iptables log analysis toolkit: iptables + ulogd + nulog installation guide
Author's note: as of 2008/08/30 the latest Ulogd release is 2.0.0 and the latest Nulog release is 2.0.1, but my attempts to install either latest version failed, which is very frustrating :( The latest Nulog requires many plugins (the official site also mentions this) and has been rewritten in Python.
Goal: use ulogd + nulog (with MySQL) to build a web query interface for iptables ULOG records
Environment: Red Hat / Fedora series
Installing ulogd
cd ulogd
autoconf
./configure --with-mysql
make && make install
cp ulogd.init /etc/init.d/ulogd
cp ulogd.logrotate /etc/logrotate.d/ulogd
cp ulogd.8 /usr/local/share/man/man8
vi /etc/init.d/ulogd
daemon /usr/local/sbin/ulogd -d
vi /usr/local/etc/ulogd.conf
#plugin="/usr/local/lib/ulogd/ulogd_LOGEMU.so"
plugin="/usr/local/lib/ulogd/ulogd_MYSQL.so"
[MYSQL]
table="ulog"
pass="ulog"
user="ulog"
db="ulog"
host="localhost"
Test run: start ulogd; if nothing is printed and /var/log/ulogd.log contains no error messages, everything is working.
If you get undefined symbol: mysql_real_escape_string:
vi Rules.make
Find the MYSQL_CFLAGS=... line and append -DOLD_MYSQL at its end
make clean && make && make install
If you get undefined symbol: mysql_init:
vi Rules.make
Find the MYSQL_LDFLAGS=$(LDFLAGS)... line and append -umysql_init at its end
make clean && make && make install
chkconfig --add ulogd
service ulogd start
Installing nulog
cd nulog
mysql -u root -p -A mysql
mysql> create database ulog;
mysql> grant all privileges on ulog.* to ulog@localhost identified by 'ulog';
mysql> flush privileges;
mysql> exit
mysql -u root -p -A ulog < scripts/ulogd.mysqldump
vi Makefile
WEBDIR="var/www/html/nulog"
make install
chmod -x `find /var/www/html/nulog -type f`
cd /var/www/html/nulog
cp config.template.php config.php
vi include/config.php
$lang="en";
$nufw_enabled="no";
$netfilter_log_drop=0;
$machine="YOUR_HOSTNAME";
$db_host="localhost";
$db_ulog="ulog";
$db_user="ulog";
$db_pwd="ulog";
vi index.php
$state=1;
vi host.php
$host=ip2sql($host);
change to:
$host=ip2long(...
if ($host<0)
$host=$host+...
//$host=ip2sql($host);
Application examples
1. Logging connections to this host's TCP port 80 (HTTP)
iptables -A INPUT -p tcp --dport 80 -j ULOG
2. Logging LAN users' Internet connections (this host acts as the NAT gateway)
iptables -A FORWARD -j ULOG
3. Logging connection attempts to a blocked port (this host acts as the NAT gateway)
iptables -N BAN_SSH
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 22 -j BAN_SSH
iptables -A BAN_SSH -j ULOG
iptables -A BAN_SSH -j DROP
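The kind of query nulog runs against the ulog table, as an added example that is not part of this guide or of nulog: it stores addresses the way ulogd's MySQL plugin does (as unsigned 32-bit integers), reproduces the 32-bit ip2long() sign fix from the host.php change above, and lists which LAN hosts tripped the BAN_SSH rule from example 3. Assumptions: the column names ip_saddr, ip_daddr, ip_protocol and tcp_dport follow ulogd's MySQL schema, and an in-memory SQLite table with constructed rows stands in for the MySQL database.

```python
import socket
import sqlite3
import struct

def ip_to_ulog(ip):
    # Dotted quad -> unsigned 32-bit integer, the form ulogd's MySQL plugin
    # writes into ip_saddr / ip_daddr.
    return struct.unpack("!I", socket.inet_aton(ip))[0]

def ulog_to_ip(n):
    # Reverse of ip_to_ulog, for presenting query results.
    return socket.inet_ntoa(struct.pack("!I", n & 0xFFFFFFFF))

def fix_signed(n):
    # Mirrors the host.php change above: on 32-bit PHP, ip2long() returns a
    # negative number for addresses >= 128.0.0.0, so add 2**32 to get the
    # unsigned value the table holds.
    return n + 2 ** 32 if n < 0 else n

# Constructed sample records (not real traffic): LAN clients hitting the
# BAN_SSH rule plus one ordinary HTTP connection. Columns are assumed.
SAMPLE_ROWS = [
    ("192.168.1.10", "203.0.113.5", 6, 22),
    ("192.168.1.10", "203.0.113.6", 6, 22),
    ("192.168.1.20", "198.51.100.9", 6, 22),
    ("192.168.1.30", "198.51.100.1", 6, 80),
]

def build_db():
    # In-memory SQLite stands in for the MySQL 'ulog' database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ulog (ip_saddr INTEGER, ip_daddr INTEGER, "
               "ip_protocol INTEGER, tcp_dport INTEGER)")
    db.executemany("INSERT INTO ulog VALUES (?, ?, ?, ?)",
                   [(ip_to_ulog(s), ip_to_ulog(d), p, port)
                    for s, d, p, port in SAMPLE_ROWS])
    return db

def ssh_attempts_by_source(db, cidr="192.168.1.0/24"):
    # Which LAN hosts keep trying outbound SSH through the BAN_SSH rule:
    # filter on the source subnet as an unsigned integer range.
    net, bits = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    lo = ip_to_ulog(net) & mask
    hi = lo | (~mask & 0xFFFFFFFF)
    rows = db.execute(
        "SELECT ip_saddr, COUNT(*) AS hits FROM ulog "
        "WHERE ip_protocol = 6 AND tcp_dport = 22 AND ip_saddr BETWEEN ? AND ? "
        "GROUP BY ip_saddr ORDER BY hits DESC", (lo, hi)).fetchall()
    return [(ulog_to_ip(addr), hits) for addr, hits in rows]
```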
References
iptables + ulogd + nulog on FC6
Appendix: problems and fixes
Problem 1:
MySQL: v5.0.45 (installed from source, prefix=/usr/local/mysql)
Running ulogd fails with: ulogd_MYSQL.c:409 can't establish database connection
Solution:
Edit Rules.make, find the MYSQL_CFLAGS=... line and remove -DOLD_MYSQL, then run make clean && make && make install (the install step is optional)
Edit ulogd.conf and change host="localhost" in the [MYSQL] section to host="127.0.0.1"
Problem 2:
MySQL: v4.1.22 (installed from RPM, MySQL-*-4.1.22-0.glibc23.rpm)
Running ulogd fails with: undefined symbol: mysql_real_escape_string
Solution:
Edit Rules.make, find the MYSQL_LDFLAGS=$(LDFLAGS)... line and append -umysql_init at its end
Run make clean && make && make install