Logging
The following scenarios show how to configure the conntrack logging option with different traffic policies and services enabled, in order to check that all fields are displayed correctly and all events are captured.
New events
Description
Check that NEW session events are captured.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 192.168.100.1/24
set system conntrack logging events new
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.397 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.397/0.397/0.397/0.000 ms
Step 4: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.264 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.264/0.264/0.264/0.000 ms
Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
ulogd\[.*\]:.*\[NEW\].*SRC=192.168.100.2
Jun 24 12:36:08.359118 osdx systemd-journald[1663]: Runtime Journal (/run/log/journal/a9c8f5b24ca148a6b10e0198640df300) is 2.1M, max 15.3M, 13.2M free.
Jun 24 12:36:08.360858 osdx systemd-journald[1663]: Received client request to rotate journal, rotating.
Jun 24 12:36:08.360926 osdx systemd-journald[1663]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a9c8f5b24ca148a6b10e0198640df300.
Jun 24 12:36:08.364890 osdx sudo[134140]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:36:08.373763 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system journal clear'.
Jun 24 12:36:08.619905 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 24 12:36:08.988150 osdx OSDxCLI[127378]: User 'admin' entered the configuration menu.
Jun 24 12:36:09.072844 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 192.168.100.1/24'.
Jun 24 12:36:09.162545 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set system conntrack logging events new'.
Jun 24 12:36:09.241185 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'show working'.
Jun 24 12:36:09.346939 osdx ubnt-cfgd[134165]: inactive
Jun 24 12:36:09.367286 osdx INFO[134173]: FRR daemons did not change
Jun 24 12:36:09.392848 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 24 12:36:09.457519 osdx sudo[134261]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:36:09.497165 osdx systemd[1]: Starting ulogd2.service - Netfilter Userspace Logging Daemon...
Jun 24 12:36:09.500082 osdx systemd[1]: Started ulogd2.service - Netfilter Userspace Logging Daemon.
Jun 24 12:36:09.501952 osdx cfgd[1460]: [127378]Completed change to active configuration
Jun 24 12:36:09.503420 osdx ulogd[134264]: registering plugin `NFCT'
Jun 24 12:36:09.504449 osdx ulogd[134264]: registering plugin `IP2STR'
Jun 24 12:36:09.504562 osdx ulogd[134264]: registering plugin `PRINTFLOW'
Jun 24 12:36:09.505719 osdx ulogd[134264]: registering plugin `SYSLOG'
Jun 24 12:36:09.505767 osdx ulogd[134264]: building new pluginstance stack: 'ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,sys1:SYSLOG'
Jun 24 12:36:09.505849 osdx ulogd[134264]: NFCT plugin working in event mode
Jun 24 12:36:09.505890 osdx ulogd[134264]: Changing UID / GID
Jun 24 12:36:09.506000 osdx ulogd[134264]: initialization finished, entering main loop
Jun 24 12:36:09.516856 osdx OSDxCLI[127378]: User 'admin' committed the configuration.
Jun 24 12:36:09.535575 osdx OSDxCLI[127378]: User 'admin' left the configuration menu.
Jun 24 12:36:10.366011 osdx ulogd[134264]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Jun 24 12:36:10.456030 osdx ulogd[134264]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Update events
Description
Check that UPDATE session events are captured.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 192.168.100.1/24
set system conntrack logging events update
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.415 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.415/0.415/0.415/0.000 ms
Step 4: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.263 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.263/0.263/0.263/0.000 ms
Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
ulogd\[.*\]:.*\[UPDATE\].*SRC=192.168.100.2
Jun 24 12:36:15.312804 osdx systemd-journald[1663]: Runtime Journal (/run/log/journal/a9c8f5b24ca148a6b10e0198640df300) is 2.0M, max 15.3M, 13.3M free.
Jun 24 12:36:15.313930 osdx systemd-journald[1663]: Received client request to rotate journal, rotating.
Jun 24 12:36:15.313976 osdx systemd-journald[1663]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a9c8f5b24ca148a6b10e0198640df300.
Jun 24 12:36:15.317453 osdx sudo[134424]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:36:15.324446 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system journal clear'.
Jun 24 12:36:15.550140 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 24 12:36:15.824763 osdx OSDxCLI[127378]: User 'admin' entered the configuration menu.
Jun 24 12:36:15.924064 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 192.168.100.1/24'.
Jun 24 12:36:16.000602 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set system conntrack logging events update'.
Jun 24 12:36:16.124572 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'show working'.
Jun 24 12:36:16.191863 osdx ubnt-cfgd[134449]: inactive
Jun 24 12:36:16.213905 osdx INFO[134457]: FRR daemons did not change
Jun 24 12:36:16.237948 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 24 12:36:16.299635 osdx sudo[134545]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:36:16.342399 osdx systemd[1]: Starting ulogd2.service - Netfilter Userspace Logging Daemon...
Jun 24 12:36:16.343473 osdx systemd[1]: Started ulogd2.service - Netfilter Userspace Logging Daemon.
Jun 24 12:36:16.343573 osdx ulogd[134548]: registering plugin `NFCT'
Jun 24 12:36:16.343779 osdx ulogd[134548]: registering plugin `IP2STR'
Jun 24 12:36:16.343847 osdx ulogd[134548]: registering plugin `PRINTFLOW'
Jun 24 12:36:16.343918 osdx ulogd[134548]: registering plugin `SYSLOG'
Jun 24 12:36:16.343943 osdx ulogd[134548]: building new pluginstance stack: 'ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,sys1:SYSLOG'
Jun 24 12:36:16.344014 osdx ulogd[134548]: NFCT plugin working in event mode
Jun 24 12:36:16.344043 osdx ulogd[134548]: Changing UID / GID
Jun 24 12:36:16.344137 osdx ulogd[134548]: initialization finished, entering main loop
Jun 24 12:36:16.345177 osdx cfgd[1460]: [127378]Completed change to active configuration
Jun 24 12:36:16.359813 osdx OSDxCLI[127378]: User 'admin' committed the configuration.
Jun 24 12:36:16.383982 osdx OSDxCLI[127378]: User 'admin' left the configuration menu.
Jun 24 12:36:17.326346 osdx ulogd[134548]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Jun 24 12:36:17.451238 osdx ulogd[134548]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Destroy events
Description
Check that DESTROY session events are captured.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 192.168.100.1/24
set service ssh
set system conntrack logging events destroy
set system conntrack timeout icmp 1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.442 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.442/0.442/0.442/0.000 ms
Step 4: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.219 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.293 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.262 ms
--- 192.168.100.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2036ms
rtt min/avg/max/mdev = 0.219/0.258/0.293/0.030 ms
Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
ulogd\[.*\]:.*\[DESTROY\].*SRC=192.168.100.2
Jun 24 12:36:22.351569 osdx systemd-journald[1663]: Runtime Journal (/run/log/journal/a9c8f5b24ca148a6b10e0198640df300) is 2.0M, max 15.3M, 13.3M free.
Jun 24 12:36:22.352547 osdx systemd-journald[1663]: Received client request to rotate journal, rotating.
Jun 24 12:36:22.352599 osdx systemd-journald[1663]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a9c8f5b24ca148a6b10e0198640df300.
Jun 24 12:36:22.355724 osdx sudo[134706]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:36:22.361638 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system journal clear'.
Jun 24 12:36:22.656368 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 24 12:36:22.887022 osdx OSDxCLI[127378]: User 'admin' entered the configuration menu.
Jun 24 12:36:22.964994 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 192.168.100.1/24'.
Jun 24 12:36:23.051370 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set system conntrack logging events destroy'.
Jun 24 12:36:23.144521 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set system conntrack timeout icmp 1'.
Jun 24 12:36:23.247102 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set service ssh'.
Jun 24 12:36:23.323405 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'show working'.
Jun 24 12:36:23.429072 osdx ubnt-cfgd[134733]: inactive
Jun 24 12:36:23.458455 osdx INFO[134747]: FRR daemons did not change
Jun 24 12:36:23.484538 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 24 12:36:23.538304 osdx sudo[134837]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:36:23.604823 osdx systemd[1]: Starting ulogd2.service - Netfilter Userspace Logging Daemon...
Jun 24 12:36:23.605670 osdx systemd[1]: Started ulogd2.service - Netfilter Userspace Logging Daemon.
Jun 24 12:36:23.605831 osdx ulogd[134840]: registering plugin `NFCT'
Jun 24 12:36:23.606080 osdx ulogd[134840]: registering plugin `IP2STR'
Jun 24 12:36:23.606172 osdx ulogd[134840]: registering plugin `PRINTFLOW'
Jun 24 12:36:23.606255 osdx ulogd[134840]: registering plugin `SYSLOG'
Jun 24 12:36:23.606287 osdx ulogd[134840]: building new pluginstance stack: 'ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,sys1:SYSLOG'
Jun 24 12:36:23.606371 osdx ulogd[134840]: NFCT plugin working in event mode
Jun 24 12:36:23.606409 osdx ulogd[134840]: Changing UID / GID
Jun 24 12:36:23.606515 osdx ulogd[134840]: initialization finished, entering main loop
Jun 24 12:36:23.649905 osdx systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
Jun 24 12:36:23.662066 osdx sshd[134846]: Server listening on 0.0.0.0 port 22.
Jun 24 12:36:23.662248 osdx sshd[134846]: Server listening on :: port 22.
Jun 24 12:36:23.662354 osdx systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
Jun 24 12:36:23.742043 osdx cfgd[1460]: [127378]Completed change to active configuration
Jun 24 12:36:23.753198 osdx OSDxCLI[127378]: User 'admin' committed the configuration.
Jun 24 12:36:23.788301 osdx OSDxCLI[127378]: User 'admin' left the configuration menu.
Jun 24 12:36:25.809067 osdx ulogd[134840]: [DESTROY] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=1 BYTES=84 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=1 BYTES=84
Jun 24 12:36:26.832809 osdx ulogd[134840]: [DESTROY] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=1 BYTES=84 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=1 BYTES=84
Default logging
Description
Set a simple configuration, send a ping command from one device to the other, and check that the default fields appear when running system journal show.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 192.168.100.1/24
set system conntrack logging events all
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.318 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.318/0.318/0.318/0.000 ms
Step 4: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.255 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.255/0.255/0.255/0.000 ms
Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
ulogd\[.*\]:.*\[((NEW)|(UPDATE)|(DESTROY))\].*SRC=192.168.100.2
Jun 24 12:36:34.322536 osdx systemd-journald[1663]: Runtime Journal (/run/log/journal/a9c8f5b24ca148a6b10e0198640df300) is 2.0M, max 15.3M, 13.3M free.
Jun 24 12:36:34.325361 osdx systemd-journald[1663]: Received client request to rotate journal, rotating.
Jun 24 12:36:34.325435 osdx systemd-journald[1663]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a9c8f5b24ca148a6b10e0198640df300.
Jun 24 12:36:34.327615 osdx sudo[135029]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:36:34.333966 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system journal clear'.
Jun 24 12:36:34.561031 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 24 12:36:34.818304 osdx OSDxCLI[127378]: User 'admin' entered the configuration menu.
Jun 24 12:36:34.895153 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 192.168.100.1/24'.
Jun 24 12:36:34.987278 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set system conntrack logging events all'.
Jun 24 12:36:35.067216 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'show working'.
Jun 24 12:36:35.177837 osdx ubnt-cfgd[135054]: inactive
Jun 24 12:36:35.197651 osdx INFO[135062]: FRR daemons did not change
Jun 24 12:36:35.221357 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 24 12:36:35.276014 osdx sudo[135150]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:36:35.305746 osdx systemd[1]: Starting ulogd2.service - Netfilter Userspace Logging Daemon...
Jun 24 12:36:35.306755 osdx systemd[1]: Started ulogd2.service - Netfilter Userspace Logging Daemon.
Jun 24 12:36:35.306933 osdx ulogd[135153]: registering plugin `NFCT'
Jun 24 12:36:35.307137 osdx ulogd[135153]: registering plugin `IP2STR'
Jun 24 12:36:35.307208 osdx ulogd[135153]: registering plugin `PRINTFLOW'
Jun 24 12:36:35.307274 osdx ulogd[135153]: registering plugin `SYSLOG'
Jun 24 12:36:35.307301 osdx ulogd[135153]: building new pluginstance stack: 'ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,sys1:SYSLOG'
Jun 24 12:36:35.307366 osdx ulogd[135153]: NFCT plugin working in event mode
Jun 24 12:36:35.307399 osdx ulogd[135153]: Changing UID / GID
Jun 24 12:36:35.307487 osdx ulogd[135153]: initialization finished, entering main loop
Jun 24 12:36:35.308088 osdx cfgd[1460]: [127378]Completed change to active configuration
Jun 24 12:36:35.319583 osdx OSDxCLI[127378]: User 'admin' committed the configuration.
Jun 24 12:36:35.341452 osdx OSDxCLI[127378]: User 'admin' left the configuration menu.
Jun 24 12:36:36.174845 osdx ulogd[135153]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Jun 24 12:36:36.174874 osdx ulogd[135153]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Jun 24 12:36:36.252128 osdx ulogd[135153]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Jun 24 12:36:36.252152 osdx ulogd[135153]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Identity logging
Description
Set a simple configuration with identity OSDx_DUT0 for log entries, send a ping command from one device to the other, and check that the identity has changed when running system journal show.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 192.168.100.1/24
set system conntrack logging events all
set system conntrack logging identity OSDx_DUT0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.358 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.358/0.358/0.358/0.000 ms
Step 4: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.248 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.248/0.248/0.248/0.000 ms
Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
OSDx_DUT0\[.*\]:.*\[((NEW)|(UPDATE)|(DESTROY))\].*SRC=192.168.100.2
Jun 24 12:36:40.000203 osdx systemd-timedated[133272]: Changed local time to Tue 2025-06-24 12:36:40 UTC
Jun 24 12:36:40.002105 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'set date 2025-06-24 12:36:40'.
Jun 24 12:36:40.002836 osdx systemd-journald[1663]: Time jumped backwards, rotating.
Jun 24 12:36:40.334115 osdx sudo[135313]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:36:40.338269 osdx systemd-journald[1663]: Runtime Journal (/run/log/journal/a9c8f5b24ca148a6b10e0198640df300) is 2.0M, max 15.3M, 13.3M free.
Jun 24 12:36:40.338856 osdx systemd-journald[1663]: Received client request to rotate journal, rotating.
Jun 24 12:36:40.338900 osdx systemd-journald[1663]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a9c8f5b24ca148a6b10e0198640df300.
Jun 24 12:36:40.342678 osdx sudo[135312]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:36:40.348967 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system journal clear'.
Jun 24 12:36:40.601356 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 24 12:36:40.819407 osdx OSDxCLI[127378]: User 'admin' entered the configuration menu.
Jun 24 12:36:40.898639 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 192.168.100.1/24'.
Jun 24 12:36:41.001635 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set system conntrack logging events all'.
Jun 24 12:36:41.060086 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set system conntrack logging identity OSDx_DUT0'.
Jun 24 12:36:41.181186 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'show working'.
Jun 24 12:36:41.250142 osdx ubnt-cfgd[135338]: inactive
Jun 24 12:36:41.273167 osdx INFO[135346]: FRR daemons did not change
Jun 24 12:36:41.298826 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 24 12:36:41.360195 osdx sudo[135434]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:36:41.391224 osdx systemd[1]: Starting ulogd2.service - Netfilter Userspace Logging Daemon...
Jun 24 12:36:41.392498 osdx systemd[1]: ulogd2.service: Failed to parse PID from file /run/ulog/ulogd.pid: Invalid argument
Jun 24 12:36:41.394864 osdx systemd[1]: Started ulogd2.service - Netfilter Userspace Logging Daemon.
Jun 24 12:36:41.395202 osdx ulogd[135437]: registering plugin `NFCT'
Jun 24 12:36:41.395266 osdx ulogd[135437]: registering plugin `IP2STR'
Jun 24 12:36:41.395320 osdx ulogd[135437]: registering plugin `PRINTFLOW'
Jun 24 12:36:41.395373 osdx ulogd[135437]: registering plugin `SYSLOG'
Jun 24 12:36:41.395378 osdx ulogd[135437]: building new pluginstance stack: 'ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,sys1:SYSLOG'
Jun 24 12:36:41.395431 osdx ulogd[135437]: NFCT plugin working in event mode
Jun 24 12:36:41.395440 osdx OSDx_DUT0[135437]: Changing UID / GID
Jun 24 12:36:41.395531 osdx OSDx_DUT0[135437]: initialization finished, entering main loop
Jun 24 12:36:41.396540 osdx cfgd[1460]: [127378]Completed change to active configuration
Jun 24 12:36:41.409586 osdx OSDxCLI[127378]: User 'admin' committed the configuration.
Jun 24 12:36:41.428604 osdx OSDxCLI[127378]: User 'admin' left the configuration menu.
Jun 24 12:36:42.389113 osdx OSDx_DUT0[135437]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Jun 24 12:36:42.389135 osdx OSDx_DUT0[135437]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Jun 24 12:36:42.492209 osdx OSDx_DUT0[135437]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Jun 24 12:36:42.492236 osdx OSDx_DUT0[135437]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Note
If the identity is not provided, “ulogd” will be used by default.
Step 6: Modify the following configuration lines in DUT0:
delete system conntrack logging identity
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.257 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.257/0.257/0.257/0.000 ms
Step 8: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
ulogd\[.*\]:.*\[((NEW)|(UPDATE)|(DESTROY))\].*SRC=192.168.100.2
Jun 24 12:36:40.000203 osdx systemd-timedated[133272]: Changed local time to Tue 2025-06-24 12:36:40 UTC
Jun 24 12:36:40.002105 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'set date 2025-06-24 12:36:40'.
Jun 24 12:36:40.002836 osdx systemd-journald[1663]: Time jumped backwards, rotating.
Jun 24 12:36:40.334115 osdx sudo[135313]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:36:40.338269 osdx systemd-journald[1663]: Runtime Journal (/run/log/journal/a9c8f5b24ca148a6b10e0198640df300) is 2.0M, max 15.3M, 13.3M free.
Jun 24 12:36:40.338856 osdx systemd-journald[1663]: Received client request to rotate journal, rotating.
Jun 24 12:36:40.338900 osdx systemd-journald[1663]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a9c8f5b24ca148a6b10e0198640df300.
Jun 24 12:36:40.342678 osdx sudo[135312]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:36:40.348967 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system journal clear'.
Jun 24 12:36:40.601356 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 24 12:36:40.819407 osdx OSDxCLI[127378]: User 'admin' entered the configuration menu.
Jun 24 12:36:40.898639 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 192.168.100.1/24'.
Jun 24 12:36:41.001635 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set system conntrack logging events all'.
Jun 24 12:36:41.060086 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set system conntrack logging identity OSDx_DUT0'.
Jun 24 12:36:41.181186 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'show working'.
Jun 24 12:36:41.250142 osdx ubnt-cfgd[135338]: inactive
Jun 24 12:36:41.273167 osdx INFO[135346]: FRR daemons did not change
Jun 24 12:36:41.298826 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 24 12:36:41.360195 osdx sudo[135434]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:36:41.391224 osdx systemd[1]: Starting ulogd2.service - Netfilter Userspace Logging Daemon...
Jun 24 12:36:41.392498 osdx systemd[1]: ulogd2.service: Failed to parse PID from file /run/ulog/ulogd.pid: Invalid argument
Jun 24 12:36:41.394864 osdx systemd[1]: Started ulogd2.service - Netfilter Userspace Logging Daemon.
Jun 24 12:36:41.395202 osdx ulogd[135437]: registering plugin `NFCT'
Jun 24 12:36:41.395266 osdx ulogd[135437]: registering plugin `IP2STR'
Jun 24 12:36:41.395320 osdx ulogd[135437]: registering plugin `PRINTFLOW'
Jun 24 12:36:41.395373 osdx ulogd[135437]: registering plugin `SYSLOG'
Jun 24 12:36:41.395378 osdx ulogd[135437]: building new pluginstance stack: 'ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,sys1:SYSLOG'
Jun 24 12:36:41.395431 osdx ulogd[135437]: NFCT plugin working in event mode
Jun 24 12:36:41.395440 osdx OSDx_DUT0[135437]: Changing UID / GID
Jun 24 12:36:41.395531 osdx OSDx_DUT0[135437]: initialization finished, entering main loop
Jun 24 12:36:41.396540 osdx cfgd[1460]: [127378]Completed change to active configuration
Jun 24 12:36:41.409586 osdx OSDxCLI[127378]: User 'admin' committed the configuration.
Jun 24 12:36:41.428604 osdx OSDxCLI[127378]: User 'admin' left the configuration menu.
Jun 24 12:36:42.389113 osdx OSDx_DUT0[135437]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Jun 24 12:36:42.389135 osdx OSDx_DUT0[135437]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Jun 24 12:36:42.492209 osdx OSDx_DUT0[135437]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Jun 24 12:36:42.492236 osdx OSDx_DUT0[135437]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Jun 24 12:36:42.614765 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system journal show | cat'.
Jun 24 12:36:42.849300 osdx OSDxCLI[127378]: User 'admin' entered the configuration menu.
Jun 24 12:36:42.930057 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'delete system conntrack logging identity'.
Jun 24 12:36:43.002285 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'show changes'.
Jun 24 12:36:43.101217 osdx ubnt-cfgd[135473]: inactive
Jun 24 12:36:43.120836 osdx INFO[135479]: FRR daemons did not change
Jun 24 12:36:43.127381 osdx sudo[135484]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:36:43.132093 osdx OSDx_DUT0[135437]: Terminal signal received, exiting
Jun 24 12:36:43.132198 osdx systemd[1]: Stopping ulogd2.service - Netfilter Userspace Logging Daemon...
Jun 24 12:36:43.132503 osdx systemd[1]: ulogd2.service: Deactivated successfully.
Jun 24 12:36:43.132627 osdx systemd[1]: Stopped ulogd2.service - Netfilter Userspace Logging Daemon.
Jun 24 12:36:43.155420 osdx systemd[1]: Starting ulogd2.service - Netfilter Userspace Logging Daemon...
Jun 24 12:36:43.156100 osdx systemd[1]: Started ulogd2.service - Netfilter Userspace Logging Daemon.
Jun 24 12:36:43.156187 osdx ulogd[135487]: registering plugin `NFCT'
Jun 24 12:36:43.156414 osdx ulogd[135487]: registering plugin `IP2STR'
Jun 24 12:36:43.156483 osdx ulogd[135487]: registering plugin `PRINTFLOW'
Jun 24 12:36:43.156551 osdx ulogd[135487]: registering plugin `SYSLOG'
Jun 24 12:36:43.156588 osdx ulogd[135487]: building new pluginstance stack: 'ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,sys1:SYSLOG'
Jun 24 12:36:43.156657 osdx ulogd[135487]: NFCT plugin working in event mode
Jun 24 12:36:43.156688 osdx ulogd[135487]: Changing UID / GID
Jun 24 12:36:43.156776 osdx ulogd[135487]: initialization finished, entering main loop
Jun 24 12:36:43.157848 osdx cfgd[1460]: [127378]Completed change to active configuration
Jun 24 12:36:43.159378 osdx ulogd[135487]: [DESTROY] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=1 BYTES=84 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=1 BYTES=84
Jun 24 12:36:43.159437 osdx ulogd[135487]: [DESTROY] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=1 BYTES=84 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=1 BYTES=84
Jun 24 12:36:43.159975 osdx OSDxCLI[127378]: User 'admin' committed the configuration.
Jun 24 12:36:43.191591 osdx OSDxCLI[127378]: User 'admin' left the configuration menu.
Jun 24 12:36:43.340960 osdx ulogd[135487]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Jun 24 12:36:43.340981 osdx ulogd[135487]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Policies logging
Description
Set a simple configuration with mark and label traffic policies, send a ping command from one device to the other, and check that the default, mark and label fields appear when running system journal show.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 192.168.100.1/24
set interfaces ethernet eth0 traffic policy in POLICY
set system conntrack logging events all
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic label TEST
set traffic policy POLICY rule 1 set connmark 33
set traffic policy POLICY rule 1 set label TEST
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.362 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.362/0.362/0.362/0.000 ms
Step 4: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 2 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.249 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.238 ms
--- 192.168.100.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1018ms
rtt min/avg/max/mdev = 0.238/0.243/0.249/0.005 ms
Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
ulogd\[.*\]:.*\[((NEW)|(UPDATE)|(DESTROY))\].*MARK=33.*LABELS=TEST
Jun 24 12:36:48.310027 osdx systemd-journald[1663]: Runtime Journal (/run/log/journal/a9c8f5b24ca148a6b10e0198640df300) is 2.1M, max 15.3M, 13.2M free. Jun 24 12:36:48.312123 osdx systemd-journald[1663]: Received client request to rotate journal, rotating. Jun 24 12:36:48.312162 osdx systemd-journald[1663]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a9c8f5b24ca148a6b10e0198640df300. Jun 24 12:36:48.315387 osdx sudo[135622]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped Jun 24 12:36:48.321801 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system journal clear'. Jun 24 12:36:48.547902 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system coredump delete all'. Jun 24 12:36:48.772687 osdx OSDxCLI[127378]: User 'admin' entered the configuration menu. Jun 24 12:36:48.895300 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 traffic policy in POLICY'. Jun 24 12:36:48.949496 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set traffic label TEST'. Jun 24 12:36:49.061668 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set traffic policy POLICY rule 1 set connmark 33'. Jun 24 12:36:49.130914 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set traffic policy POLICY rule 1 set label TEST'. Jun 24 12:36:49.221770 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 192.168.100.1/24'. Jun 24 12:36:49.285536 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set system conntrack logging events all'. Jun 24 12:36:49.412400 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'show working'. 
Jun 24 12:36:49.479873 osdx ubnt-cfgd[135651]: inactive Jun 24 12:36:49.508270 osdx INFO[135665]: FRR daemons did not change Jun 24 12:36:49.532127 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Jun 24 12:36:49.584004 osdx sudo[135753]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped Jun 24 12:36:49.612634 osdx systemd[1]: Starting ulogd2.service - Netfilter Userspace Logging Daemon... Jun 24 12:36:49.613594 osdx systemd[1]: Started ulogd2.service - Netfilter Userspace Logging Daemon. Jun 24 12:36:49.614102 osdx ulogd[135756]: registering plugin `NFCT' Jun 24 12:36:49.614160 osdx ulogd[135756]: registering plugin `IP2STR' Jun 24 12:36:49.614211 osdx ulogd[135756]: registering plugin `PRINTFLOW' Jun 24 12:36:49.614268 osdx ulogd[135756]: registering plugin `SYSLOG' Jun 24 12:36:49.614272 osdx ulogd[135756]: building new pluginstance stack: 'ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,sys1:SYSLOG' Jun 24 12:36:49.614326 osdx ulogd[135756]: NFCT plugin working in event mode Jun 24 12:36:49.614339 osdx ulogd[135756]: Changing UID / GID Jun 24 12:36:49.614429 osdx ulogd[135756]: initialization finished, entering main loop Jun 24 12:36:49.622350 osdx sudo[135759]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped Jun 24 12:36:49.625829 osdx ulogd[135756]: Terminal signal received, exiting Jun 24 12:36:49.625865 osdx systemd[1]: Stopping ulogd2.service - Netfilter Userspace Logging Daemon... Jun 24 12:36:49.626107 osdx systemd[1]: ulogd2.service: Deactivated successfully. Jun 24 12:36:49.626220 osdx systemd[1]: Stopped ulogd2.service - Netfilter Userspace Logging Daemon. Jun 24 12:36:49.627138 osdx systemd[1]: Starting ulogd2.service - Netfilter Userspace Logging Daemon... 
Jun 24 12:36:49.628255 osdx systemd[1]: ulogd2.service: Failed to parse PID from file /run/ulog/ulogd.pid: Invalid argument Jun 24 12:36:49.628784 osdx ulogd[135762]: registering plugin `NFCT' Jun 24 12:36:49.628821 osdx ulogd[135762]: registering plugin `IP2STR' Jun 24 12:36:49.628861 osdx ulogd[135762]: registering plugin `PRINTFLOW' Jun 24 12:36:49.628915 osdx ulogd[135762]: registering plugin `SYSLOG' Jun 24 12:36:49.628918 osdx ulogd[135762]: building new pluginstance stack: 'ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,sys1:SYSLOG' Jun 24 12:36:49.628955 osdx ulogd[135762]: NFCT plugin working in event mode Jun 24 12:36:49.628961 osdx ulogd[135762]: Changing UID / GID Jun 24 12:36:49.629021 osdx ulogd[135762]: initialization finished, entering main loop Jun 24 12:36:49.648168 osdx systemd[1]: Started ulogd2.service - Netfilter Userspace Logging Daemon. Jun 24 12:36:49.817160 osdx cfgd[1460]: [127378]Completed change to active configuration Jun 24 12:36:49.831372 osdx OSDxCLI[127378]: User 'admin' committed the configuration. Jun 24 12:36:49.851338 osdx OSDxCLI[127378]: User 'admin' left the configuration menu. 
Jun 24 12:36:50.707850 osdx ulogd[135762]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 MARK=33 LABELS=TEST
Jun 24 12:36:50.707874 osdx ulogd[135762]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 MARK=33
Jun 24 12:36:50.794429 osdx ulogd[135762]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 MARK=33 LABELS=TEST
Jun 24 12:36:50.794452 osdx ulogd[135762]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 MARK=33
VRF logging
Description
Set a simple configuration with a VRF, send a ping command from one device to the other, and check that the default and VRF fields appear when running system journal show.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 192.168.100.1/24
set interfaces ethernet eth0 vrf RED
set protocols vrf RED static route 0.0.0.0/0 next-hop 192.168.100.2
set system conntrack logging events all
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf RED
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.393 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.393/0.393/0.393/0.000 ms
Step 4: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.306 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.306/0.306/0.306/0.000 ms
Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
ulogd\[.*\]:.*\[((NEW)|(UPDATE)|(DESTROY))\].*VRF=RED
Jun 24 12:36:56.000232 osdx systemd-timedated[133272]: Changed local time to Tue 2025-06-24 12:36:56 UTC Jun 24 12:36:56.000964 osdx systemd-journald[1663]: Time jumped backwards, rotating. Jun 24 12:36:56.001851 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'set date 2025-06-24 12:36:56'. Jun 24 12:36:56.299602 osdx sudo[135965]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped Jun 24 12:36:56.303419 osdx systemd-journald[1663]: Runtime Journal (/run/log/journal/a9c8f5b24ca148a6b10e0198640df300) is 3.3M, max 15.3M, 12.0M free. Jun 24 12:36:56.304877 osdx systemd-journald[1663]: Received client request to rotate journal, rotating. Jun 24 12:36:56.304946 osdx systemd-journald[1663]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a9c8f5b24ca148a6b10e0198640df300. Jun 24 12:36:56.307519 osdx sudo[135964]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped Jun 24 12:36:56.315020 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system journal clear'. Jun 24 12:36:56.538095 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system coredump delete all'. Jun 24 12:36:56.785481 osdx OSDxCLI[127378]: User 'admin' entered the configuration menu. Jun 24 12:36:56.863040 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 vrf RED'. Jun 24 12:36:56.950673 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set protocols vrf RED static route 0.0.0.0/0 next-hop 192.168.100.2'. Jun 24 12:36:57.006622 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set system vrf RED'. Jun 24 12:36:57.110949 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 192.168.100.1/24'. Jun 24 12:36:57.172932 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set system conntrack logging events all'. Jun 24 12:36:57.287469 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'show working'. 
Jun 24 12:36:57.351989 osdx ubnt-cfgd[135992]: inactive Jun 24 12:36:57.376416 osdx INFO[136000]: FRR daemons did not change Jun 24 12:36:57.382703 osdx sudo[136005]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped Jun 24 12:36:57.388511 osdx (udev-worker)[136010]: RED: Could not disable auto negotiation, ignoring: Operation not supported Jun 24 12:36:57.388530 osdx (udev-worker)[136010]: Network interface NamePolicy= disabled on kernel command line. Jun 24 12:36:57.416897 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Jun 24 12:36:57.472900 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Jun 24 12:36:57.607427 osdx sudo[136163]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped Jun 24 12:36:57.633233 osdx systemd[1]: Starting ulogd2.service - Netfilter Userspace Logging Daemon... Jun 24 12:36:57.634254 osdx systemd[1]: Started ulogd2.service - Netfilter Userspace Logging Daemon. Jun 24 12:36:57.634585 osdx ulogd[136166]: registering plugin `NFCT' Jun 24 12:36:57.634817 osdx ulogd[136166]: registering plugin `IP2STR' Jun 24 12:36:57.634903 osdx ulogd[136166]: registering plugin `PRINTFLOW' Jun 24 12:36:57.634992 osdx ulogd[136166]: registering plugin `SYSLOG' Jun 24 12:36:57.635034 osdx ulogd[136166]: building new pluginstance stack: 'ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,sys1:SYSLOG' Jun 24 12:36:57.635116 osdx ulogd[136166]: NFCT plugin working in event mode Jun 24 12:36:57.635150 osdx ulogd[136166]: Changing UID / GID Jun 24 12:36:57.635240 osdx ulogd[136166]: initialization finished, entering main loop Jun 24 12:36:57.635861 osdx cfgd[1460]: [127378]Completed change to active configuration Jun 24 12:36:57.649365 osdx OSDxCLI[127378]: User 'admin' committed the configuration. Jun 24 12:36:57.666636 osdx OSDxCLI[127378]: User 'admin' left the configuration menu. 
Jun 24 12:36:58.676840 osdx ulogd[136166]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 VRF=RED PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 VRF=RED PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Jun 24 12:36:58.676882 osdx ulogd[136166]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 VRF=RED PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 VRF=RED PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Jun 24 12:36:58.776399 osdx ulogd[136166]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 VRF=RED PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 VRF=RED PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Jun 24 12:36:58.776424 osdx ulogd[136166]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 VRF=RED PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 VRF=RED PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Not-Bypass logging
Description
Set a simple configuration with a firewall service, send a ping command from one device to the other, and check that the default and bypass fields appear when running system journal show.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth1 address 10.215.168.64/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.238 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.238/0.238/0.238/0.000 ms
Step 3: Run command file copy http://10.215.168.1/~robot/test-performance.rules running:// force at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   129  100   129    0     0  43684      0 --:--:-- --:--:-- --:--:-- 64500
Step 4: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 192.168.100.1/24
set interfaces ethernet eth0 traffic policy in POLICY
set interfaces ethernet eth1 address 10.215.168.64/24
set service firewall FW mode inline queue FW_Q
set service firewall FW ruleset file 'running://test-performance.rules'
set service firewall FW stream bypass mark 129834765
set service firewall FW stream bypass mask 129834765
set service firewall FW stream bypass set-connmark
set system conntrack logging events all
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY rule 1 action enqueue FW_Q
set traffic queue FW_Q elements 1
Step 5: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.561 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.561/0.561/0.561/0.000 ms
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.334 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.334/0.334/0.334/0.000 ms
Step 8: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
ulogd\[.*\]:.*\[((NEW)|(UPDATE)|(DESTROY))\].*Sc: not-bypass
Jun 24 12:37:03.000213 osdx systemd-timedated[133272]: Changed local time to Tue 2025-06-24 12:37:03 UTC Jun 24 12:37:03.001463 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'set date 2025-06-24 12:37:03'. Jun 24 12:37:03.003012 osdx systemd-journald[1663]: Time jumped backwards, rotating. Jun 24 12:37:03.330391 osdx sudo[136411]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped Jun 24 12:37:03.333738 osdx systemd-journald[1663]: Runtime Journal (/run/log/journal/a9c8f5b24ca148a6b10e0198640df300) is 2.1M, max 15.3M, 13.2M free. Jun 24 12:37:03.335013 osdx systemd-journald[1663]: Received client request to rotate journal, rotating. Jun 24 12:37:03.335065 osdx systemd-journald[1663]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a9c8f5b24ca148a6b10e0198640df300. Jun 24 12:37:03.337992 osdx sudo[136410]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped Jun 24 12:37:03.345906 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system journal clear'. Jun 24 12:37:03.568291 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system coredump delete all'. Jun 24 12:37:03.793553 osdx OSDxCLI[127378]: User 'admin' entered the configuration menu. Jun 24 12:37:03.929251 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set interfaces ethernet eth1 address 10.215.168.64/24'. Jun 24 12:37:04.004029 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'show working'. Jun 24 12:37:04.115214 osdx ubnt-cfgd[136434]: inactive Jun 24 12:37:04.137430 osdx INFO[136442]: FRR daemons did not change Jun 24 12:37:04.163028 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth1 Jun 24 12:37:04.219977 osdx cfgd[1460]: [127378]Completed change to active configuration Jun 24 12:37:04.231200 osdx OSDxCLI[127378]: User 'admin' committed the configuration. Jun 24 12:37:04.252995 osdx OSDxCLI[127378]: User 'admin' left the configuration menu. 
Jun 24 12:37:04.452962 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'. Jun 24 12:37:04.550791 osdx sudo[136556]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped Jun 24 12:37:04.633278 osdx file_operation[136559]: using src url: http://10.215.168.1/~robot/test-performance.rules dst url: running:// Jun 24 12:37:04.665264 osdx sudo[136566]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped Jun 24 12:37:04.667734 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test-performance.rules running:// force'. Jun 24 12:37:04.843572 osdx OSDxCLI[127378]: User 'admin' entered the configuration menu. Jun 24 12:37:04.936323 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 traffic policy in POLICY'. Jun 24 12:37:05.033772 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set service firewall FW mode inline queue FW_Q'. Jun 24 12:37:05.100680 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set service firewall FW ruleset file running://test-performance.rules'. Jun 24 12:37:05.205661 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set service firewall FW stream bypass'. Jun 24 12:37:05.271503 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set service firewall FW stream bypass mark 129834765'. Jun 24 12:37:05.360845 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set service firewall FW stream bypass mask 129834765'. Jun 24 12:37:05.427818 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set service firewall FW stream bypass set-connmark'. Jun 24 12:37:05.540638 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set traffic queue FW_Q elements 1'. Jun 24 12:37:05.616794 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set traffic policy POLICY rule 1 action enqueue FW_Q'. 
Jun 24 12:37:05.743150 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 192.168.100.1/24'. Jun 24 12:37:05.804597 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set system conntrack logging events all'. Jun 24 12:37:05.939635 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'show working'. Jun 24 12:37:06.028664 osdx ubnt-cfgd[136593]: inactive Jun 24 12:37:06.070380 osdx INFO[136610]: FRR daemons did not change Jun 24 12:37:06.095019 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Jun 24 12:37:06.153802 osdx sudo[136698]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped Jun 24 12:37:06.195366 osdx systemd[1]: Starting ulogd2.service - Netfilter Userspace Logging Daemon... Jun 24 12:37:06.196134 osdx systemd[1]: ulogd2.service: Failed to parse PID from file /run/ulog/ulogd.pid: Invalid argument Jun 24 12:37:06.196814 osdx ulogd[136701]: registering plugin `NFCT' Jun 24 12:37:06.197002 osdx ulogd[136701]: registering plugin `IP2STR' Jun 24 12:37:06.197077 osdx ulogd[136701]: registering plugin `PRINTFLOW' Jun 24 12:37:06.197154 osdx ulogd[136701]: registering plugin `SYSLOG' Jun 24 12:37:06.197185 osdx ulogd[136701]: building new pluginstance stack: 'ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,sys1:SYSLOG' Jun 24 12:37:06.197259 osdx ulogd[136701]: NFCT plugin working in event mode Jun 24 12:37:06.197295 osdx ulogd[136701]: Changing UID / GID Jun 24 12:37:06.197401 osdx ulogd[136701]: initialization finished, entering main loop Jun 24 12:37:06.211086 osdx systemd[1]: Started ulogd2.service - Netfilter Userspace Logging Daemon. Jun 24 12:37:06.496333 osdx systemd[1]: Reloading. Jun 24 12:37:06.539021 osdx systemd-sysv-generator[136737]: stat() failed on /etc/init.d/README, ignoring: No such file or directory Jun 24 12:37:06.663419 osdx systemd[1]: Starting logrotate.service - Rotate log files... 
Jun 24 12:37:06.668059 osdx systemd[1]: Created slice system-suricata.slice - Slice /system/suricata. Jun 24 12:37:06.668984 osdx systemd[1]: Starting suricata@FW.service - Suricata client "FW" service... Jun 24 12:37:06.703204 osdx systemd[1]: logrotate.service: Deactivated successfully. Jun 24 12:37:06.703474 osdx systemd[1]: Finished logrotate.service - Rotate log files. Jun 24 12:37:06.962555 osdx systemd[1]: Started suricata@FW.service - Suricata client "FW" service. Jun 24 12:37:07.140837 osdx INFO[136720]: Rules successfully loaded Jun 24 12:37:07.151258 osdx sudo[136763]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped Jun 24 12:37:07.156275 osdx ulogd[136701]: Terminal signal received, exiting Jun 24 12:37:07.156342 osdx systemd[1]: Stopping ulogd2.service - Netfilter Userspace Logging Daemon... Jun 24 12:37:07.156876 osdx systemd[1]: ulogd2.service: Deactivated successfully. Jun 24 12:37:07.156991 osdx systemd[1]: Stopped ulogd2.service - Netfilter Userspace Logging Daemon. Jun 24 12:37:07.183394 osdx systemd[1]: Starting ulogd2.service - Netfilter Userspace Logging Daemon... Jun 24 12:37:07.184236 osdx systemd[1]: Started ulogd2.service - Netfilter Userspace Logging Daemon. 
Jun 24 12:37:07.184327 osdx ulogd[136766]: registering plugin `NFCT' Jun 24 12:37:07.184784 osdx ulogd[136766]: registering plugin `IP2STR' Jun 24 12:37:07.184913 osdx ulogd[136766]: registering plugin `PRINTFLOW' Jun 24 12:37:07.185008 osdx ulogd[136766]: registering plugin `SYSLOG' Jun 24 12:37:07.185046 osdx ulogd[136766]: building new pluginstance stack: 'ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,sys1:SYSLOG' Jun 24 12:37:07.185127 osdx ulogd[136766]: NFCT plugin working in event mode Jun 24 12:37:07.185166 osdx ulogd[136766]: Changing UID / GID Jun 24 12:37:07.185273 osdx ulogd[136766]: initialization finished, entering main loop Jun 24 12:37:07.186006 osdx cfgd[1460]: [127378]Completed change to active configuration Jun 24 12:37:07.198064 osdx OSDxCLI[127378]: User 'admin' committed the configuration. Jun 24 12:37:07.229451 osdx OSDxCLI[127378]: User 'admin' left the configuration menu. Jun 24 12:37:08.126743 osdx ulogd[136766]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 (Sc: not-bypass) Jun 24 12:37:08.126763 osdx ulogd[136766]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 (Sc: not-bypass) Jun 24 12:37:08.226914 osdx ulogd[136766]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 (Sc: not-bypass) Jun 24 12:37:08.226930 osdx ulogd[136766]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 (Sc: not-bypass)
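An added example (not part of the OSDx documentation or its test suite): a small parser for the conntrack event lines shown in the journal output above, splitting each event into its ORIG and REPLY tuples and the optional MARK, LABELS, VRF and Sc fields that these scenarios check for. The function names and the embedded sample, which reuses lines from the output on this page, are choices made for this example.

```python
import re

# Sample input for this example: journal lines reused from the output on this
# page (one per scenario) plus one non-event ulogd line that must be skipped.
SAMPLE_JOURNAL = """\
Jun 24 12:36:42.389113 osdx OSDx_DUT0[135437]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Jun 24 12:36:49.614326 osdx ulogd[135756]: NFCT plugin working in event mode
Jun 24 12:36:50.707850 osdx ulogd[135762]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 MARK=33 LABELS=TEST
Jun 24 12:36:50.707874 osdx ulogd[135762]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 MARK=33
Jun 24 12:36:58.676840 osdx ulogd[136166]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 VRF=RED PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 VRF=RED PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Jun 24 12:37:08.126743 osdx ulogd[136766]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 (Sc: not-bypass)
Jun 24 12:36:43.159378 osdx ulogd[135487]: [DESTROY] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=1 BYTES=84 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=1 BYTES=84
"""

# The syslog tag is not always "ulogd": the journal above shows events tagged
# OSDx_DUT0 until 'delete system conntrack logging identity' is committed, so
# the tag is captured here rather than hard-coded.
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:.]+)\s+(?P<host>\S+)\s+"
    r"(?P<tag>[^\s\[]+)\[(?P<pid>\d+)\]:\s+"
    r"\[(?P<event>NEW|UPDATE|DESTROY)\]\s+ORIG:\s+(?P<orig>.*?)"
    r"\s*,\s*REPLY:\s+(?P<reply>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")       # KEY=value pairs inside a tuple
SC_RE = re.compile(r"\(Sc: ([^)]+)\)")   # firewall verdict, e.g. "(Sc: not-bypass)"
CONN_KEYS = ("MARK", "LABELS")           # per-connection fields printed after REPLY

# Regular expression of the "Policies logging" check, copied from the page.
POLICY_RE = r"ulogd\[.*\]:.*\[((NEW)|(UPDATE)|(DESTROY))\].*MARK=33.*LABELS=TEST"


def parse_event(line):
    """Return a dict for a conntrack event line, or None for any other line."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    orig = dict(KV_RE.findall(m["orig"]))
    reply = dict(KV_RE.findall(m["reply"]))
    # MARK and LABELS follow the REPLY tuple in the log line but describe the
    # connection as a whole, so they are moved out of the reply dictionary.
    conn = {k: reply.pop(k) for k in CONN_KEYS if k in reply}
    sc = SC_RE.search(m["reply"])
    return {
        "time": m["ts"],
        "tag": m["tag"],
        "pid": int(m["pid"]),
        "event": m["event"],
        "orig": orig,
        "reply": reply,
        "mark": conn.get("MARK"),
        "labels": conn.get("LABELS"),
        "vrf": orig.get("VRF"),
        "sc": sc.group(1) if sc else None,
    }


def parse_journal(text):
    """Parse every conntrack event found in a block of journal text."""
    return [e for e in map(parse_event, text.splitlines()) if e is not None]


def lines_matching(text, pattern):
    """Journal lines that satisfy one of the page's regular expressions."""
    rx = re.compile(pattern)
    return [ln for ln in text.splitlines() if rx.search(ln)]


if __name__ == "__main__":
    for ev in parse_journal(SAMPLE_JOURNAL):
        print(ev["time"], ev["tag"], ev["event"],
              ev["orig"]["SRC"], "->", ev["orig"]["DST"],
              "mark=%s labels=%s vrf=%s sc=%s"
              % (ev["mark"], ev["labels"], ev["vrf"], ev["sc"]))
    print("lines matching the policy regex:",
          len(lines_matching(SAMPLE_JOURNAL, POLICY_RE)))
```

On this sample the MARK=33.*LABELS=TEST expression matches only the [NEW] line, because the [UPDATE] event for the same flow carries MARK=33 without LABELS.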
Offload flag
Description
Set a simple configuration with DUT0 as an intermediary between DUT1 and DUT2. Initiate an SSH connection from DUT1 to DUT2 and check that the default and offload fields appear when running system journal show.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 192.168.100.1/24
set interfaces ethernet eth1 address 192.168.200.1/24
set system conntrack logging events all
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT2:
set interfaces ethernet eth0 address 192.168.200.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.200.1
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.383 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.383/0.383/0.383/0.000 ms
Step 5: Ping IP address 192.168.200.1 from DUT2:
admin@DUT2$ ping 192.168.200.1 count 1 size 56 timeout 1
PING 192.168.200.1 (192.168.200.1) 56(84) bytes of data.
64 bytes from 192.168.200.1: icmp_seq=1 ttl=64 time=0.341 ms
--- 192.168.200.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.341/0.341/0.341/0.000 ms
Step 6: Initiate an SSH connection from DUT1 to IP address 192.168.200.2 with the user admin:
admin@DUT1$ ssh admin@192.168.200.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '192.168.200.2' (ECDSA) to the list of known hosts.
admin@192.168.200.2's password:
Welcome to Teldat OSDx v4.2.6.1
This system includes free software.
Contact Teldat for licenses information and source code.
Last login: Tue Jun 24 12:05:35 2025 from 10.0.0.2
admin@osdx$
Step 7: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
ulogd\[.*\]:.*\[((NEW)|(UPDATE)|(DESTROY))\].*\[OFFLOAD\]
Jun 24 12:37:15.298933 osdx systemd-journald[1663]: Runtime Journal (/run/log/journal/a9c8f5b24ca148a6b10e0198640df300) is 2.1M, max 15.3M, 13.1M free.
Jun 24 12:37:15.300689 osdx systemd-journald[1663]: Received client request to rotate journal, rotating.
Jun 24 12:37:15.300758 osdx systemd-journald[1663]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a9c8f5b24ca148a6b10e0198640df300.
Jun 24 12:37:15.302969 osdx sudo[137019]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:37:15.309086 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system journal clear'.
Jun 24 12:37:15.528760 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 24 12:37:15.860995 osdx OSDxCLI[127378]: User 'admin' entered the configuration menu.
Jun 24 12:37:15.954187 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set interfaces ethernet eth1 address 192.168.200.1/24'.
Jun 24 12:37:16.030788 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 192.168.100.1/24'.
Jun 24 12:37:16.128819 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set system conntrack logging events all'.
Jun 24 12:37:16.200587 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'show working'.
Jun 24 12:37:16.303004 osdx ubnt-cfgd[137045]: inactive
Jun 24 12:37:16.326684 osdx INFO[137055]: FRR daemons did not change
Jun 24 12:37:16.348693 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth1
Jun 24 12:37:16.408725 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 24 12:37:16.466742 osdx sudo[137218]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:37:16.493142 osdx systemd[1]: Starting ulogd2.service - Netfilter Userspace Logging Daemon...
Jun 24 12:37:16.493800 osdx systemd[1]: Started ulogd2.service - Netfilter Userspace Logging Daemon.
Jun 24 12:37:16.493849 osdx ulogd[137221]: registering plugin `NFCT'
Jun 24 12:37:16.493886 osdx ulogd[137221]: registering plugin `IP2STR'
Jun 24 12:37:16.493920 osdx ulogd[137221]: registering plugin `PRINTFLOW'
Jun 24 12:37:16.493963 osdx ulogd[137221]: registering plugin `SYSLOG'
Jun 24 12:37:16.493966 osdx ulogd[137221]: building new pluginstance stack: 'ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,sys1:SYSLOG'
Jun 24 12:37:16.494006 osdx ulogd[137221]: NFCT plugin working in event mode
Jun 24 12:37:16.494012 osdx ulogd[137221]: Changing UID / GID
Jun 24 12:37:16.494077 osdx ulogd[137221]: initialization finished, entering main loop
Jun 24 12:37:16.495615 osdx cfgd[1460]: [127378]Completed change to active configuration
Jun 24 12:37:16.509963 osdx OSDxCLI[127378]: User 'admin' committed the configuration.
Jun 24 12:37:16.531502 osdx OSDxCLI[127378]: User 'admin' left the configuration menu.
Jun 24 12:37:18.253635 osdx ulogd[137221]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Jun 24 12:37:18.253657 osdx ulogd[137221]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Jun 24 12:37:18.339255 osdx ulogd[137221]: [NEW] ORIG: SRC=192.168.200.2 DST=192.168.200.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.200.1 DST=192.168.200.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Jun 24 12:37:18.339275 osdx ulogd[137221]: [UPDATE] ORIG: SRC=192.168.200.2 DST=192.168.200.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.200.1 DST=192.168.200.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0
Jun 24 12:37:18.418602 osdx ulogd[137221]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.200.2 PROTO=TCP SPT=54328 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.200.2 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=54328 PKTS=0 BYTES=0
Jun 24 12:37:18.418806 osdx ulogd[137221]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.200.2 PROTO=TCP SPT=54328 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.200.2 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=54328 PKTS=0 BYTES=0
Jun 24 12:37:18.418820 osdx ulogd[137221]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.200.2 PROTO=TCP SPT=54328 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.200.2 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=54328 PKTS=0 BYTES=0 [OFFLOAD]
Jun 24 12:37:18.696930 osdx ulogd[137221]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.200.2 PROTO=TCP SPT=54328 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.200.2 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=54328 PKTS=0 BYTES=0
Jun 24 12:37:18.696958 osdx ulogd[137221]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.200.2 PROTO=TCP SPT=54328 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.200.2 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=54328 PKTS=0 BYTES=0 [OFFLOAD]
Jun 24 12:37:18.698747 osdx ulogd[137221]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.200.2 PROTO=TCP SPT=54328 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.200.2 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=54328 PKTS=0 BYTES=0
Jun 24 12:37:18.698857 osdx ulogd[137221]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.200.2 PROTO=TCP SPT=54328 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.200.2 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=54328 PKTS=0 BYTES=0 [OFFLOAD]
App detect logging
Description
Set a simple configuration enabling app detection in system conntrack, send a ping from DUT1 and check that the app detect field appears when running system journal show. After that, enable app detection in system conntrack for HTTP host, copy index.html from an HTTP server and check that the app detect field appears and belongs to the HTTP server when running system journal show.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 192.168.100.1/24
set system conntrack app-detect
set system conntrack logging events all
set system conntrack timeout icmp 1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.424 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.424/0.424/0.424/0.000 ms
Step 4: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.266 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.271 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.274 ms
--- 192.168.100.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2046ms
rtt min/avg/max/mdev = 0.266/0.270/0.274/0.003 ms
Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
ulogd\[.*\]:.*\[NEW\].*APPDETECT\[L3:1\]
Jun 24 12:37:23.000207 osdx systemd-timedated[133272]: Changed local time to Tue 2025-06-24 12:37:23 UTC
Jun 24 12:37:23.001613 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'set date 2025-06-24 12:37:23'.
Jun 24 12:37:23.003552 osdx systemd-journald[1663]: Time jumped backwards, rotating.
Jun 24 12:37:23.380517 osdx sudo[137411]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:37:23.384451 osdx systemd-journald[1663]: Runtime Journal (/run/log/journal/a9c8f5b24ca148a6b10e0198640df300) is 2.0M, max 15.3M, 13.3M free.
Jun 24 12:37:23.387564 osdx systemd-journald[1663]: Received client request to rotate journal, rotating.
Jun 24 12:37:23.387623 osdx systemd-journald[1663]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a9c8f5b24ca148a6b10e0198640df300.
Jun 24 12:37:23.388771 osdx sudo[137410]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:37:23.395069 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system journal clear'.
Jun 24 12:37:23.628234 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 24 12:37:23.890478 osdx OSDxCLI[127378]: User 'admin' entered the configuration menu.
Jun 24 12:37:23.954887 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set system conntrack app-detect'.
Jun 24 12:37:24.054351 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set system conntrack timeout icmp 1'.
Jun 24 12:37:24.200116 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 192.168.100.1/24'.
Jun 24 12:37:24.306597 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set system conntrack logging events all'.
Jun 24 12:37:24.392036 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'show working'.
Jun 24 12:37:24.498023 osdx ubnt-cfgd[137437]: inactive
Jun 24 12:37:24.519613 osdx INFO[137445]: FRR daemons did not change
Jun 24 12:37:24.691558 osdx kernel: app-detect: module init
Jun 24 12:37:24.691616 osdx kernel: app-detect: registered: sysctl net.appdetect
Jun 24 12:37:24.691630 osdx kernel: app-detect: expression init
Jun 24 12:37:24.691643 osdx kernel: app-detect: appid cache initialized
Jun 24 12:37:24.691655 osdx kernel: app-detect: appid cache changes counter initialized
Jun 24 12:37:24.697001 osdx modulelauncher[137448]: AppDetect: no change in application dictionaries, thus nothing more to do
Jun 24 12:37:24.719561 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 24 12:37:24.780250 osdx sudo[137555]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:37:24.803793 osdx systemd[1]: Starting ulogd2.service - Netfilter Userspace Logging Daemon...
Jun 24 12:37:24.804584 osdx systemd[1]: Started ulogd2.service - Netfilter Userspace Logging Daemon.
Jun 24 12:37:24.805053 osdx ulogd[137558]: registering plugin `NFCT'
Jun 24 12:37:24.805295 osdx ulogd[137558]: registering plugin `IP2STR'
Jun 24 12:37:24.805413 osdx ulogd[137558]: registering plugin `PRINTFLOW'
Jun 24 12:37:24.805508 osdx ulogd[137558]: registering plugin `SYSLOG'
Jun 24 12:37:24.805547 osdx ulogd[137558]: building new pluginstance stack: 'ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,sys1:SYSLOG'
Jun 24 12:37:24.805634 osdx ulogd[137558]: NFCT plugin working in event mode
Jun 24 12:37:24.805679 osdx ulogd[137558]: Changing UID / GID
Jun 24 12:37:24.805734 osdx cfgd[1460]: [127378]Completed change to active configuration
Jun 24 12:37:24.805795 osdx ulogd[137558]: initialization finished, entering main loop
Jun 24 12:37:24.818439 osdx OSDxCLI[127378]: User 'admin' committed the configuration.
Jun 24 12:37:24.846643 osdx OSDxCLI[127378]: User 'admin' left the configuration menu.
Jun 24 12:37:25.747772 osdx ulogd[137558]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 APPDETECT[L3:1]
Jun 24 12:37:25.747794 osdx ulogd[137558]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 APPDETECT[L3:1]
Jun 24 12:37:25.865491 osdx ulogd[137558]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 APPDETECT[L3:1]
Jun 24 12:37:25.865509 osdx ulogd[137558]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 APPDETECT[L3:1]
Jun 24 12:37:26.887819 osdx ulogd[137558]: [DESTROY] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=1 BYTES=84 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=1 BYTES=84 APPDETECT[L3:1]
Jun 24 12:37:26.887836 osdx ulogd[137558]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 APPDETECT[L3:1]
Jun 24 12:37:26.887848 osdx ulogd[137558]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 APPDETECT[L3:1]
Jun 24 12:37:27.911825 osdx ulogd[137558]: [DESTROY] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=1 BYTES=84 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=1 BYTES=84 APPDETECT[L3:1]
Jun 24 12:37:27.911841 osdx ulogd[137558]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 APPDETECT[L3:1]
Jun 24 12:37:27.911852 osdx ulogd[137558]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 APPDETECT[L3:1]
Step 6: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
ulogd\[.*\]:.*\[UPDATE\].*APPDETECT\[L3:1\]
Step 7: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
ulogd\[.*\]:.*\[DESTROY\].*APPDETECT\[L3:1\]
Step 8: Modify the following configuration lines in DUT0:
set interfaces ethernet eth1 address 10.215.168.64/24
set system conntrack app-detect http-host
Step 9: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.228 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.228/0.228/0.228/0.000 ms
Step 10: Run command file copy http://10.215.168.1/~robot/ running://index.html at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   972    0   972    0     0   421k      0 --:--:-- --:--:-- --:--:--  474k
Step 11: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
ulogd\[.*\]:.*\[((NEW)|(UPDATE)|(DESTROY))\].*APPDETECT\[L4:80 http-host:10.215.168.1\]
Jun 24 12:37:23.000207 osdx systemd-timedated[133272]: Changed local time to Tue 2025-06-24 12:37:23 UTC
Jun 24 12:37:23.001613 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'set date 2025-06-24 12:37:23'.
Jun 24 12:37:23.003552 osdx systemd-journald[1663]: Time jumped backwards, rotating.
Jun 24 12:37:23.380517 osdx sudo[137411]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:37:23.384451 osdx systemd-journald[1663]: Runtime Journal (/run/log/journal/a9c8f5b24ca148a6b10e0198640df300) is 2.0M, max 15.3M, 13.3M free.
Jun 24 12:37:23.387564 osdx systemd-journald[1663]: Received client request to rotate journal, rotating.
Jun 24 12:37:23.387623 osdx systemd-journald[1663]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a9c8f5b24ca148a6b10e0198640df300.
Jun 24 12:37:23.388771 osdx sudo[137410]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:37:23.395069 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system journal clear'.
Jun 24 12:37:23.628234 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 24 12:37:23.890478 osdx OSDxCLI[127378]: User 'admin' entered the configuration menu.
Jun 24 12:37:23.954887 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set system conntrack app-detect'.
Jun 24 12:37:24.054351 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set system conntrack timeout icmp 1'.
Jun 24 12:37:24.200116 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 192.168.100.1/24'.
Jun 24 12:37:24.306597 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set system conntrack logging events all'.
Jun 24 12:37:24.392036 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'show working'.
Jun 24 12:37:24.498023 osdx ubnt-cfgd[137437]: inactive
Jun 24 12:37:24.519613 osdx INFO[137445]: FRR daemons did not change
Jun 24 12:37:24.691558 osdx kernel: app-detect: module init
Jun 24 12:37:24.691616 osdx kernel: app-detect: registered: sysctl net.appdetect
Jun 24 12:37:24.691630 osdx kernel: app-detect: expression init
Jun 24 12:37:24.691643 osdx kernel: app-detect: appid cache initialized
Jun 24 12:37:24.691655 osdx kernel: app-detect: appid cache changes counter initialized
Jun 24 12:37:24.697001 osdx modulelauncher[137448]: AppDetect: no change in application dictionaries, thus nothing more to do
Jun 24 12:37:24.719561 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 24 12:37:24.780250 osdx sudo[137555]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:37:24.803793 osdx systemd[1]: Starting ulogd2.service - Netfilter Userspace Logging Daemon...
Jun 24 12:37:24.804584 osdx systemd[1]: Started ulogd2.service - Netfilter Userspace Logging Daemon.
Jun 24 12:37:24.805053 osdx ulogd[137558]: registering plugin `NFCT'
Jun 24 12:37:24.805295 osdx ulogd[137558]: registering plugin `IP2STR'
Jun 24 12:37:24.805413 osdx ulogd[137558]: registering plugin `PRINTFLOW'
Jun 24 12:37:24.805508 osdx ulogd[137558]: registering plugin `SYSLOG'
Jun 24 12:37:24.805547 osdx ulogd[137558]: building new pluginstance stack: 'ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,sys1:SYSLOG'
Jun 24 12:37:24.805634 osdx ulogd[137558]: NFCT plugin working in event mode
Jun 24 12:37:24.805679 osdx ulogd[137558]: Changing UID / GID
Jun 24 12:37:24.805734 osdx cfgd[1460]: [127378]Completed change to active configuration
Jun 24 12:37:24.805795 osdx ulogd[137558]: initialization finished, entering main loop
Jun 24 12:37:24.818439 osdx OSDxCLI[127378]: User 'admin' committed the configuration.
Jun 24 12:37:24.846643 osdx OSDxCLI[127378]: User 'admin' left the configuration menu.
Jun 24 12:37:25.747772 osdx ulogd[137558]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 APPDETECT[L3:1]
Jun 24 12:37:25.747794 osdx ulogd[137558]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 APPDETECT[L3:1]
Jun 24 12:37:25.865491 osdx ulogd[137558]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 APPDETECT[L3:1]
Jun 24 12:37:25.865509 osdx ulogd[137558]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 APPDETECT[L3:1]
Jun 24 12:37:26.887819 osdx ulogd[137558]: [DESTROY] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=1 BYTES=84 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=1 BYTES=84 APPDETECT[L3:1]
Jun 24 12:37:26.887836 osdx ulogd[137558]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 APPDETECT[L3:1]
Jun 24 12:37:26.887848 osdx ulogd[137558]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 APPDETECT[L3:1]
Jun 24 12:37:27.911825 osdx ulogd[137558]: [DESTROY] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=1 BYTES=84 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=1 BYTES=84 APPDETECT[L3:1]
Jun 24 12:37:27.911841 osdx ulogd[137558]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 APPDETECT[L3:1]
Jun 24 12:37:27.911852 osdx ulogd[137558]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 APPDETECT[L3:1]
Jun 24 12:37:28.026829 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system journal show | cat'.
Jun 24 12:37:28.151518 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system journal show | cat'.
Jun 24 12:37:28.274954 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system journal show | cat'.
Jun 24 12:37:28.422416 osdx OSDxCLI[127378]: User 'admin' entered the configuration menu.
Jun 24 12:37:28.514912 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set interfaces ethernet eth1 address 10.215.168.64/24'.
Jun 24 12:37:28.607158 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jun 24 12:37:28.692825 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'show changes'.
Jun 24 12:37:28.805000 osdx ubnt-cfgd[137609]: inactive
Jun 24 12:37:28.827702 osdx INFO[137617]: FRR daemons did not change
Jun 24 12:37:28.867557 osdx kernel: app-detect: expression destroy
Jun 24 12:37:28.875556 osdx kernel: app-detect: expression init
Jun 24 12:37:28.875592 osdx kernel: app-detect: appid cache initialized
Jun 24 12:37:28.875602 osdx kernel: app-detect: appid cache changes counter initialized
Jun 24 12:37:28.879508 osdx modulelauncher[137620]: AppDetect: no change in application dictionaries, thus nothing more to do
Jun 24 12:37:28.899557 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth1
Jun 24 12:37:28.950759 osdx cfgd[1460]: [127378]Completed change to active configuration
Jun 24 12:37:28.964190 osdx ulogd[137558]: [DESTROY] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=1 BYTES=84 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=1 BYTES=84 APPDETECT[L3:1]
Jun 24 12:37:28.964477 osdx ulogd[137558]: [DESTROY] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=1 BYTES=84 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=1 BYTES=84 APPDETECT[L3:1]
Jun 24 12:37:28.965162 osdx OSDxCLI[127378]: User 'admin' committed the configuration.
Jun 24 12:37:28.988620 osdx OSDxCLI[127378]: User 'admin' left the configuration menu.
Jun 24 12:37:29.152781 osdx ulogd[137558]: [NEW] ORIG: SRC=10.215.168.64 DST=10.215.168.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=10.215.168.1 DST=10.215.168.64 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 APPDETECT[L3:1]
Jun 24 12:37:29.153011 osdx ulogd[137558]: [UPDATE] ORIG: SRC=10.215.168.64 DST=10.215.168.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=10.215.168.1 DST=10.215.168.64 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 APPDETECT[L3:1]
Jun 24 12:37:29.154999 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 24 12:37:29.228151 osdx sudo[137744]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:37:29.294877 osdx file_operation[137747]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html
Jun 24 12:37:29.297001 osdx ulogd[137558]: [NEW] ORIG: SRC=10.215.168.64 DST=10.215.168.1 PROTO=TCP SPT=55602 DPT=80 PKTS=0 BYTES=0 , REPLY: SRC=10.215.168.1 DST=10.215.168.64 PROTO=TCP SPT=80 DPT=55602 PKTS=0 BYTES=0 APPDETECT[L4:80]
Jun 24 12:37:29.297207 osdx ulogd[137558]: [UPDATE] ORIG: SRC=10.215.168.64 DST=10.215.168.1 PROTO=TCP SPT=55602 DPT=80 PKTS=0 BYTES=0 , REPLY: SRC=10.215.168.1 DST=10.215.168.64 PROTO=TCP SPT=80 DPT=55602 PKTS=0 BYTES=0 APPDETECT[L4:80]
Jun 24 12:37:29.297223 osdx ulogd[137558]: [UPDATE] ORIG: SRC=10.215.168.64 DST=10.215.168.1 PROTO=TCP SPT=55602 DPT=80 PKTS=0 BYTES=0 , REPLY: SRC=10.215.168.1 DST=10.215.168.64 PROTO=TCP SPT=80 DPT=55602 PKTS=0 BYTES=0 APPDETECT[L4:80]
Jun 24 12:37:29.298018 osdx ulogd[137558]: [UPDATE] ORIG: SRC=10.215.168.64 DST=10.215.168.1 PROTO=TCP SPT=55602 DPT=80 PKTS=0 BYTES=0 , REPLY: SRC=10.215.168.1 DST=10.215.168.64 PROTO=TCP SPT=80 DPT=55602 PKTS=0 BYTES=0 APPDETECT[L4:80 http-host:10.215.168.1]
Jun 24 12:37:29.298146 osdx ulogd[137558]: [UPDATE] ORIG: SRC=10.215.168.64 DST=10.215.168.1 PROTO=TCP SPT=55602 DPT=80 PKTS=0 BYTES=0 , REPLY: SRC=10.215.168.1 DST=10.215.168.64 PROTO=TCP SPT=80 DPT=55602 PKTS=0 BYTES=0 APPDETECT[L4:80 http-host:10.215.168.1]
Jun 24 12:37:29.298162 osdx ulogd[137558]: [UPDATE] ORIG: SRC=10.215.168.64 DST=10.215.168.1 PROTO=TCP SPT=55602 DPT=80 PKTS=0 BYTES=0 , REPLY: SRC=10.215.168.1 DST=10.215.168.64 PROTO=TCP SPT=80 DPT=55602 PKTS=0 BYTES=0 APPDETECT[L4:80 http-host:10.215.168.1]
Jun 24 12:37:29.316979 osdx sudo[137754]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:37:29.318849 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html'.
App Detect Drop Packet
Description
Set a traffic policy with action drop for all packets matching an app-id specified by a traffic selector.
Enable the http-host and http-url options in the system conntrack app-detect path in order to see relevant information about HTTP packets.
Finally, log those packets with the app-id option and check that the APPDETECT field appears in the journal when running system journal show.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth1 address 10.215.168.64/24
set interfaces ethernet eth1 traffic policy out DROP
set system conntrack app-detect dictionary 130 custom app-id 155 fqdn 10.215.168.1
set system conntrack app-detect enable_dict_match_priv_ip
set system conntrack app-detect http-host
set system conntrack app-detect http-url
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy DROP rule 1 action drop
set traffic policy DROP rule 1 log app-id
set traffic policy DROP rule 1 selector APPID
set traffic selector APPID rule 1 app-id custom 155
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.206 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.206/0.206/0.206/0.000 ms
Step 3: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
osdx kernel:.*APPDETECT\[U:155 http-url:/~robot/ http-host:10.215.168.1\]
Jun 24 12:37:34.345364 osdx systemd-journald[1663]: Runtime Journal (/run/log/journal/a9c8f5b24ca148a6b10e0198640df300) is 2.1M, max 15.3M, 13.2M free.
Jun 24 12:37:34.345859 osdx systemd-journald[1663]: Received client request to rotate journal, rotating.
Jun 24 12:37:34.345895 osdx systemd-journald[1663]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a9c8f5b24ca148a6b10e0198640df300.
Jun 24 12:37:34.351054 osdx sudo[137934]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:37:34.358282 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system journal clear'.
Jun 24 12:37:34.621381 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 24 12:37:34.906459 osdx OSDxCLI[127378]: User 'admin' entered the configuration menu.
Jun 24 12:37:34.972458 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 130 custom app-id 155 fqdn 10.215.168.1'.
Jun 24 12:37:35.091741 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set system conntrack app-detect enable_dict_match_priv_ip'.
Jun 24 12:37:35.153068 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-url'.
Jun 24 12:37:35.255860 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set traffic selector APPID rule 1 app-id custom 155'.
Jun 24 12:37:35.313774 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set traffic policy DROP rule 1 selector APPID'.
Jun 24 12:37:35.404633 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set traffic policy DROP rule 1 action drop'.
Jun 24 12:37:35.473090 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set traffic policy DROP rule 1 log app-id'.
Jun 24 12:37:35.615170 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set interfaces ethernet eth1 traffic policy out DROP'.
Jun 24 12:37:35.668197 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set interfaces ethernet eth1 address 10.215.168.64/24'.
Jun 24 12:37:35.768970 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jun 24 12:37:35.852888 osdx OSDxCLI[127378]: User 'admin' added a new cfg line: 'show working'.
Jun 24 12:37:35.955342 osdx ubnt-cfgd[137967]: inactive
Jun 24 12:37:35.996394 osdx INFO[137989]: FRR daemons did not change
Jun 24 12:37:36.157691 osdx kernel: app-detect: module init
Jun 24 12:37:36.157754 osdx kernel: app-detect: registered: sysctl net.appdetect
Jun 24 12:37:36.157770 osdx kernel: app-detect: expression init
Jun 24 12:37:36.157783 osdx kernel: app-detect: appid cache initialized
Jun 24 12:37:36.157796 osdx kernel: app-detect: appid cache changes counter initialized
Jun 24 12:37:36.176827 osdx sudo[138018]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:37:36.197687 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth1
Jun 24 12:37:36.438864 osdx cfgd[1460]: [127378]Completed change to active configuration
Jun 24 12:37:36.452339 osdx OSDxCLI[127378]: User 'admin' committed the configuration.
Jun 24 12:37:36.470944 osdx OSDxCLI[127378]: User 'admin' left the configuration menu.
Jun 24 12:37:36.644352 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 24 12:37:36.709942 osdx sudo[138156]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:37:36.788945 osdx file_operation[138159]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html
Jun 24 12:37:36.793682 osdx kernel: [DROP-1] DROP IN= OUT=eth1 SRC=10.215.168.64 DST=10.215.168.1 LEN=306 TOS=0x00 PREC=0x00 TTL=64 ID=44679 DF PROTO=TCP SPT=50344 DPT=80 WINDOW=502 RES=0x00 ACK PSH URGP=0 APPDETECT[U:155 http-url:/~robot/ http-host:10.215.168.1]
Jun 24 12:37:36.997687 osdx kernel: [DROP-1] DROP IN= OUT=eth1 SRC=10.215.168.64 DST=10.215.168.1 LEN=306 TOS=0x00 PREC=0x00 TTL=64 ID=44680 DF PROTO=TCP SPT=50344 DPT=80 WINDOW=502 RES=0x00 ACK PSH URGP=0 APPDETECT[U:155 http-url:/~robot/ http-host:10.215.168.1]
Jun 24 12:37:37.401794 osdx kernel: [DROP-1] DROP IN= OUT=eth1 SRC=10.215.168.64 DST=10.215.168.1 LEN=306 TOS=0x00 PREC=0x00 TTL=64 ID=44681 DF PROTO=TCP SPT=50344 DPT=80 WINDOW=502 RES=0x00 ACK PSH URGP=0 APPDETECT[U:155 http-url:/~robot/ http-host:10.215.168.1]
Jun 24 12:37:38.233742 osdx kernel: [DROP-1] DROP IN= OUT=eth1 SRC=10.215.168.64 DST=10.215.168.1 LEN=306 TOS=0x00 PREC=0x00 TTL=64 ID=44682 DF PROTO=TCP SPT=50344 DPT=80 WINDOW=502 RES=0x00 ACK PSH URGP=0 APPDETECT[U:155 http-url:/~robot/ http-host:10.215.168.1]
Jun 24 12:37:39.794234 osdx file_operation.py[138159]: Operation aborted by user.
Jun 24 12:37:39.805728 osdx kernel: [DROP-1] DROP IN= OUT=eth1 SRC=10.215.168.64 DST=10.215.168.1 LEN=306 TOS=0x00 PREC=0x00 TTL=64 ID=44683 DF PROTO=TCP SPT=50344 DPT=80 WINDOW=502 RES=0x00 ACK PSH FIN URGP=0 APPDETECT[U:155 http-url:/~robot/ http-host:10.215.168.1]
Jun 24 12:37:39.808287 osdx sudo[138164]: pam_limits(sudo:session): invalid line '@200:215 hard maxlogins ' - skipped
Jun 24 12:37:39.810333 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html'.
Jun 24 12:37:39.869695 osdx kernel: [DROP-1] DROP IN= OUT=eth1 SRC=10.215.168.64 DST=10.215.168.1 LEN=306 TOS=0x00 PREC=0x00 TTL=64 ID=44684 DF PROTO=TCP SPT=50344 DPT=80 WINDOW=502 RES=0x00 ACK PSH FIN URGP=0 APPDETECT[U:155 http-url:/~robot/ http-host:10.215.168.1]
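The Step 3 check, generalized from a single regular expression to a parser that extracts the policy, rule, flow and APPDETECT fields and counts drops per flow. This is an added example, not part of the OSDx documentation: the function names and the `kind`/`app_id` keys are hypothetical, and the `[<policy>-<rule>] <ACTION>` prefix layout is inferred from the sample output.

```python
import re
from collections import Counter

# Kernel policy log line; the "[<policy>-<rule>] <ACTION>" prefix is inferred from the sample.
DROP_RE = re.compile(
    r"kernel: \[(?P<policy>[^\]]+)-(?P<rule>\d+)\] (?P<action>[A-Z]+) "
    r".*?\bSRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?\bPROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
    r".*?APPDETECT\[(?P<appdetect>[^\]]*)\]"
)


def parse_appdetect(field):
    """Split 'U:155 http-url:/~robot/ http-host:10.215.168.1' into a dict."""
    tokens = field.split()
    if not tokens:
        return {}
    kind, _, app_id = tokens[0].partition(":")
    parsed = {"kind": kind, "app_id": app_id}
    for token in tokens[1:]:
        key, _, value = token.partition(":")  # first colon only; values may hold ':'
        parsed[key] = value
    return parsed


def parse_drop(line):
    """Return a flat dict for a policy log line, or None for other journal lines."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    event = m.groupdict()
    event.update(parse_appdetect(event.pop("appdetect")))
    return event


def summarize(lines):
    """Count logged packets per (policy, rule, dst, dport, app-id, host, URL)."""
    counts = Counter()
    for event in filter(None, map(parse_drop, lines)):
        counts[(event["policy"], event["rule"], event["dst"], event["dpt"],
                event["app_id"], event.get("http-host"), event.get("http-url"))] += 1
    return counts


SAMPLE = [  # three lines copied from the journal output above: two drops, one CLI audit line
    "Jun 24 12:37:36.793682 osdx kernel: [DROP-1] DROP IN= OUT=eth1 SRC=10.215.168.64 DST=10.215.168.1 LEN=306 TOS=0x00 PREC=0x00 TTL=64 ID=44679 DF PROTO=TCP SPT=50344 DPT=80 WINDOW=502 RES=0x00 ACK PSH URGP=0 APPDETECT[U:155 http-url:/~robot/ http-host:10.215.168.1]",
    "Jun 24 12:37:39.805728 osdx kernel: [DROP-1] DROP IN= OUT=eth1 SRC=10.215.168.64 DST=10.215.168.1 LEN=306 TOS=0x00 PREC=0x00 TTL=64 ID=44683 DF PROTO=TCP SPT=50344 DPT=80 WINDOW=502 RES=0x00 ACK PSH FIN URGP=0 APPDETECT[U:155 http-url:/~robot/ http-host:10.215.168.1]",
    "Jun 24 12:37:39.810333 osdx OSDxCLI[127378]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html'.",
]
```

The http-host and http-url values are taken from the HTTP request itself, so treat them as untrusted strings when forwarding events downstream. This parser also stops at the first `]` and splits on whitespace, so a URL containing either would be truncated.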