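# ulogd.conf -- configuration for ulogd2, the netfilter userspace logging daemon.
# Tutorial:
# https://connect.ed-diamond.com/GNU-Linux-Magazine/glmfhs-041/ulogd2-journalisation-avancee-avec-netfilter
#
# ulogd's own parser reads this file: repeated keys (plugin=, stack=) are
# multi-valued there, and values are double-quoted. Generic INI readers
# (last-wins keys, literal quotes) will NOT interpret it the same way.

[global]
# logfile for status messages
logfile="syslog"
# loglevel: debug(1), info(3), notice(5), error(7) or fatal(8) (default 5)
loglevel=3

# Plugins to load: inputs (NFLOG, NFCT), filters (IFINDEX, IP2STR, IP2BIN,
# PRINTPKT, HWHDR, PRINTFLOW), outputs (LOGEMU, PGSQL, JSON) and BASE.
# Every plugin referenced by a stack below must be listed here.
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFCT.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2BIN.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_HWHDR.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTFLOW.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_PGSQL.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_JSON.so"

# Stacks: "instance:PLUGIN" chains, input first, output last. Each instance
# name gets its own [section] below if it needs options.
# NOTE(review): names reused across stacks (base1, ip2str1, ct1) look like
# shared instances -- confirm against the ulogd documentation before relying
# on per-stack options for them.

# System packet logging (NFLOG group 0 -> syslog-style text file via LOGEMU)
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
# Packet logging (NFLOG group 1 -> JSON file, with link-layer addresses via HWHDR)
stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,print1:PRINTPKT,json1:JSON
# Conntrack logging (NFCT events -> JSON file and -> PostgreSQL)
stack=ct1:NFCT,ip2str1:IP2STR,printflow1:PRINTFLOW,json2:JSON
stack=ct1:NFCT,ip2str1:IP2STR,pgsql1:PGSQL

[log1]
# netlink multicast group (the same as the iptables --nflog-group param)
# Group 0 is used by the kernel to log connection tracking invalid messages
group=0

[log2]
# Group has to be different from the one used in log1
group=1

[ct1]
# event_mask is a bitmask of conntrack event types:
# NEW = 1
# UPDATE = 2
# DESTROY = 4
# 0x5 = NEW | DESTROY (UPDATE events are not logged)
event_mask=0x0000005
# If hash_enable=1 (the default), the kernel will automatically
# match NEW and DESTROY events and only report DESTROY events.
hash_enable=0
# enable reliable flow-based logging (may drop packets)
# reliable=1

[emu1]
file="/var/log/ulog/kernel.log"
# flush the file after every write
sync=1

[json1]
sync=1
file="/var/log/ulog/ulogd.json"

[json2]
sync=1
file="/var/log/ulog/ct.json"

[pgsql1]
# The individual connection keys are intentionally left empty; the libpq
# connstring below carries the connection parameters.
# NOTE(review): a non-empty connstring is expected to take precedence over
# db/host/user/pass -- confirm with the PGSQL plugin docs for this ulogd version.
db=""
host=""
user=""
pass=""
table="ulog2_ct_model"
procedure="INSERT_OR_REPLACE_CT"
# The database password is stored in clear text here. Restrict this file to
# the user ulogd runs as (e.g. chmod 0600, owned by root) and keep it out of
# version control. Alternatively omit "password=" from the connstring and let
# libpq read it from the ulogd user's ~/.pgpass (or PGPASSFILE).
connstring="dbname=ulog user=ulog password=CHANGE_ME"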