New Syslog RFCs

Several new RFCs for syslog have been issued in March:

So what are the improvements since the previous RFC (3614), especially in RFC5424 ¹ :

In section 5.1, “Minimum Required Transport Mapping”:

All implementations of this specification MUST support a TLS-based transport as described in RFC5425.
Yay ! So they discovered TLS, that’s great. Especially since RFC 5425 supports certificates authentication (section 4.2.1), certificate path validation, fingerprints, etc. 2. Improved timestamps (Section 6.2.3) with supports for milliseconds, time zones, UTC offsets 3. Section 6.3 describes structured data (name-value pairs) 4. Section 7: Structured Data IDs
This allows using an enterprise ID (registered to the IANA) for the structured data elements

However, nothing really useful on reliability (resending events, making sure they were delivered, etc.) except the very poor (and useless) section 8.5, which only acknowledges the lack of support :/ Well, Prelude IDS can do that pretty good.

Also, nothing on taxonomy, though it may be improved with structured data. However, it would require a good definition of events, formats etc, and given the current state of CEE, which is quite dead (3 mails on the list so far this year), it won’t improve .. There is something to be done here.

Other articles

ulogd2: the new userspace logging daemon for netfilter/iptables (part 3)
Date Thu 04 December 2008 Tags Firewall Logs Netfilter MySQL PostgreSQL Ulogd

Installation

If you’ve followed the previous article, you now have a working ulogd2 installation.We will now explore the way data are stored in the database, and the default SQL schema provided with ulogd2.

SQL schema, basics

The SQL schema ? Not really, only the default one. Ulogd2 uses stored procedures and views to create an abstraction layer between the C code and the real storage of the data (the tables in the SQL database). The basics are the following:

Inserting data using the “INSERT” keyword is fast, but requires the application to know the SQL schema. An update of the SQL part will need an update of the C code, which is not very handy. So instead of using:
```
INSERT INTO tablename (field1,field2,...) VALUES (1,2,...);
```
We will create a stored procedure (in this example, we use PostgreSQL PL/pgSQL syntax):
```
CREATE OR REPLACE FUNCTION INSERT_PACKET_FULL(
               IN value11 integer,
               ...)
RETURNS bigint AS $$
DECLARE
       t_id bigint;
DECLARE
               t_id := INSERT INTO tablename (field1,field2,...) VALUES ($1,$2,...);
               RETURN t_id;
END
$$ LANGUAGE plpgsql SECURITY INVOKER;
```
Inserting data can now be done, using:
```
SELECT INSERT_PACKET_FULL(1,2,3,...);
```
So, we have succeeded into transforming a fast and single (and simple) query into …
read more
ulogd2: the new userspace logging daemon for netfilter/iptables (part 2)
Date Fri 04 April 2008 Tags Firewall Logs Netfilter MySQL PostgreSQL Ulogd

This article explains how to build, install and configure ulogd 2 for use with netfilter/iptables. It explains how to use plugins to store logs in databases (MySQL and PostgreSQL), use plugins to filter data, and gives some iptables rules to log packets.

Get the sources

You can use the official repository:
```
git clone git://git.netfilter.org/ulogd2.git/
```
Prerequisites
- libnfnetlink (>= 0.30) http://www.netfilter.org/projects/libnfnetlink/index.html
- libnetfilter_log
- mysql-dev
- postgresql-dev
Build

Use the standard autotools method for configure, build and install:
```
./autogen.sh
./configure --prefix=/path/to/prefix
make
sudo make install
```
Configuration

Edit ulogd.conf

1. enable plugins

You will have to choose the input and output plugins according to your setup. NFLOG is present in recent kernels (and iptables installation), and should be preferred if possible.
- Input plugin: ULOG or NFLOG
- Output: MySQL or PostgreSQL
You have to enable the corresponding in the configuration before you can use them:
```
plugin="/path/to/prefix/lib/ulogd/ulogd_inppkt_ULOG.so"
plugin="/path/to/prefix/lib/ulogd/ulogd_output_MYSQL.so"
```
See “Stack configuration” later.

2. buid the stack

For MySQL, we will use a very simple plugin stack. As MySQL is quite inefficient in storing IP addresses (and …
read more
ulogd2: the new userspace logging daemon for netfilter/iptables (part 1)
Date Mon 10 March 2008 Tags Firewall Logs Netfilter MySQL PostgreSQL Ulogd

Ulogd (and also ulogd2) is a powerful and flexible logging system for Netfilter/Iptables, based on a plugin system. It allows, for example, to log packets in a SQL database, and have some interface to analyze it (see Nulog2)

Architecture

Ulogd2 combines plugins to create a stack, where each plugin is chained to another. There are three types of plugins:
- Source
- Filter
- Output
A stack must have only one source, and one output (yet it can have several filters). It is possible to define several stacks in the configuration.

Each plugin has a type (for ex, PGSQL), and must be instanciated (using a name chosen by the user). Each instance is a particular version of the plugin, defining parameters. This way, we will be able to output data in several formats using different stacks.

For ex, the following stack :
```
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,print1:PRINTPKT,pgsql1:PGSQL
```
defines a stack with the following properties:
- input plugin is NFLOG, this means we’ll use the -j NFLOG target of iptables as source
- filters are BASE, IFINDEX, and PRINTPKT (we’ll cover what they do later)
- output plugin is of type PGSQL, so data will be logged to a …
read more

Page 1 / 1

links

Tags

Pollux's corner Logs

Other articles

ulogd2: the new userspace logging daemon for netfilter/iptables (part 3)

Installation

SQL schema, basics

ulogd2: the new userspace logging daemon for netfilter/iptables (part 2)

Get the sources

Prerequisites

Build

Configuration

ulogd2: the new userspace logging daemon for netfilter/iptables (part 1)

Architecture

links

Social

Tags

Pollux's corner Logs

Other articles

Installation

SQL schema, basics

Get the sources

Prerequisites

Build

Configuration

Architecture