[arch-general] ulogd fails to start - cannot find key `oob.in'

Wayne S linux at zuik.net
Mon Oct 21 13:26:04 EDT 2013


update, see below to fix ulogd with NFLOG

At 10/21/2013 10:17 AM, you wrote:
>At 10/19/2013 09:55 AM, you wrote:
>>I did a system update the other day with shorewall and ulogd installed. Now ulogd fails to start:
>>
>>Sat Oct 19 08:26:01 2013 <5> ulogd.c:375 registering plugin `NFLOG'
>>Sat Oct 19 08:26:01 2013 <5> ulogd.c:375 registering plugin `BASE'
>>Sat Oct 19 08:26:01 2013 <5> ulogd.c:375 registering plugin `IP2STR'
>>Sat Oct 19 08:26:01 2013 <5> ulogd.c:375 registering plugin `PRINTPKT'
>>Sat Oct 19 08:26:01 2013 <5> ulogd.c:375 registering plugin `LOGEMU'
>>Sat Oct 19 08:26:01 2013 <7> ulogd.c:741 cannot find key `oob.in' in stack
>>Sat Oct 19 08:26:01 2013 <8> ulogd.c:1234 not even a single working plugin stack
>>
>>Looking at ulogd package changes shows:
>>
>>-plugin="/usr/lib/ulogd/ulogd_inppkt_ULOG.so"
>>+plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
>>
>>Comparing the difference between ULOG.so and NFLOG.so indicates that the 'oob.in' key does not exist in NFLOG but does exist in ULOG, for example:
>>
>># ulogd --info /usr/lib/ulogd/ulogd_inppkt_ULOG.so
>>Name: ULOG
>>Config options:
>>        Var: bufsize (Integer, Default: 150000)
>>        Var: nlgroup (Integer, Default: 32)
>>        Var: rmem (Integer, Default: 131071)
>>        Var: numeric_label (Integer, Default: 0)
>>Input keys:
>>        Input plugin, No keys
>>Output keys:
>>        Key: raw.mac (raw data)
>>        Key: raw.pkt (raw data)
>>        Key: raw.pktlen (unsigned int 32)
>>        Key: raw.pktcount (unsigned int 32)
>>        Key: oob.prefix (string)
>>        Key: oob.time.sec (unsigned int 32)
>>        Key: oob.time.usec (unsigned int 32)
>>        Key: oob.mark (unsigned int 32)
>>        Key: oob.in (string)
>>        Key: oob.out (string)
>>        Key: oob.hook (unsigned int 8)
>>        Key: raw.mac_len (unsigned int 16)
>>        Key: oob.family (unsigned int 8)
>>        Key: oob.protocol (unsigned int 16)
>>        Key: raw.label (unsigned int 8)
>>
>>
>># ulogd --info /usr/lib/ulogd/ulogd_inppkt_NFLOG.so
>>Name: NFLOG
>>Config options:
>>        Var: bufsize (Integer, Default: 150000)
>>        Var: group (Integer, Default: 0)
>>        Var: unbind (Integer, Default: 1)
>>        Var: bind (Integer, Default: 0)
>>        Var: seq_local (Integer, Default: 0)
>>        Var: seq_global (Integer, Default: 0)
>>        Var: numeric_label (Integer, Default: 0)
>>        Var: netlink_socket_buffer_size (Integer, Default: 0)
>>        Var: netlink_socket_buffer_maxsize (Integer, Default: 0)
>>        Var: netlink_qthreshold (Integer, Default: 0)
>>        Var: netlink_qtimeout (Integer, Default: 0)
>>Input keys:
>>        Input plugin, No keys
>>Output keys:
>>        Key: raw.mac (raw data)
>>        Key: raw.pkt (raw data)
>>        Key: raw.pktlen (unsigned int 32)
>>        Key: raw.pktcount (unsigned int 32)
>>        Key: oob.prefix (string)
>>        Key: oob.time.sec (unsigned int 32)
>>        Key: oob.time.usec (unsigned int 32)
>>        Key: oob.mark (unsigned int 32)
>>        Key: oob.ifindex_in (unsigned int 32)
>>        Key: oob.ifindex_out (unsigned int 32)
>>        Key: oob.hook (unsigned int 8)
>>        Key: raw.mac_len (unsigned int 16)
>>        Key: oob.seq.local (unsigned int 32)
>>        Key: oob.seq.global (unsigned int 32)
>>        Key: oob.family (unsigned int 8)
>>        Key: oob.protocol (unsigned int 16)
>>        Key: oob.uid (unsigned int 32)
>>        Key: oob.gid (unsigned int 32)
>>        Key: raw.label (unsigned int 8)
>>        Key: raw.type (unsigned int 16)
>>        Key: raw.mac.saddr (raw data)
>>        Key: raw.mac.addrlen (unsigned int 16)
>>        Key: raw (raw data)
>>
>>Reverting ulogd.conf file to use ULOG instead of NFLOG, allows ulogd to run, but NFLOG is probably what is in the kernel, hence this change does log anything.
>>
>>Any suggestions on getting NFLOG to work?
>>
>>Wayne
>
>I found the problem with ulogd not starting. Reading through the example config:
>
>/usr/share/doc/ulogd/ulogd.conf
>
>I noticed that the /etc/ulogd.conf file from the recent system upgrade is incorrect.
>Here is the corrected ulogd.conf, which was missing the IFINDEX plugin in the stack:
>
>[global]
>logfile="/var/log/ulogd.log"
>loglevel=5
>rmem=131071
>bufsize=150000
>
>plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
>plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"
>plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so"
>plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so"
>plugin="/usr/lib/ulogd/ulogd_filter_PRINTPKT.so"
>plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"
>
>#stack=log1:NFLOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
>stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
>
>[log1]
>group=1
>
>[emu1]
>file=/var/log/ulogd.syslogemu
>
>Wayne S

Update - change group to 0
[log1]
group=0

Wayne S
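
The failure and the fix above both come down to key resolution: every input key a plugin in the stack asks for has to be an output key of some plugin earlier in the same stack. The following check is an added example, not part of the original post or of ulogd. The NFLOG keys are taken from the --info output quoted above; the IFINDEX and PRINTPKT key lists, the reduced three-plugin stack, and treating every listed input key as required are assumptions made for illustration.

```python
import re

# Constructed, trimmed `ulogd --info` excerpts. The NFLOG keys are from the
# post; the IFINDEX and PRINTPKT key lists are assumptions for illustration.
INFO = {
    "NFLOG": "Input keys:\n Input plugin, No keys\nOutput keys:\n"
             " Key: oob.prefix (string)\n Key: oob.ifindex_in (unsigned int 32)\n"
             " Key: oob.ifindex_out (unsigned int 32)\n",
    "IFINDEX": "Input keys:\n Key: oob.ifindex_in (unsigned int 32)\n"
               " Key: oob.ifindex_out (unsigned int 32)\n"
               "Output keys:\n Key: oob.in (string)\n Key: oob.out (string)\n",
    "PRINTPKT": "Input keys:\n Key: oob.prefix (string)\n Key: oob.in (string)\n"
                " Key: oob.out (string)\nOutput keys:\n Key: print (string)\n",
}

def parse_info(text):
    """Return (input_keys, output_keys) from `ulogd --info` style text."""
    keys, section = {"Input": set(), "Output": set()}, None
    for line in text.splitlines():
        head = re.match(r"(Input|Output) keys:", line.strip())
        if head:
            section = head.group(1)
            continue
        key = re.match(r"Key: (\S+)", line.strip())
        if key and section:
            keys[section].add(key.group(1))
    return keys["Input"], keys["Output"]

def missing_keys(stack, info=INFO):
    """Walk a stack= value; list (instance, key) inputs nothing upstream provides."""
    available, missing = set(), []
    for item in stack.split(","):
        instance, plugin = item.split(":")
        wanted, produced = parse_info(info[plugin])
        # Simplification: every listed input key is treated as required.
        missing += [(instance, k) for k in sorted(wanted - available)]
        available |= produced
    return missing

if __name__ == "__main__":
    for stack in ("log1:NFLOG,print1:PRINTPKT",
                  "log1:NFLOG,ifi1:IFINDEX,print1:PRINTPKT"):
        print(stack, "->", missing_keys(stack) or "ok")
```

To run it against a real installation, replace the INFO strings with the actual output of ulogd --info for each plugin named in the stack.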

