ulogd2.0的安装

参考文章：http://www.wzdftpd.net/blog/index.php?post/2008/04/05/19-ulogd2-the-new-userspace-logging-daemon-for-netfilter-iptables-part-2

ulogd2.0.1的下载地址：http://www.netfilter.org/projects/ulogd/downloads.html

安装ulogd2.0.1之前需要安装的软件包如下：

• libnfnetlink that provides basic communication infrastructure via Netlink.
• libmnl that provides basic communication infrastructure via Netlink, this library will supersede libnfnetlink. Still, we require both libraries as we are still in transition to entirely replace libnfnetlink by libmnl.
• libnetfilter_log for stateless packet-based logging via nfnetlink_queue.
• libnetfilter_conntrack for stateful flow-based via nf_conntrack_netlink.
• libnetfilter_acct for flexible traffic accounting via nfnetlink_acct and iptables nfacct match (it requires Linux kernel >= 3.3.x).

This requires a Linux kernel >= 2.6.14, but Linux kernel >= 2.6.18 is strongly recommended. Note that if you need SQL database output suport, you will need the header files of the respective libraries.

建议如上安装包直接安装到/usr/local/lib目录下

如果要把ulogd产生的日志记录到mysql数据中，那应先安装mysql数据库

安装mysql数据库请参考：http://blog.csdn.net/dlutxie/article/details/8243359

http://blog.csdn.net/dlutxie/article/details/8218078

安装ulogd2.0命令如下：

tar xvf ulogd-2.0.1.tar.gz

cd ulogd-2.0.1

./configure --prefix=/usr/local/ulogd  --with-mysql=/usr/local/mysql #如果要增加调试选项，那可在后面加上CFLAGS=" -g -DDEBUG"

即：./configure --prefix=/usr/local/ulogd --with-mysql=/usr/local/mysql CFLAGS=" -g -DDEBUG"

make

make install

在/etc/ld.so.conf文件中加入：/usr/local/ulogd/sbin 

修改配置文件如下：

配置文件下载地址：http://download.csdn.net/detail/dlutxie/5099951

# logfile for status messages
logfile="/var/log/ulogd/ulogd.log"  

# this is a stack for logging packet to MySQL 注意，这块只能用log1，用log2不能将数据记录到数据库中！！！
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mac2str1:HWHDR,ipd2str1:IP2STR,printpkt1:PRINTPKT,mysql1:MYSQL
#stack=log2:ULOG,base1:BASE,ip2bin1:IP2BIN,mysql1:MYSQL

# Logging of system packet through NFLOG
[log1]
# netlink multicast group (the same as the iptables --nflog-group param)
# Group O is used by the kernel to log connection tracking invalid message
group=0
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
# set number of packet to queue inside kernel
#netlink_qthreshold=1
# set the delay before flushing packet in the queue inside kernel (in 10ms)
#netlink_qtimeout=100

# packet logging through NFLOG for group 1
[log2]
# netlink multicast group (the same as the iptables --nflog-group param)
group=1 # Group has to be different from the one use in log1
netlink_socket_buffer_size=217088
netlink_socket_buffer_maxsize=1085440
# If your kernel is older than 2.6.29 and if a NFLOG input plugin with
# group 0 is not used by any stack, you need to have at least one NFLOG
# input plugin with bind set to 1. If you don't do that you may not
# receive any message from the kernel.
bind=1

# packet logging through NFLOG for group 2, numeric_label is
# set to 1
[log3]
# netlink multicast group (the same as the iptables --nflog-group param)
group=2 # Group has to be different from the one use in log1/log2
numeric_label=1 # you can label the log info based on the packet verdict
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
#bind=1

[mysql1]
db="ulogd"
host="localhost"
user="root"
table="ulog"   #注意，这块只能是ulog（新的数据库表ulog只是一个视图）,而不是ulog2
pass="root"
procedure="INSERT_PACKET_FULL "
charset="utf8"  #这一个是我修改了ulogd_output_MYSQL.c源文件之后加上的，目的是为了解决中文乱码问题

[mysql2]
db="ulogd"
host="localhost"
user="ulogd"
table="ulog2_ct"
pass="ulogd"
procedure="INSERT_CT"
charset="utf8"

建立ulogd日志的目录：mkdir -pv  /var/log/ulogd

ulogd_output_MYSQL.c：修后改的源文件下载地址：http://download.csdn.net/detail/dlutxie/5099927

修改后的mysql-ulogd2.sql 文件下载地址：http://download.csdn.net/detail/dlutxie/5099937

建立数据库表：

1.建数据库，这里建数据库时指定了字符集，要不中文可能乱码

echo "create database ulogd character set utf8;" | mysql -u root -proot   

2.建数据库表，这里自带的建表所用的默认字符集为latin1,如果中文乱码，那请改为 utf8或gbk
/usr/local/mysql/bin/mysql -u root -proot -D ulogd < ./doc/mysql-ulogd2.sql  

3.添加用户及权限

echo "grant create, insert, select, delete, update on ulogd.* to ulogd@localhost identified by 'ulogd'" | /usr/local/mysql/bin/mysql -u root -proot

编码ulogd中可能出现的问题：

ulogd_output_MYSQL.c:47:25: error: mysql/mysql.h: No such file or directory

make[3]: *** [ulogd_output_MYSQL.lo] Error 1

将ulogd-2.0.1/output/mysql/ulogd_output_MYSQL.c文件中的#include<mysql/mysql.h>修改为：#include</usr/local/mysql/include/mysql.h>，这里的mysql是安装在/usr/local/mysql目录下的

ulogd_output_PCAP.c:32:18: error: pcap.h: No such file or directory

下载个pcap安装包安装上就行

Mon Dec  3 21:15:44 2012 <7> ulogd.c:727 cannot find key `label' in stack
Mon Dec  3 21:15:44 2012 <1> ulogd.c:873 destroying stack
Mon Dec  3 21:15:44 2012 <8> ulogd.c:1189 not even a single working plugin stack

这个问题是由于配置文件中mysql那一节的table设为ulog2造成的，改为：ulog就行

ulogd2.0各插件的键值信息可通过：ulogd  -i  插件名 查看

如： ulogd  -i  ulogd/sbin/ulogd -i /usr/local/ulogd/lib/ulogd/ulogd_inppkt_NFLOG.so 
Name: NFLOG
Config options:
Var: bufsize (Integer, Default: 150000)
Var: group (Integer, Default: 0)
Var: unbind (Integer, Default: 1)
Var: bind (Integer, Default: 0)
Var: seq_local (Integer, Default: 0)
Var: seq_global (Integer, Default: 0)
Var: numeric_label (Integer, Default: 0)  # raw_label
Var: netlink_socket_buffer_size (Integer, Default: 0)
Var: netlink_socket_buffer_maxsize (Integer, Default: 0)
Var: netlink_qthreshold (Integer, Default: 0)
Var: netlink_qtimeout (Integer, Default: 0)
Input keys:
Input plugin, No keys
Output keys:
Key: raw.mac (raw data)       # NFULA_HWHEADER   
Key: raw.pkt (raw data)       # NFLOG_KEY_RAW_PCKT  opaque data payload 
Key: raw.pktlen (unsigned int 32)
Key: raw.pktcount (unsigned int 32)    # 恒为1
Key: oob.prefix (string)               # NFULA_PREFIX  由 --nflog-prefix 指定
Key: oob.time.sec (unsigned int 32)    # NFULA_TIMESTAMP  seconds 1970-1-1到当前时间的秒数
Key: oob.time.usec (unsigned int 32)   # NFULA_TIMESTAMP  micoseconds
Key: oob.mark (unsigned int 32)        # Generic packet mark   NFULA_MARK
Key: oob.ifindex_in (unsigned int 32)   #桥接输入口  NFULA_IFINDEX_INDEV
Key: oob.ifindex_out (unsigned int 32)  #桥接输出口  NFULA_IFINDEX_OUTDEV
Key: oob.hook (unsigned int 8)          # NFULA_PACKET_HDR  NFLOG_KEY_OOB_HOOK
Key: raw.mac_len (unsigned int 16)     # NFULA_HWLEN
Key: oob.seq.local (unsigned int 32)   # instance-local sequence number
Key: oob.seq.global (unsigned int 32)  # global sequence number
Key: oob.family (unsigned int 8)       # 协议簇，对于ipv4而言，是PF_INET  socket.h
Key: oob.protocol (unsigned int 16)    # NFULA_PACKET_HDR  NFLOG_KEY_OOB_PROTOCOL
Key: oob.uid (unsigned int 32)    # UID for VFS ops user id of socket    NFULA_UID
Key: oob.gid (unsigned int 32)    # GID for VFS ops group id of socket    NFULA_GID
Key: raw.label (unsigned int 8)  #这个由配置文件numeric_label设置
Key: raw.type (unsigned int 16)    # 接口硬件类型 1为以太网，定义在 include/linux/if_arp.h里
Key: raw.mac.saddr (raw data)
Key: raw.mac.addrlen (unsigned int 16)
Key: raw (raw data)              # NFLOG_KEY_RAW 原始数据  nflog_data *ldata 数组

raw.type 参考如下链接：
http://www.iana.org/assignments/arp-parameters/arp-parameters.xml
http://iana.org/protocols

http://www.nirtec.com/hardware/hardware.htm
INTERFACES TYPES

http://blog.csdn.net/lamdoc/article/details/7873120
 sk_buff 定义及其操作

hooknum这个成员用于指定安装的这个函数对应的具体的hook类型:
        NF_IP_PRE_ROUTING  0  在完整性校验之后，选路确定之前
        NF_IP_LOCAL_IN     1   在选路确定之后，且数据包的目的是本地主机
        NF_IP_FORWARD      2  目的地是其它主机地数据包
        NF_IP_LOCAL_OUT    3    来自本机进程的数据包在其离开本地主机的过程中
        NF_IP_POST_ROUTING 4   在数据包离开本地主机“上线”之前