Node:ulog-acctd, Next:Invokation, Previous:Netfilter, Up:Configuration

ulog-acctd

Per default, configuration is done via the file /etc/ulog-acctd.conf. The following keywords are recognized:

• multicast groups = LIST: LIST is a comma-separated list of multicast groups that ulog-acctd should listen to. Possible values are 1-32.
• accounting file = FILENAME, dump file FILENAME, debug file FILENAME: Locations for the accounting file, dump file, debug log.
• debug = LIST: LIST is a comma-spearated list of debug message types. Valid debug message types are: config, state, syscall, misc, statistics, signal, error, annoying.
• accounting format = STRING: STRING is a format string with somewhat similar syntax to printf(3). The following directives are recognized and replaced in the output file.

  %h

  hostname
  

  %t

  timestamp
  

  %p

  protocol
  

  %s

  source IP
  

  %S

  source port
  

  %d

  destination IP
  

  %D

  destination port
  

  %P

  packets
  

  %b

  bytes
  

  %i

  incoming interface
  

  %o

  outgoing interface
  

  %r

  prefix
  

  \t

  tab
  

  \n

  newline
  

  \\

  Literal \
  

  \"

  Literal "
  

  \%

  Literal %
  

  %%

  Literal %

• empty interface = STRING: If no incoming or outgoing interface is passed for a packet, insert STRING instead.
• empty prefix = STRING: If no ULOG-prefix is passed for a packet, insert STRING instead.
• flush = TIME: The data that has been accumulated in a in-memory structure is written to the accounting file every TIME seconds.
• fdelay = TIME: A certain record of traffic information may be written out after TIME seconds. This helps making the logfiles smaller since only one output record will be generated for related traffic

Example:

multicast groups=1
accounting file = /var/log/ulog-acctd/account.log
dump file =       /var/log/ulog-acctd/dump
debug file =      /var/log/ulog-acctd/debug.log
debug = error
accounting format = "%h\t%t\t%p\t%s\t%S\t%d\t%D\t%P\t%b\t\"%i\"\t\"%o\"\t\"%f\"\n"
flush = 30
fdelay = 30

The supplied accounting format string generates output records in the following form (all in one line, with a linefeed at the end):

judith	1032521454	6	192.168.42.11	110	192.168.215.71	1546	12	250113	"eth0"	"eth1"	"prefix"

The following format string will generate CISCO "ip accounting output-packets"-style output lines:

accounting format = "%s %d %P %b\n"

192.168.42.11 192.168.215.71 12	250113

When not all types of information are collected, ulog-acctd will have to do fewer comparisions for each packet while collecting data. Records are smaller and likely fewer records will be written out. This will be the case especially if port information are not collected.