At 10/19/2013 09:55 AM, you wrote:
>I did a system update the other day with shorewall and ulogd installed. Now ulogd fails to start:
>
>Sat Oct 19 08:26:01 2013 <5> ulogd.c:375 registering plugin `NFLOG'
>Sat Oct 19 08:26:01 2013 <5> ulogd.c:375 registering plugin `BASE'
>Sat Oct 19 08:26:01 2013 <5> ulogd.c:375 registering plugin `IP2STR'
>Sat Oct 19 08:26:01 2013 <5> ulogd.c:375 registering plugin `PRINTPKT'
>Sat Oct 19 08:26:01 2013 <5> ulogd.c:375 registering plugin `LOGEMU'
>Sat Oct 19 08:26:01 2013 <7> ulogd.c:741 cannot find key `oob.in' in stack
>Sat Oct 19 08:26:01 2013 <8> ulogd.c:1234 not even a single working plugin stack
>
>Looking at ulogd package changes shows:
>
>-plugin="/usr/lib/ulogd/ulogd_inppkt_ULOG.so"
>+plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
>
>Comparing the difference between ULOG.so and NFLOG.so indicates that the 'oob.in' key does not exist in NFLOG but does exist in ULOG, for example:
>
># ulogd --info /usr/lib/ulogd/ulogd_inppkt_ULOG.so
>Name: ULOG
>Config options:
>  Var: bufsize (Integer, Default: 150000)
>  Var: nlgroup (Integer, Default: 32)
>  Var: rmem (Integer, Default: 131071)
>  Var: numeric_label (Integer, Default: 0)
>Input keys:
>  Input plugin, No keys
>Output keys:
>  Key: raw.mac (raw data)
>  Key: raw.pkt (raw data)
>  Key: raw.pktlen (unsigned int 32)
>  Key: raw.pktcount (unsigned int 32)
>  Key: oob.prefix (string)
>  Key: oob.time.sec (unsigned int 32)
>  Key: oob.time.usec (unsigned int 32)
>  Key: oob.mark (unsigned int 32)
>  Key: oob.in (string)
>  Key: oob.out (string)
>  Key: oob.hook (unsigned int 8)
>  Key: raw.mac_len (unsigned int 16)
>  Key: oob.family (unsigned int 8)
>  Key: oob.protocol (unsigned int 16)
>  Key: raw.label (unsigned int 8)
>
>
># ulogd --info /usr/lib/ulogd/ulogd_inppkt_NFLOG.so
>Name: NFLOG
>Config options:
>  Var: bufsize (Integer, Default: 150000)
>  Var: group (Integer, Default: 0)
>  Var: unbind (Integer, Default: 1)
>  Var: bind (Integer, Default: 0)
>  Var: seq_local (Integer, Default: 0)
>  Var: seq_global (Integer, Default: 0)
>  Var: numeric_label (Integer, Default: 0)
>  Var: netlink_socket_buffer_size (Integer, Default: 0)
>  Var: netlink_socket_buffer_maxsize (Integer, Default: 0)
>  Var: netlink_qthreshold (Integer, Default: 0)
>  Var: netlink_qtimeout (Integer, Default: 0)
>Input keys:
>  Input plugin, No keys
>Output keys:
>  Key: raw.mac (raw data)
>  Key: raw.pkt (raw data)
>  Key: raw.pktlen (unsigned int 32)
>  Key: raw.pktcount (unsigned int 32)
>  Key: oob.prefix (string)
>  Key: oob.time.sec (unsigned int 32)
>  Key: oob.time.usec (unsigned int 32)
>  Key: oob.mark (unsigned int 32)
>  Key: oob.ifindex_in (unsigned int 32)
>  Key: oob.ifindex_out (unsigned int 32)
>  Key: oob.hook (unsigned int 8)
>  Key: raw.mac_len (unsigned int 16)
>  Key: oob.seq.local (unsigned int 32)
>  Key: oob.seq.global (unsigned int 32)
>  Key: oob.family (unsigned int 8)
>  Key: oob.protocol (unsigned int 16)
>  Key: oob.uid (unsigned int 32)
>  Key: oob.gid (unsigned int 32)
>  Key: raw.label (unsigned int 8)
>  Key: raw.type (unsigned int 16)
>  Key: raw.mac.saddr (raw data)
>  Key: raw.mac.addrlen (unsigned int 16)
>  Key: raw (raw data)
>
>Reverting ulogd.conf file to use ULOG instead of NFLOG, allows ulogd to run, but NFLOG is probably what is in the kernel, hence this change does log anything.
>
>Any suggestions on getting NFLOG to work?
>
>Wayne

I found the problem with ulogd not starting. Reading through the example config:

/usr/share/doc/ulogd/ulogd.conf

I noticed that the /etc/ulogd.conf file from the recent system upgrade is incorrect.

Here is the corrected ulogd.conf, which was missing the IFINDEX plugin in the stack:

[global]
logfile="/var/log/ulogd.log"
loglevel=5
rmem=131071
bufsize=150000
plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"
#stack=log1:NFLOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

[log1]
group=1

[emu1]
file=/var/log/ulogd.syslogemu

Wayne S
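
Added example, not part of the original post: a small Python check that walks a stack= line and reports input keys that no earlier plugin produces, which is the condition behind "cannot find key `oob.in' in stack". The --info excerpts are constructed: the NFLOG keys are trimmed from the output quoted above, the IFINDEX and PRINTPKT key lists are assumed and reduced, and parse_info and missing_keys are hypothetical helper names.

```python
import re

# Constructed `ulogd --info` excerpts. NFLOG keys are trimmed from the output
# quoted in the post; the IFINDEX and PRINTPKT key lists are assumed, reduced.
INFO = {
    "NFLOG": """Input keys:
 Input plugin, No keys
Output keys:
 Key: oob.prefix (string)
 Key: oob.ifindex_in (unsigned int 32)
 Key: oob.ifindex_out (unsigned int 32)
""",
    "IFINDEX": """Input keys:
 Key: oob.ifindex_in (unsigned int 32)
 Key: oob.ifindex_out (unsigned int 32)
Output keys:
 Key: oob.in (string)
 Key: oob.out (string)
""",
    "PRINTPKT": """Input keys:
 Key: oob.prefix (string)
 Key: oob.in (string)
 Key: oob.out (string)
Output keys:
 Key: print (string)
""",
}

def parse_info(text):
    """Split --info text into (input_keys, output_keys) lists."""
    keys = {"Input keys:": [], "Output keys:": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line in keys:
            section = line
        elif section and (m := re.match(r"Key: (\S+)", line)):
            keys[section].append(m.group(1))
    return keys["Input keys:"], keys["Output keys:"]

def missing_keys(stack):
    """Return (plugin, key) pairs whose input key no earlier plugin outputs."""
    available, missing = set(), []
    for entry in stack.split(","):
        plugin = entry.split(":", 1)[1]   # "log1:NFLOG" -> "NFLOG"
        # Plugins without an excerpt above (BASE, IP2STR, LOGEMU) are skipped.
        inputs, outputs = parse_info(INFO.get(plugin, ""))
        missing += [(plugin, k) for k in inputs if k not in available]
        available.update(outputs)
    return missing
```

Run against the commented-out stack from the config it flags PRINTPKT's oob.in and oob.out; against the corrected stack with ifi1:IFINDEX it returns an empty list.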