Operating Systems Security

ulogd2 – Netfilter logging

Syslog used to handle Netfilter logging, and you had to write rsyslog filter rules to sort your firewall logs by their log prefix, like:

:msg, contains, "[ABF_Blocked" /var/log/abf-blocked.log

There is a new daemon in town called ulogd2. Its web page describes it like this: “ulogd is a userspace logging daemon for netfilter/iptables related logging. This includes per-packet logging of security violations, per-packet logging for accounting, per-flow logging and flexible user-defined accounting.”

OK, let's go.

Start off by installing the necessary packages (Debian/Ubuntu package names; ulogd2-json is the JSON output plugin):
# apt install ulogd2 ulogd2-json

Since the log file tends to grow quite large, we write to a named pipe instead. You could also log to a regular file and rotate it if you want to parse the records later, but for now we focus on realtime interception. One caveat: a FIFO has no storage of its own. ulogd's open of the pipe blocks until something has opened it for reading, and writes block once the reader falls behind and the pipe buffer fills, so start the consumer first and keep it running.

# mkdir -p /afw/ulog
# mkfifo /afw/ulog/ulogd.json.pipe
# chown ulog:adm /afw/ulog/ulogd.json.pipe

Configure ulogd

# vim /etc/ulogd.conf

Give the NFLOG input its own netlink multicast group. This goes in the second NFLOG input section ([log2] in the stock file); it has to differ from the group used by log1, and it is the number you pass to iptables as --nflog-group:

group=1

Then point the JSON output section ([json1] in the stock file) at the pipe. sync=1 flushes after every record, which is what you want for a pipe; device is a free-form label that is written into every record:

sync=1
file="/afw/ulog/ulogd.json.pipe"
device="AFW"

Finally make sure a stack line chains the log2 NFLOG input to the json1 JSON output (the stock file ships a commented example of exactly that), and restart ulogd after the reader is attached to the pipe.
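The consumer side of the pipe, as an added example that is not part of the original post or of ulogd2 itself. It follows the FIFO, decodes the newline-delimited JSON records the JSON output plugin writes, filters on the NFLOG prefix the way the old rsyslog rule filtered on the message, and counts blocked packets per source address and destination port. The field names ("oob.prefix", "src_ip", "dest_ip", "ip.protocol", "dest_port", "dvc") are assumed from the plugin's output; check them against a real record from your own ulogd before relying on them. The sample records are constructed for the example, and the pipe path is the one from the post.

```python
#!/usr/bin/env python3
"""Follow the ulogd2 JSON pipe and pick out blocked packets in real time.

Added example, not code from the original post or from ulogd2.
Assumed: one JSON object per line; field names as used below.
"""
import json
import sys
from collections import Counter

PIPE = "/afw/ulog/ulogd.json.pipe"   # path used in the post

# Constructed sample records in the shape the JSON plugin is assumed to emit.
# Field names are assumptions; addresses and timestamps are invented.
SAMPLE_LINES = [
    '{"timestamp": "2024-01-01T10:00:00", "dvc": "AFW", "oob.prefix": "ABF_Blocked ", '
    '"oob.in": "eth0", "src_ip": "203.0.113.5", "dest_ip": "192.0.2.10", '
    '"ip.protocol": 6, "src_port": 51234, "dest_port": 22}',
    '{"timestamp": "2024-01-01T10:00:01", "dvc": "AFW", "oob.prefix": "ABF_Blocked ", '
    '"oob.in": "eth0", "src_ip": "203.0.113.5", "dest_ip": "192.0.2.10", '
    '"ip.protocol": 6, "src_port": 51235, "dest_port": 23}',
    '{"timestamp": "2024-01-01T10:00:02", "dvc": "AFW", "oob.prefix": "ABF_Accepted ", '
    '"oob.in": "eth0", "src_ip": "198.51.100.7", "dest_ip": "192.0.2.10", '
    '"ip.protocol": 17, "src_port": 40000, "dest_port": 53}',
    "this is not json",   # a torn or garbled line must not kill the reader
]


def parse_record(line):
    """Return the decoded record, or None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    return rec if isinstance(rec, dict) else None


def is_blocked(rec, prefix="ABF_Blocked"):
    """Match on the --nflog-prefix, as the old rsyslog rule matched on msg."""
    return str(rec.get("oob.prefix", "")).startswith(prefix)


def summarize(lines, prefix="ABF_Blocked"):
    """Count blocked packets per source IP and per destination port."""
    by_src, by_dport = Counter(), Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None or not is_blocked(rec, prefix):
            continue
        by_src[rec.get("src_ip", "?")] += 1
        by_dport[rec.get("dest_port", "?")] += 1
    return by_src, by_dport


def follow_pipe(path=PIPE):
    """Yield lines from the FIFO forever.

    open() blocks until ulogd opens its end for writing. When ulogd closes
    the pipe (restart, reload) the reader sees EOF, so reopen instead of
    spinning on an exhausted stream.
    """
    while True:
        with open(path, "r", encoding="utf-8", errors="replace") as fifo:
            for line in fifo:
                yield line


if __name__ == "__main__":
    # Start this before ulogd; otherwise ulogd blocks opening the FIFO.
    for raw in follow_pipe(sys.argv[1] if len(sys.argv) > 1 else PIPE):
        rec = parse_record(raw)
        if rec and is_blocked(rec):
            print(f'{rec.get("timestamp")} {rec.get("src_ip")} -> '
                  f'{rec.get("dest_ip")}:{rec.get("dest_port")} '
                  f'proto={rec.get("ip.protocol")} via {rec.get("dvc")}')
```

Run it as the user that may read the pipe (the chown above gives group adm read access) and then start ulogd; because the reader reopens on EOF, restarting ulogd does not require restarting the reader.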

By Nimpen J. Nordström

System Developer and Network Security Enthusiast
