iptables with ulogd quick howto

Debian iptables Linux ulog ulogd2

I wanted to enable ulogd for my firewall logging, but after finding several sites with examples, none of them worked for me.
So after gathering snippets of info from various sites, I managed to put a working configuration together, which is what you see here.

This is on Debian 8.9 (Jessie)

Install ulogd (ulogd is a transitional dummy package for ulogd2 in Debian Jessie)

apt-get install ulogd

Once installed, the output of dpkg -l |grep ulogd should look something like this:

ii  ulogd                            2.0.4-2+deb8u1                     amd64        transitional dummy package for ulogd2
ii  ulogd2                           2.0.4-2+deb8u1                     amd64        Netfilter Userspace Logging Daemon

Edit the ulogd config file in /etc/ulogd.conf

vi /etc/ulogd.conf

Enable plugins as follows: (I have shown the full plugin stanza for clarity)

######################################################################
# PLUGIN OPTIONS
######################################################################

# We have to configure and load all the plugins we want to use

# general rules:
# 1. load the plugins _first_ from the global section
# 2. options for each plugin in seperate section below

#plugin="/usr/lib/ulogd/ulogd_LOGEMU.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_NFLOG.so"
#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_ULOG.so"
#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_UNIXSOCK.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFCT.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2BIN.so"
#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2HBIN.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_HWHDR.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTFLOW.so"
#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_MARK.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_SYSLOG.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_XML.so"
#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_SQLITE3.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_GPRINT.so"
#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_NACCT.so"
#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_PCAP.so"
#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_PGSQL.so"
#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_MYSQL.so"
#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_DBI.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFACCT.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_GRAPHITE.so"
#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_JSON.so"
######################################################################

Enable the correct stack: (ensure all other stacks are commented out unless you need them for some other reason).


# this is a stack for logging packet send by system via LOGEMU
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

Set the path for your iptables log file under [emu1]

[emu1]
file="/var/log/iptables.log"
# file="/var/log/ulog/syslogemu.log"
sync=1

Set your log groups (1 in this case)
And then change your iptables logging rules;

iptables version:

 -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT dropped: " --log-level 7

nflog version – note that you need to set the group as well.

-A INPUT -m limit --limit 5/min -j NFLOG --nflog-group 1 --nflog-prefix "INPUT dropped: "

To make the above changes in vi:
:g/LOG/s//NFLOG --nflog-group 1/g
:g/--log-prefix/s//--nflog-prefix/g
:g/--log-level 7/s///g

Restart the ulogd deamon:

service ulogd restart

Load your new iptables ruleset.

Check /var/log/iptables.log (or the path / file you set if different) for log entries.

NOTE:
If you monitor /var/log/daemon.log with ‘tail’ during startup of ulogd you may see the following error:

systemd[1]: Failed to read PID from file /run/ulog/ulogd.pid: Invalid argument

This is because there is an error in the /etc/init.d/ulogd2 for the ‘pid’ entry.

PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="netfilter userspace log daemon"
NAME=ulogd
DAEMON=/usr/sbin/$NAME
DAEMON_USER=ulog
PIDDIR=/run/ulog
PIDFILE=$PIDDIR/$NAME.pid
DAEMON_ARGS="--daemon --uid $DAEMON_USER --pidfile $PIDFILE"
SCRIPTNAME=/etc/init.d/$NAME

Change PIDDIR=/run/ulog to PIDDIR=/var/run/ulog

After editing this file run systemctl daemon reload to reload the changes you made.

Then restart the ulogd daemon.

You should see the following in /var/log/daemon.log

Dec 19 17:39:24 firewall ulogd[5676]: Terminal signal received, exiting
Dec 19 17:39:24 firewall systemd[1]: Stopping Netfilter Userspace Logging Daemon...
Dec 19 17:39:24 firewall systemd[1]: Starting Netfilter Userspace Logging Daemon...
Dec 19 17:39:24 firewall ulogd[5760]: building new pluginstance stack: 'log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU'
Dec 19 17:39:24 firewall ulogd[5760]: Changing UID / GID
Dec 19 17:39:24 firewall ulogd[5760]: initialization finished, entering main loop
Dec 19 17:39:24 firewall systemd[1]: Started Netfilter Userspace Logging Daemon.

If the restart was successful, then you have configured ulogd!