shorewall is working fine with log set to "info" on all rules.

I'm using ulogd, but it's not working. Here are the steps I've taken so far:

- apt-get install ulogd # installed successfully, as well as ulogd-mysql
- ulogd-mysql.sql (downloaded from the project site) imported into the ulogd database.
- ulogd DB granted the necessary privileges;
- updated /etc/ulogd.conf with the MySQL credentials
- uncommented mysql.so in /etc/ulogd.conf
- sed -i 's/info/NFLOG/g' /etc/shorewall/*
- shorewall restart; /etc/init.d/ulogd restart

Checking mysqladmin proc shows that ulogd is connected, but it's in sleep state.
I did a couple of selects on the ulog table; it's still empty even though I generate a fair amount of logs at any given moment.

Any advice?

------------------------------------------------------------------------------
Own the Future-Intel(R) Level Up Game Demo Contest 2013
Rise to greatness in Intel's independent game demo contest. Compete for recognition, cash, and the chance to get your game on Steam. $5K grand prize plus 10 genre and skill prizes. Submit your demo by 6/6/13.
http://altfarm.mediaplex.com/ad/ck/12124-176961-30367-2
On 3/31/13 10:40 AM, "Roland Roland" <R_O_L_A_N_D@hotmail.com> wrote:

> shorewall is working fine with log set to "info" on all rules.
>
> I'm using ulogd, but it's not working. Here are the steps I've taken so far:
>
> - apt-get install ulogd # installed successfully, as well as ulogd-mysql
> - ulogd-mysql.sql (downloaded from the project site) imported into the ulogd database.
> - ulogd DB granted the necessary privileges;
> - updated /etc/ulogd.conf with the MySQL credentials
> - uncommented mysql.so in /etc/ulogd.conf
> - sed -i 's/info/NFLOG/g' /etc/shorewall/*
> - shorewall restart; /etc/init.d/ulogd restart
>
> Checking mysqladmin proc shows that ulogd is connected, but it's in sleep state.
> I did a couple of selects on the ulog table; it's still empty even though I generate a fair amount of logs at any given moment.
>
> Any advice?

You will probably get more help if you post your question on the Netfilter list.

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
On 31/03/2013 18:40, Roland Roland wrote:
> shorewall is working fine with log set to "info" on all rules.
>
> I'm using ulogd, but it's not working.

Are you using ulogd-1.x or 2.x? Do you want to collect IPv6 netfilter messages?

Make sure you have Shorewall set to log to the ULOG target (not info, etc...) or NFLOG, depending on your version of ulogd.

HTH,
Chris

--
Chris Boot
bootc@bootc.net
I'm using ulogd 2.x and trying to collect IPv4.
Setting log to ULOG and restarting the service resulted in 1064 connections to the MySQL ulogd DB at one go, and then they all went to sleep state.
And nothing happened afterwards..

On 3/31/13 11:55 PM, Chris Boot wrote:
> On 31/03/2013 18:40, Roland Roland wrote:
>> shorewall is working fine with log set to "info" on all rules.
>>
>> I'm using ulogd, but it's not working.
> Are you using ulogd-1.x or 2.x? Do you want to collect IPv6 netfilter
> messages?
>
> Make sure you have Shorewall set to log to the ULOG target (not info,
> etc...) or NFLOG, depending on your version of ulogd.
>
> HTH,
> Chris
On 3/31/13 7:42 PM, "Roland Roland" <R_O_L_A_N_D@hotmail.com> wrote:

> I'm using ulogd 2.x and trying to collect IPv4.
> Setting log to ULOG and restarting the service resulted in 1064
> connections to the MySQL ulogd DB at one go, and then they all went to sleep
> state.
> And nothing happened afterwards..

Were there ULOG rules with non-zero packet count?

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
On 4/1/13 5:49 AM, Tom Eastep wrote:
> Were there ULOG rules with non-zero packet count?

No, none whatsoever.
On 3/31/13 8:03 PM, "Roland Roland" <R_O_L_A_N_D@hotmail.com> wrote:

> On 4/1/13 5:49 AM, Tom Eastep wrote:
>> Were there ULOG rules with non-zero packet count?
> No, none whatsoever.

Then there will be nothing logged. Try generating some traffic that will trigger one of those rules.

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
On 4/1/13 6:35 AM, Tom Eastep wrote:
> Then there will be nothing logged. Try generating some traffic that will
> trigger one of those rules.

That's the thing: I have 5 users connected to that lab environment generating a good amount of traffic.
That's exactly my problem: even though there is traffic generated, it's not being inserted into MySQL.
Hi,

Do you have a stack set up in ulogd to consume ULOG messages and put them into MySQL? Something like the following, maybe:

stack=ulog1:ULOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,mysql1:MYSQL

Disclaimer: I don't use ulogd with MySQL, so the above is something mostly made up from the examples in ulogd.conf. Note that by default, ulogd2 uses NFLOG in its examples, and ULOG must be manually configured.

Chris

On 01/04/2013 03:42, Roland Roland wrote:
> I'm using ulogd 2.x and trying to collect IPv4.
> Setting log to ULOG and restarting the service resulted in 1064
> connections to the MySQL ulogd DB at one go, and then they all went to
> sleep state.
> And nothing happened afterwards..
>
>
> On 3/31/13 11:55 PM, Chris Boot wrote:
>> On 31/03/2013 18:40, Roland Roland wrote:
>>> shorewall is working fine with log set to "info" on all rules.
>>>
>>> I'm using ulogd, but it's not working.
>> Are you using ulogd-1.x or 2.x? Do you want to collect IPv6 netfilter
>> messages?
>>
>> Make sure you have Shorewall set to log to the ULOG target (not info,
>> etc...) or NFLOG, depending on your version of ulogd.
>>
>> HTH,
>> Chris
>>
>

--
Chris Boot
bootc@bootc.net
On 4/1/13 11:39 AM, Chris Boot wrote:
> Do you have a stack set up in ulogd to consume ULOG messages and put
> them into MySQL? Something like the following, maybe:
>
> stack=ulog1:ULOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,mysql1:MYSQL

You're absolutely right! That's what I was missing, and now it's working.

Thank you.
>> Then there will be nothing logged. Try generating some traffic that will
>> trigger one of those rules.
>>
> That's the thing: I have 5 users connected to that lab environment
> generating a good amount of traffic.
> That's exactly my problem: even though there is traffic generated,
> it's not being inserted into MySQL.
>

I might be wrong here, but if you are using ulogd 2.x, then the correct target to deploy is NFLOG, not ULOG.

To test whether you get any logs into your database, conduct this (fairly) simple test:

    iptables -I INPUT 1 -j NFLOG --nflog-group X --nflog-range Y --nflog-threshold Z --nflog-prefix "TEST:TEST"
    iptables -I OUTPUT 1 -j NFLOG --nflog-group X --nflog-range Y --nflog-threshold Z --nflog-prefix "TEST:TEST"
    iptables -I FORWARD 1 -j NFLOG --nflog-group X --nflog-range Y --nflog-threshold Z --nflog-prefix "TEST:TEST"

where 'X' is the group number assigned to your ulogd stack (in other words, 'group=X' from ulogd.conf), 'Y' is the ulogd range (usually 0) and 'Z' is the ulogd threshold (usually 1).

Then generate some traffic and see whether you get any matches with 'iptables -L -vn'. If so, then check your MySQL database to see whether packets have been logged; if that is indeed the case, delete the above 3 rules ('iptables -D INPUT 1' and so on).

If not, post your ulogd.conf here, though as Tom already suggested, you are better off seeking help on the netfilter mailing list.
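The two checks this thread converges on (Chris's point that ulogd needs a stack= line wiring the NFLOG/ULOG input through to the MYSQL output, and the NFLOG test rules above that must both match packets and use the group ulogd binds) can be run offline against a ulogd.conf and an iptables listing before touching the database. The Python below is an added example, not code from the thread or from the ulogd or Shorewall projects; the ulogd.conf excerpt, the group number 1 and the `iptables -L -vnx` output are constructed for illustration.

```python
"""Offline checks for the two gaps this thread turned up: a ulogd.conf with no
stack= line feeding the MYSQL output, and NFLOG rules that never match or use
a group ulogd is not bound to. Added example; all inputs below are constructed."""
import re
from typing import Dict, List, Tuple

Sections = Dict[str, List[Tuple[str, str]]]

# Constructed ulogd2 config in the shape of the working answer (group 1 is an assumption).
GOOD_CONF = """
[global]
plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/ulogd/ulogd_output_MYSQL.so"
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,mysql1:MYSQL

[log1]
group=1

[mysql1]
db="ulogd"
user="ulog"
pass="changeme"
table="ulog"
"""
# The poster's situation: mysql.so enabled, credentials set, but no stack= at all.
BROKEN_CONF = GOOD_CONF.replace("stack=", "#stack=")

# Constructed `iptables -L -vnx` output after the three TEST:TEST rules were added
# (-x keeps counters as plain integers; iptables omits 'nflog-group' when it is 0).
LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
      42       3360 NFLOG      all  --  *      *       0.0.0.0/0            0.0.0.0/0            nflog-prefix  "TEST:TEST" nflog-group 1

Chain FORWARD (policy DROP 0 packets, 0 bytes)
       0          0 NFLOG      all  --  *      *       0.0.0.0/0            0.0.0.0/0            nflog-prefix  "TEST:TEST" nflog-group 1

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
      17       1204 NFLOG      all  --  *      *       0.0.0.0/0            0.0.0.0/0            nflog-prefix  "TEST:TEST" nflog-group 2
"""


def parse_ulogd_conf(text: str) -> Sections:
    """Minimal INI reader that keeps repeated keys (ulogd repeats plugin= and stack=)."""
    sections: Sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip().strip('"')))
    return sections


def lookup(sections: Sections, section: str, key: str):
    return next((v for k, v in sections.get(section, []) if k == key), None)


def check_stacks(sections: Sections) -> Tuple[List[str], Dict[str, int]]:
    """Return (problems, {input instance: NFLOG group}) for stacks ending in MYSQL."""
    problems: List[str] = []
    groups: Dict[str, int] = {}
    stacks = [v for k, v in sections.get("global", []) if k == "stack"]
    if not stacks:
        problems.append("no stack= line: ulogd consumes nothing, so the MySQL connection stays idle")
        return problems, groups
    for stack in stacks:
        plugins = [p.split(":", 1) for p in stack.split(",")]
        if any(len(p) != 2 for p in plugins):
            problems.append(f"stack '{stack}': every entry must be instance:PLUGIN")
            continue
        (in_name, in_plugin), (out_name, out_plugin) = plugins[0], plugins[-1]
        if in_plugin not in ("NFLOG", "ULOG") or out_plugin != "MYSQL":
            problems.append(f"stack '{stack}' must run from an NFLOG/ULOG input to the MYSQL output")
            continue
        missing = [k for k in ("db", "user", "pass") if lookup(sections, out_name, k) is None]
        if missing:
            problems.append(f"[{out_name}] lacks {missing}")
        if in_plugin == "NFLOG":  # the group the rules must target lives in the input section
            group = lookup(sections, in_name, "group")
            if group is None:
                problems.append(f"[{in_name}] has no group=; rules cannot target it")
            else:
                groups[in_name] = int(group)
    return problems, groups


def nflog_test_rules(group: int, prefix: str = "TEST:TEST") -> List[str]:
    """The three temporary rules from the thread, parameterised on the group ulogd binds."""
    return [f'iptables -I {chain} 1 -j NFLOG --nflog-group {group} --nflog-prefix "{prefix}"'
            for chain in ("INPUT", "OUTPUT", "FORWARD")]


def nflog_hits(listing: str) -> List[Tuple[str, int, int]]:
    """(chain, packets, group) for every NFLOG rule in `iptables -L -vnx` output."""
    hits, chain = [], None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain = m.group(1)
            continue
        m = re.match(r"\s*(\d+)\s+\d+\s+NFLOG\b(.*)$", line)
        if m and chain:
            g = re.search(r"nflog-group (\d+)", m.group(2))
            hits.append((chain, int(m.group(1)), int(g.group(1)) if g else 0))
    return hits


def diagnose(conf_text: str, listing: str) -> List[str]:
    """Is the stack wired, and do the rules both match traffic and hit a bound group?"""
    problems, groups = check_stacks(parse_ulogd_conf(conf_text))
    bound = sorted(set(groups.values()))
    for chain, pkts, group in nflog_hits(listing):
        if group not in bound:
            problems.append(f"{chain}: rule logs to group {group}, ulogd binds {bound}")
        elif pkts == 0:
            problems.append(f"{chain}: rule has matched 0 packets, so nothing has been sent to ulogd yet")
    return problems
```

With the constructed inputs, `diagnose(BROKEN_CONF, LISTING)` leads with the missing stack= line (the poster's actual fault), while `diagnose(GOOD_CONF, LISTING)` reports only the FORWARD rule that has matched nothing (Tom's point) and the OUTPUT rule pointing at a group ulogd is not listening on. To use it on a real host, feed it `/etc/ulogd.conf` and the output of `iptables -L -vnx`; the `-x` matters because without it large counters are abbreviated with K/M suffixes the parser does not read.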