# app-admin/ulogd-2.0.7 fails to create pid file

## Robert S

I have just upgraded app-admin/ulogd to the latest version. It fails to start with the error:

> start-stop-daemon: did not create a valid pid in `/run/ulogd.pid'

 

I assume that this is a permissions problem.  Is there a fix or should I downgrade to the old version and wait for a fix?  I prefer not to tamper with the init file.

[UPDATE]

I've just downgraded ulogd and have had the same problem. I've also tried making the pid file folder writeable by the user ulog, but no luck.

----------

## massimo

I suppose you've merged all changes to the configuration file. The new configuration file does now load all modules at start. You can also check ulogd's log for missing modules.

----------

## Robert S

Thanks.  I've used the new config file.  I've uncommented the first stack and have left everything else unchanged:

```
# this is a stack for logging packet send by system via LOGEMU
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
```

I get this:

> # /usr/sbin/ulogd --pidfile /run/ulogd.pid -v
> 
> Mon Jul  2 18:00:48 2018 <5> ulogd.c:744 loading all plugins at /usr/lib64/ulogd
> 
> Mon Jul  2 18:00:48 2018 <5> ulogd.c:407 registering plugin `HWHDR'
> ...

 

I've been trying to get ulogd to write firewall logs to /var/log/ulogd/ulogd_syslogemu.log. My kernel has NFLOG compiled in:

> # lsmod |grep NFLOG
> 
> xt_NFLOG               16384  9
> 
> nfnetlink_log          20480  3 xt_NFLOG
> ...

 

----------

## massimo

Please post the complete configuration file.

----------

## Robert S

Here it is:

```
# Example configuration for ulogd
# Adapted to Debian by Achilleas Kotsis <achille@debian.gr>

[global]
######################################################################
# GLOBAL OPTIONS
######################################################################

# logfile for status messages
logfile="/var/log/ulogd.log"

# loglevel: debug(1), info(3), notice(5), error(7) or fatal(8) (default 5)
# loglevel=1

######################################################################
# PLUGIN OPTIONS
######################################################################

# We have to configure and load all the plugins we want to use

# general rules:
#
# 0. don't specify any plugin for ulogd to load them all
# 1. load the plugins _first_ from the global section
# 2. options for each plugin in seperate section below

#plugin="@pkglibdir@/ulogd_inppkt_NFLOG.so"
#plugin="@pkglibdir@/ulogd_inppkt_ULOG.so"
#plugin="@pkglibdir@/ulogd_inppkt_UNIXSOCK.so"
#plugin="@pkglibdir@/ulogd_inpflow_NFCT.so"
#plugin="@pkglibdir@/ulogd_filter_IFINDEX.so"
#plugin="@pkglibdir@/ulogd_filter_IP2STR.so"
#plugin="@pkglibdir@/ulogd_filter_IP2BIN.so"
#plugin="@pkglibdir@/ulogd_filter_IP2HBIN.so"
#plugin="@pkglibdir@/ulogd_filter_PRINTPKT.so"
#plugin="@pkglibdir@/ulogd_filter_HWHDR.so"
#plugin="@pkglibdir@/ulogd_filter_PRINTFLOW.so"
#plugin="@pkglibdir@/ulogd_filter_MARK.so"
#plugin="@pkglibdir@/ulogd_output_LOGEMU.so"
#plugin="@pkglibdir@/ulogd_output_SYSLOG.so"
#plugin="@pkglibdir@/ulogd_output_XML.so"
#plugin="@pkglibdir@/ulogd_output_SQLITE3.so"
#plugin="@pkglibdir@/ulogd_output_GPRINT.so"
#plugin="@pkglibdir@/ulogd_output_NACCT.so"
#plugin="@pkglibdir@/ulogd_output_PCAP.so"
#plugin="@pkglibdir@/ulogd_output_PGSQL.so"
#plugin="@pkglibdir@/ulogd_output_MYSQL.so"
#plugin="@pkglibdir@/ulogd_output_DBI.so"
#plugin="@pkglibdir@/ulogd_raw2packet_BASE.so"
#plugin="@pkglibdir@/ulogd_inpflow_NFACCT.so"
#plugin="@pkglibdir@/ulogd_output_GRAPHITE.so"
#plugin="@pkglibdir@/ulogd_output_JSON.so"

# this is a stack for logging packet send by system via LOGEMU
# UNCOMMENTED
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# this is a stack for packet-based logging via LOGEMU
#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# this is a stack for ULOG packet-based logging via LOGEMU
#stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# this is a stack for packet-based logging via LOGEMU with filtering on MARK
#stack=log2:NFLOG,base1:BASE,mark1:MARK,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# this is a stack for packet-based logging via GPRINT
#stack=log1:NFLOG,gp1:GPRINT

# this is a stack for flow-based logging via LOGEMU
#stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU

# this is a stack for flow-based logging via GPRINT
#stack=ct1:NFCT,gp1:GPRINT

# this is a stack for flow-based logging via XML
#stack=ct1:NFCT,xml1:XML

# this is a stack for logging in XML
#stack=log1:NFLOG,xml1:XML

# this is a stack for accounting-based logging via XML
#stack=acct1:NFACCT,xml1:XML

# this is a stack for accounting-based logging to a Graphite server
#stack=acct1:NFACCT,graphite1:GRAPHITE

# this is a stack for NFLOG packet-based logging to PCAP
#stack=log2:NFLOG,base1:BASE,pcap1:PCAP

# this is a stack for logging packet to MySQL
#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mac2str1:HWHDR,mysql1:MYSQL

# this is a stack for logging packet to PGsql after a collect via NFLOG
#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,pgsql1:PGSQL

# this is a stack for logging packet to JSON formatted file after a collect via NFLOG
#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,json1:JSON

# this is a stack for logging packets to syslog after a collect via NFLOG
#stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG

# this is a stack for logging packets to syslog after a collect via NuFW
#stack=nuauth1:UNIXSOCK,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG

# this is a stack for flow-based logging to MySQL
#stack=ct1:NFCT,ip2bin1:IP2BIN,mysql2:MYSQL

# this is a stack for flow-based logging to PGSQL
#stack=ct1:NFCT,ip2str1:IP2STR,pgsql2:PGSQL

# this is a stack for flow-based logging to PGSQL without local hash
#stack=ct1:NFCT,ip2str1:IP2STR,pgsql3:PGSQL

# this is a stack for flow-based logging to SQLITE3
#stack=ct1:NFCT,sqlite3_ct:SQLITE3

# this is a stack for logging packet to SQLITE3
#stack=log1:NFLOG,sqlite3_pkt:SQLITE3

# this is a stack for flow-based logging in NACCT compatible format
#stack=ct1:NFCT,ip2str1:IP2STR,nacct1:NACCT

# this is a stack for accounting-based logging via GPRINT
#stack=acct1:NFACCT,gp1:GPRINT

[ct1]
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
#netlink_resync_timeout=60 # seconds to wait to perform resynchronization
#pollinterval=10 # use poll-based logging instead of event-driven
# If pollinterval is not set, NFCT plugin will work in event mode
# In this case, you can use the following filters on events:
#accept_src_filter=192.168.1.0/24,1:2::/64 # source ip of connection must belong to these networks
#accept_dst_filter=192.168.1.0/24 # destination ip of connection must belong to these networks
#accept_proto_filter=tcp,sctp # layer 4 proto of connections

[ct2]
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
#reliable=1 # enable reliable flow-based logging (may drop packets)
hash_enable=0

# Logging of system packet through NFLOG
[log1]
# netlink multicast group (the same as the iptables --nflog-group param)
# Group O is used by the kernel to log connection tracking invalid message
group=0
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
# set number of packet to queue inside kernel
#netlink_qthreshold=1
# set the delay before flushing packet in the queue inside kernel (in 10ms)
#netlink_qtimeout=100

# packet logging through NFLOG for group 1
[log2]
# netlink multicast group (the same as the iptables --nflog-group param)
group=1 # Group has to be different from the one use in log1
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
# If your kernel is older than 2.6.29 and if a NFLOG input plugin with
# group 0 is not used by any stack, you need to have at least one NFLOG
# input plugin with bind set to 1. If you don't do that you may not
# receive any message from the kernel.
#bind=1

# packet logging through NFLOG for group 2, numeric_label is
# set to 1
[log3]
# netlink multicast group (the same as the iptables --nflog-group param)
group=2 # Group has to be different from the one use in log1/log2
numeric_label=1 # you can label the log info based on the packet verdict
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
#bind=1

[ulog1]
# netlink multicast group (the same as the iptables --ulog-nlgroup param)
nlgroup=1
#numeric_label=0 # optional argument

[nuauth1]
socket_path="/tmp/nuauth_ulogd2.sock"

[emu1]
file="/var/log/ulogd_syslogemu.log"
sync=1

[op1]
file="/var/log/ulogd_oprint.log"
sync=1

[gp1]
file="/var/log/ulogd_gprint.log"
sync=1
timestamp=1

[xml1]
directory="/var/log/"
sync=1

[json1]
sync=1
#file="/var/log/ulogd.json"
#timestamp=0
# device name to be used in JSON message
#device="My awesome Netfilter firewall"
# If boolean_label is set to 1 then the numeric_label put on packet
# by the input plugin is coding the action on packet: if 0, then
# packet has been blocked and if non null it has been accepted.
#boolean_label=1
# Uncomment the following line to use JSON v1 event format that
# can provide better compatility with some JSON file reader.
#eventv1=1

[pcap1]
#default file is /var/log/ulogd.pcap
#file="/var/log/ulogd.pcap"
sync=1

[mysql1]
db="nulog"
host="localhost"
user="nupik"
table="ulog"
pass="changeme"
procedure="INSERT_PACKET_FULL"
# backlog configuration:
# set backlog_memcap to the size of memory that will be
# allocated to store events in memory if data is temporary down
# and insert them when the database came back.
#backlog_memcap=1000000
# number of events to insert at once when backlog is not empty
#backlog_oneshot_requests=10

[mysql2]
db="nulog"
host="localhost"
user="nupik"
table="conntrack"
pass="changeme"
procedure="INSERT_CT"

[pgsql1]
db="nulog"
host="localhost"
user="nupik"
table="ulog"
#schema="public"
pass="changeme"
procedure="INSERT_PACKET_FULL"
# connstring can be used to define PostgreSQL connection string which
# contains all parameters of the connection. If set, this value has
# precedence on other variables used to build the connection string.
# See http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
# for a complete description of options.
#connstring="host=localhost port=4321 dbname=nulog user=nupik password=changeme"
#backlog_memcap=1000000
#backlog_oneshot_requests=10
# If superior to 1 a thread dedicated to SQL request execution
# is created. The value stores the number of SQL request to keep
# in the ring buffer
#ring_buffer_size=1000

[pgsql2]
db="nulog"
host="localhost"
user="nupik"
table="ulog2_ct"
#schema="public"
pass="changeme"
procedure="INSERT_CT"

[pgsql3]
db="nulog"
host="localhost"
user="nupik"
table="ulog2_ct"
#schema="public"
pass="changeme"
procedure="INSERT_OR_REPLACE_CT"

[pgsql4]
db="nulog"
host="localhost"
user="nupik"
table="nfacct"
#schema="public"
pass="changeme"
procedure="INSERT_NFACCT"

[dbi1]
db="ulog2"
dbtype="pgsql"
host="localhost"
user="ulog2"
table="ulog"
pass="ulog2"
procedure="INSERT_PACKET_FULL"

[sqlite3_ct]
table="ulog_ct"
db="/var/log/ulogd.sqlite3db"

[sqlite3_pkt]
table="ulog_pkt"
db="/var/log/ulogd.sqlite3db"

[sys2]
facility=LOG_LOCAL2

[nacct1]
sync = 1
#file = /var/log/ulogd_nacct.log

[mark1]
mark = 1

[acct1]
pollinterval = 2
# If set to 0, we don't reset the counters for each polling (default is 1).
#zerocounter = 0
# Set timestamp (default is 0, which means not set). This timestamp can be
# interpreted by the output plugin.
#timestamp = 1

[graphite1]
host="127.0.0.1"
port="2003"
# Prefix of data name sent to graphite server
prefix="netfilter.nfacct"
```

----------

## massimo

The configuration file tells me that the required plugins are not loaded. The block containing the plugins should look like this:

```
plugin="/usr/lib64/ulogd/ulogd_inppkt_NFLOG.so"
#plugin="/usr/lib64/ulogd/ulogd_inppkt_ULOG.so"
#plugin="/usr/lib64/ulogd/ulogd_inppkt_UNIXSOCK.so"
#plugin="/usr/lib64/ulogd/ulogd_inpflow_NFCT.so"
plugin="/usr/lib64/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib64/ulogd/ulogd_filter_IP2STR.so"
#plugin="/usr/lib64/ulogd/ulogd_filter_IP2BIN.so"
#plugin="/usr/lib64/ulogd/ulogd_filter_IP2HBIN.so"
plugin="/usr/lib64/ulogd/ulogd_filter_PRINTPKT.so"
#plugin="/usr/lib64/ulogd/ulogd_filter_HWHDR.so"
#plugin="/usr/lib64/ulogd/ulogd_filter_PRINTFLOW.so"
#plugin="/usr/lib64/ulogd/ulogd_filter_MARK.so"
plugin="/usr/lib64/ulogd/ulogd_output_LOGEMU.so"
#plugin="/usr/lib64/ulogd/ulogd_output_SYSLOG.so"
#plugin="/usr/lib64/ulogd/ulogd_output_XML.so"
#plugin="/usr/lib64/ulogd/ulogd_output_SQLITE3.so"
#plugin="/usr/lib64/ulogd/ulogd_output_GPRINT.so"
#plugin="/usr/lib64/ulogd/ulogd_output_NACCT.so"
#plugin="/usr/lib64/ulogd/ulogd_output_PCAP.so"
#plugin="/usr/lib64/ulogd/ulogd_output_PGSQL.so"
#plugin="/usr/lib64/ulogd/ulogd_output_MYSQL.so"
#plugin="/usr/lib64/ulogd/ulogd_output_DBI.so"
plugin="/usr/lib64/ulogd/ulogd_raw2packet_BASE.so"
#plugin="/usr/lib64/ulogd/ulogd_inpflow_NFACCT.so"
#plugin="/usr/lib64/ulogd/ulogd_output_GRAPHITE.so"
#plugin="/usr/lib64/ulogd/ulogd_output_JSON.so"
```

----------
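An added example, not part of the thread and not ulogd's own code: an offline check of the point raised in the post above, that every plugin type named in an active `stack=` line is covered by an uncommented `plugin=` line. It assumes the `ulogd_<kind>_<TYPE>.so` naming seen in the thread's plugin list, treats a config with no `plugin=` line as loading everything (rule 0 in the posted config), and also flags NFLOG instances that share a `group`; the function names and the sample are constructed.

```python
import re

def parse_ulogd_conf(text):
    """Return (plugin types loaded, active stacks, options per section)."""
    plugins, stacks, sections, current = set(), [], {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and commented-out lines
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip('"')
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif current == "global" and key == "plugin":
            # Assumption taken from the filenames in the thread: ulogd_<kind>_<TYPE>.so
            so = re.search(r"ulogd_[a-z0-9]+_(\w+)\.so$", value)
            if so:
                plugins.add(so.group(1))
        elif current == "global" and key == "stack":
            stacks.append([tuple(part.strip().split(":", 1)) for part in value.split(",")])
        elif current is not None:
            sections[current][key] = value
    return plugins, stacks, sections

def check_ulogd_conf(text):
    """List stack entries with no loaded plugin and NFLOG groups used twice."""
    plugins, stacks, sections = parse_ulogd_conf(text)
    used = sorted({entry for stack in stacks for entry in stack})
    findings, groups = [], {}
    for instance, ptype in used:
        # No plugin= line at all means ulogd loads every plugin (rule 0 in the config).
        if plugins and ptype not in plugins:
            findings.append(f"{instance}: type {ptype} has no plugin= line")
        group = sections.get(instance, {}).get("group")
        if ptype == "NFLOG" and group is not None:
            groups.setdefault(group, []).append(instance)
    for group, instances in sorted(groups.items()):
        if len(instances) > 1:
            findings.append(f"NFLOG group {group} used by {', '.join(instances)}")
    return findings

# Constructed input: two plugins loaded, two stacks, both NFLOG instances on group 0.
SAMPLE = """[global]
plugin="/usr/lib64/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib64/ulogd/ulogd_output_LOGEMU.so"
stack=log1:NFLOG,base1:BASE,emu1:LOGEMU
stack=log2:NFLOG,base1:BASE,emu1:LOGEMU
[log1]
group=0
[log2]
group=0 # constructed clash
"""
```

Calling `check_ulogd_conf(SAMPLE)` reports the missing BASE plugin and the shared NFLOG group; an empty list means neither problem was found.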

## Robert S

Sadly still no luck:

>  # /usr/sbin/ulogd --pidfile /run/ulogd.pid -v
> 
> Mon Jul  2 22:32:09 2018 <5> ulogd.c:407 registering plugin `NFLOG'
> 
> Mon Jul  2 22:32:09 2018 <5> ulogd.c:407 registering plugin `IFINDEX'
> ...

 

Here is my config, minus comments:

```
[global]
logfile="/var/log/ulogd.log"
plugin="/usr/lib64/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib64/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib64/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib64/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib64/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/lib64/ulogd/ulogd_raw2packet_BASE.so"
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

[ct1]

[ct2]
hash_enable=0

[log1]
group=0

[log2]
group=1 # Group has to be different from the one use in log1

[log3]
group=2 # Group has to be different from the one use in log1/log2
numeric_label=1 # you can label the log info based on the packet verdict

[ulog1]
nlgroup=1

[nuauth1]
socket_path="/tmp/nuauth_ulogd2.sock"

[emu1]
file="/var/log/ulogd_syslogemu.log"
sync=1

[op1]
file="/var/log/ulogd_oprint.log"
sync=1

[gp1]
file="/var/log/ulogd_gprint.log"
sync=1
timestamp=1

[xml1]
directory="/var/log/"
sync=1

[json1]
sync=1

[pcap1]
sync=1

[mysql1]
db="nulog"
host="localhost"
user="nupik"
table="ulog"
pass="changeme"
procedure="INSERT_PACKET_FULL"

[mysql2]
db="nulog"
host="localhost"
user="nupik"
table="conntrack"
pass="changeme"
procedure="INSERT_CT"

[pgsql1]
db="nulog"
host="localhost"
user="nupik"
table="ulog"
pass="changeme"
procedure="INSERT_PACKET_FULL"

[pgsql2]
db="nulog"
host="localhost"
user="nupik"
table="ulog2_ct"
pass="changeme"
procedure="INSERT_CT"

[pgsql3]
db="nulog"
host="localhost"
user="nupik"
table="ulog2_ct"
pass="changeme"
procedure="INSERT_OR_REPLACE_CT"

[pgsql4]
db="nulog"
host="localhost"
user="nupik"
table="nfacct"
pass="changeme"
procedure="INSERT_NFACCT"

[dbi1]
db="ulog2"
dbtype="pgsql"
host="localhost"
user="ulog2"
table="ulog"
pass="ulog2"
procedure="INSERT_PACKET_FULL"

[sqlite3_ct]
table="ulog_ct"
db="/var/log/ulogd.sqlite3db"

[sqlite3_pkt]
table="ulog_pkt"
db="/var/log/ulogd.sqlite3db"

[sys2]
facility=LOG_LOCAL2

[nacct1]
sync = 1

[mark1]
mark = 1

[acct1]
pollinterval = 2

[graphite1]
host="127.0.0.1"
port="2003"
prefix="netfilter.nfacct"
```

----------

## massimo

Does the file /var/log/ulogd_syslogemu.log exist?

----------

## Robert S

I've got /var/log/ulogd/ulogd_syslogemu.log, but not /var/log/ulogd_syslogemu.log.

Interestingly, daemon errors were previously written to /var/log/ulogd/ulogd.log but are now appearing in /var/log/ulogd.log.

I've tried creating an empty /var/log/ulogd_syslogemu.log, but it still fails to start.

----------

## massimo

Set loglevel to debug and try again, eventually there is more information in the logs to see then.

----------

## Robert S

Just noticed that the location of ulogd.log has changed in the config file. Here is the debug output:

> Tue Jul  3 19:08:26 2018 <5> ulogd.c:407 registering plugin `NFLOG'
> 
> Tue Jul  3 19:08:26 2018 <5> ulogd.c:407 registering plugin `IFINDEX'
> 
> Tue Jul  3 19:08:26 2018 <5> ulogd.c:407 registering plugin `IP2STR'
> ...

 

----------

## massimo

Is ulogd already running when you try to start it?

----------

## Robert S

Yes:

> mypc ~ # killall ulogd
> 
> mypc ~ # /etc/init.d/ulogd start
> 
>  * Starting ulogd ...                                                                                                                                                                                                                  [ ok ]
> ...

Many thanks for your patience in sorting this out.

----------

