At 10/19/2013 09:55 AM, you wrote:
I did a system update the other day with shorewall and ulogd installed. Now ulogd fails to start:
Sat Oct 19 08:26:01 2013 <5> ulogd.c:375 registering plugin `NFLOG'
Sat Oct 19 08:26:01 2013 <5> ulogd.c:375 registering plugin `BASE'
Sat Oct 19 08:26:01 2013 <5> ulogd.c:375 registering plugin `IP2STR'
Sat Oct 19 08:26:01 2013 <5> ulogd.c:375 registering plugin `PRINTPKT'
Sat Oct 19 08:26:01 2013 <5> ulogd.c:375 registering plugin `LOGEMU'
Sat Oct 19 08:26:01 2013 <7> ulogd.c:741 cannot find key `oob.in' in stack
Sat Oct 19 08:26:01 2013 <8> ulogd.c:1234 not even a single working plugin stack
Looking at ulogd package changes shows:
-plugin="/usr/lib/ulogd/ulogd_inppkt_ULOG.so" +plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
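Review bot: the stack line in ulogd.conf is not updated alongside this plugin swap, and the two input plugins do not emit the same keys. The --info listings further down show that NFLOG provides oob.ifindex_in and oob.ifindex_out (unsigned int 32) where ULOG provided the oob.in and oob.out strings the rest of the stack resolves, which is what produces "cannot find key `oob.in' in stack". A config change that switches the input plugin needs a matching change to the stack (the follow-up message loads ulogd_filter_IFINDEX.so and places ifi1:IFINDEX after base1:BASE).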
Comparing the difference between ULOG.so and NFLOG.so indicates that the 'oob.in' key does not exist in NFLOG but does exist in ULOG, for example:
# ulogd --info /usr/lib/ulogd/ulogd_inppkt_ULOG.so
Name: ULOG
Config options:
  Var: bufsize (Integer, Default: 150000)
  Var: nlgroup (Integer, Default: 32)
  Var: rmem (Integer, Default: 131071)
  Var: numeric_label (Integer, Default: 0)
Input keys:
  Input plugin, No keys
Output keys:
  Key: raw.mac (raw data)
  Key: raw.pkt (raw data)
  Key: raw.pktlen (unsigned int 32)
  Key: raw.pktcount (unsigned int 32)
  Key: oob.prefix (string)
  Key: oob.time.sec (unsigned int 32)
  Key: oob.time.usec (unsigned int 32)
  Key: oob.mark (unsigned int 32)
  Key: oob.in (string)
  Key: oob.out (string)
  Key: oob.hook (unsigned int 8)
  Key: raw.mac_len (unsigned int 16)
  Key: oob.family (unsigned int 8)
  Key: oob.protocol (unsigned int 16)
  Key: raw.label (unsigned int 8)
# ulogd --info /usr/lib/ulogd/ulogd_inppkt_NFLOG.so
Name: NFLOG
Config options:
  Var: bufsize (Integer, Default: 150000)
  Var: group (Integer, Default: 0)
  Var: unbind (Integer, Default: 1)
  Var: bind (Integer, Default: 0)
  Var: seq_local (Integer, Default: 0)
  Var: seq_global (Integer, Default: 0)
  Var: numeric_label (Integer, Default: 0)
  Var: netlink_socket_buffer_size (Integer, Default: 0)
  Var: netlink_socket_buffer_maxsize (Integer, Default: 0)
  Var: netlink_qthreshold (Integer, Default: 0)
  Var: netlink_qtimeout (Integer, Default: 0)
Input keys:
  Input plugin, No keys
Output keys:
  Key: raw.mac (raw data)
  Key: raw.pkt (raw data)
  Key: raw.pktlen (unsigned int 32)
  Key: raw.pktcount (unsigned int 32)
  Key: oob.prefix (string)
  Key: oob.time.sec (unsigned int 32)
  Key: oob.time.usec (unsigned int 32)
  Key: oob.mark (unsigned int 32)
  Key: oob.ifindex_in (unsigned int 32)
  Key: oob.ifindex_out (unsigned int 32)
  Key: oob.hook (unsigned int 8)
  Key: raw.mac_len (unsigned int 16)
  Key: oob.seq.local (unsigned int 32)
  Key: oob.seq.global (unsigned int 32)
  Key: oob.family (unsigned int 8)
  Key: oob.protocol (unsigned int 16)
  Key: oob.uid (unsigned int 32)
  Key: oob.gid (unsigned int 32)
  Key: raw.label (unsigned int 8)
  Key: raw.type (unsigned int 16)
  Key: raw.mac.saddr (raw data)
  Key: raw.mac.addrlen (unsigned int 16)
  Key: raw (raw data)
Reverting the ulogd.conf file to use ULOG instead of NFLOG allows ulogd to run, but NFLOG is probably what is in the kernel, hence this change does not log anything.
Any suggestions on getting NFLOG to work?
Wayne
I found the problem with ulogd not starting. Reading through the example config, /usr/share/doc/ulogd/ulogd.conf, I noticed that the /etc/ulogd.conf file from the recent system upgrade is incorrect. Here is the corrected ulogd.conf, which was missing the IFINDEX plugin in the stack:

[global]
logfile="/var/log/ulogd.log"
loglevel=5
rmem=131071
bufsize=150000
plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"
#stack=log1:NFLOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

[log1]
group=1

[emu1]
file=/var/log/ulogd.syslogemu

Wayne S
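As an added example (written for this page, not code from the thread or from the ulogd project), a small Python parser for the `ulogd --info` listings quoted above: it reports which output keys the ULOG input plugin emitted but NFLOG does not, which is exactly why a stack written for ULOG fails with "cannot find key `oob.in' in stack" until IFINDEX is inserted. The sample listings are constructed from the thread's own output, cut down to a few keys.

```python
import re
# Constructed sample input: `ulogd --info` output for the two input plugins,
# cut down from the thread's listings to the keys that matter here.
ULOG_INFO = """Name: ULOG
Input keys:
Input plugin, No keys
Output keys:
Key: oob.prefix (string)
Key: oob.in (string)
Key: oob.out (string)
Key: oob.hook (unsigned int 8)
"""

NFLOG_INFO = """Name: NFLOG
Input keys:
Input plugin, No keys
Output keys:
Key: oob.prefix (string)
Key: oob.ifindex_in (unsigned int 32)
Key: oob.ifindex_out (unsigned int 32)
Key: oob.hook (unsigned int 8)
"""

KEY_RE = re.compile(r"^Key:\s+(\S+)\s+\((.+)\)$")
def parse_info(text):
    """Return (plugin name, {output key: type}) parsed from `ulogd --info` text."""
    name, keys, section = None, {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.endswith("keys:"):
            section = line  # "Input keys:" or "Output keys:"
        elif section == "Output keys:":
            m = KEY_RE.match(line)
            if m:
                keys[m.group(1)] = m.group(2)
    return name, keys

def dropped_keys(old_text, new_text):
    """Output keys the old input plugin emitted that the new one no longer does."""
    _, old = parse_info(old_text)
    _, new = parse_info(new_text)
    return sorted(set(old) - set(new))

def missing_from_stack(info_text, wanted):
    """Keys a downstream plugin needs that this input plugin does not emit."""
    _, provided = parse_info(info_text)
    return [k for k in wanted if k not in provided]
```

Run `dropped_keys(ULOG_INFO, NFLOG_INFO)` against the full listings from a real system to see every key a ULOG-era stack can no longer rely on, not just oob.in and oob.out.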