[arch-general] ulogd fails to start - cannot find key `oob.in'

Mon Oct 21 10:17:45 EDT 2013

At 10/19/2013 09:55 AM, you wrote:
>I did a system update the other day with shorewall and ulogd installed. Now ulogd fails to start:
>
>Sat Oct 19 08:26:01 2013 <5> ulogd.c:375 registering plugin `NFLOG'
>Sat Oct 19 08:26:01 2013 <5> ulogd.c:375 registering plugin `BASE'
>Sat Oct 19 08:26:01 2013 <5> ulogd.c:375 registering plugin `IP2STR'
>Sat Oct 19 08:26:01 2013 <5> ulogd.c:375 registering plugin `PRINTPKT'
>Sat Oct 19 08:26:01 2013 <5> ulogd.c:375 registering plugin `LOGEMU'
>Sat Oct 19 08:26:01 2013 <7> ulogd.c:741 cannot find key `oob.in' in stack
>Sat Oct 19 08:26:01 2013 <8> ulogd.c:1234 not even a single working plugin stack
>
>Looking at ulogd package changes shows:
>
>-plugin="/usr/lib/ulogd/ulogd_inppkt_ULOG.so"
>+plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
>
>Comparing the difference between ULOG.so and NFLOG.so indicates that the 'oob.in' key does not exist in NFLOG but does exist in ULOG, for example:
>
># ulogd --info /usr/lib/ulogd/ulogd_inppkt_ULOG.so
>Name: ULOG
>Config options:
>        Var: bufsize (Integer, Default: 150000)
>        Var: nlgroup (Integer, Default: 32)
>        Var: rmem (Integer, Default: 131071)
>        Var: numeric_label (Integer, Default: 0)
>Input keys:
>        Input plugin, No keys
>Output keys:
>        Key: raw.mac (raw data)
>        Key: raw.pkt (raw data)
>        Key: raw.pktlen (unsigned int 32)
>        Key: raw.pktcount (unsigned int 32)
>        Key: oob.prefix (string)
>        Key: oob.time.sec (unsigned int 32)
>        Key: oob.time.usec (unsigned int 32)
>        Key: oob.mark (unsigned int 32)
>        Key: oob.in (string)
>        Key: oob.out (string)
>        Key: oob.hook (unsigned int 8)
>        Key: raw.mac_len (unsigned int 16)
>        Key: oob.family (unsigned int 8)
>        Key: oob.protocol (unsigned int 16)
>        Key: raw.label (unsigned int 8)
>
>
># ulogd --info /usr/lib/ulogd/ulogd_inppkt_NFLOG.so
>Name: NFLOG
>Config options:
>        Var: bufsize (Integer, Default: 150000)
>        Var: group (Integer, Default: 0)
>        Var: unbind (Integer, Default: 1)
>        Var: bind (Integer, Default: 0)
>        Var: seq_local (Integer, Default: 0)
>        Var: seq_global (Integer, Default: 0)
>        Var: numeric_label (Integer, Default: 0)
>        Var: netlink_socket_buffer_size (Integer, Default: 0)
>        Var: netlink_socket_buffer_maxsize (Integer, Default: 0)
>        Var: netlink_qthreshold (Integer, Default: 0)
>        Var: netlink_qtimeout (Integer, Default: 0)
>Input keys:
>        Input plugin, No keys
>Output keys:
>        Key: raw.mac (raw data)
>        Key: raw.pkt (raw data)
>        Key: raw.pktlen (unsigned int 32)
>        Key: raw.pktcount (unsigned int 32)
>        Key: oob.prefix (string)
>        Key: oob.time.sec (unsigned int 32)
>        Key: oob.time.usec (unsigned int 32)
>        Key: oob.mark (unsigned int 32)
>        Key: oob.ifindex_in (unsigned int 32)
>        Key: oob.ifindex_out (unsigned int 32)
>        Key: oob.hook (unsigned int 8)
>        Key: raw.mac_len (unsigned int 16)
>        Key: oob.seq.local (unsigned int 32)
>        Key: oob.seq.global (unsigned int 32)
>        Key: oob.family (unsigned int 8)
>        Key: oob.protocol (unsigned int 16)
>        Key: oob.uid (unsigned int 32)
>        Key: oob.gid (unsigned int 32)
>        Key: raw.label (unsigned int 8)
>        Key: raw.type (unsigned int 16)
>        Key: raw.mac.saddr (raw data)
>        Key: raw.mac.addrlen (unsigned int 16)
>        Key: raw (raw data)
>
>Reverting ulogd.conf file to use ULOG instead of NFLOG, allows ulogd to run, but NFLOG is probably what is in the kernel, hence this change does log anything.
>
>Any suggestions on getting NFLOG to work?
>
>Wayne

I found the problem with ulogd not starting. Reading through the example config:

/usr/share/doc/ulogd/ulogd.conf

I noticed that the /etc/ulogd.conf file from the recent system upgrade is incorrect.
Here is the corrected ulogd.conf, which was missing the IFINDEX plugin in the stack:

[global]
logfile="/var/log/ulogd.log"
loglevel=5
rmem=131071
bufsize=150000

plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"

#stack=log1:NFLOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

[log1]
group=1

[emu1]
file=/var/log/ulogd.syslogemu

Wayne S