Key: raw.type (unsigned int 16)    # 接口硬件類型 1爲以太網，定義在 include/linux/if_arp.h裏
Key: raw.mac.saddr (raw data)
Key: raw.mac.addrlen (unsigned int 16)
Key: raw (raw data)              # NFLOG_KEY_RAW 原始數據  nflog_data *ldata 數組

raw.type 參考如下鏈接：
http://www.iana.org/assignments/arp-parameters/arp-parameters.xml
http://iana.org/protocols

http://www.nirtec.com/hardware/hardware.htm
INTERFACES TYPES

http://blog.csdn.net/lamdoc/article/details/7873120
 sk_buff 定義及其操作

hooknum這個成員用於指定安裝的這個函數對應的具體的hook類型:
        NF_IP_PRE_ROUTING  0  在完整性校驗之後，選路確定之前
        NF_IP_LOCAL_IN     1   在選路確定之後，且數據包的目的是本地主機
        NF_IP_FORWARD      2  目的地是其它主機地數據包
        NF_IP_LOCAL_OUT    3    來自本機進程的數據包在其離開本地主機的過程中
        NF_IP_POST_ROUTING 4   在數據包離開本地主機“上線”之前