Provided by: natlog_3.00.01-1build2_amd64 
NAME
natlog - source-nat logging tool
SYNOPSIS
natlog [OPTIONS] command
DESCRIPTION
Firewalls like iptables(1) may offer POSTROUTING (source network address translation, snat) facilities
changing the source address of a host behind the firewall to the address of the host connected to the
outer world. With snat the following combinations of IP addresses and port numbers are encountered:
o the IP address and port number used by the host protected by (i.e., behind) the firewall initiates
a connection to the outer world (the source host, in this manual page referred to as IPsrc,
sport);
o the IP address and port number of the host outside (i.e., before) the firewall that IPsrc connects
to (the destination host, in this manual page referred to as IPdst, dport);
o the IP address and port number of the host where the firewall has been installed. This host
performs the source natting, and its IP-address and the port it uses when forwarding IPsrc,
sport’s requests to IPdst, dport are in this manual page referred to as IPfw, fwport. )
Source natting usually uses sport for fwport, but fwport may already be in use, in which case the
firewalling host must use another, available port to forward communication from IPsrc, sport to IPdst,
dport.
The general scheme that applies to source natting, therefore, looks like this:
IPsrc:sport is translated by the firewall to IPfw:fwport;
IPfw:fwport is used when communicating with IPdst:dport.
From the perspective of the destination host the communication originates at IPfw::fwport and
consequently all communication (e.g., incident reports) sent by the systems administrator maintaining
IPdst to IPfw’s systems administrator will refer to IPfw:fwport, rather than to IPsrc::sport.
Relating IPfw:fwport to IPsrc:sport is difficult when merely using the standard log facilities provided
by iptables and natlog was developed to fill in that particular niche.
Natlog provides data about source natting in various forms. The standard logging mode consists of
messages sent to the syslog daemon (cf., rsyslogd(8)) and/or to the standard output stream showing the
essential characteristics of connections using source natting. Here is an example of a logged message
(log-entries occupy single lines; the line-breaks below are to enhance readability):
NATLOG: from 1338990672:55588 thru 1338990747:807100 (UTC): tcp
192.168.19.72:4467 (via: 129.125.90.132:4467) to
to 200.49.219.180:443; sent: 802, received: 7669
The values 1338990672:55588 and 1338990747:807100 are time stamps showing the begin- and end-times in
seconds:microseconds of a tcp connection since the beginning of the epoch (Jan 1, 1970, 0:00 UTC). Natlog
offers the --time option for requesting human-readable time specifications like Nov 2 13:29:11 rather
than time representations using seconds and micro seconds.
The next value (192.168.19.72:4467) represents IPsrc::sport. This is followed by 129.125.90.132:4467,
representing IPfw:fwport. The third pair of values (200.49.219.180:443) represents IPdst:dport.
In this example, host 192.168.19.72, using port 4467, connected to host 200.49.219.180, port 443. To this
latter host the connection appears to have originated from 129.125.90.132 port 4467. The log message
allows us to associate this with the `real’ host and port from which the connection originated:
192.168.19.72:4467.
The final entries show the number of bytes that were sent by the source-host (IPsrc) and received from
the destination-host (IPdst).
When natlog is terminated it can no longer track connections that are still open. If natlog was
terminated (by a SIGINT or SIGTERM signal), then it logs a `terminating’ line, followed by an overview of
all (potentially) still open connections. Those connections are flagged with a trailing ’(EOP)’ (end of
program) log-element, and their end-times show natlog’s termination time. Incomplete connections show
(EXPIRED).
In addition to the standard logs the option --log-data is available. This option requires the path to a
file where information is logged in tabular form, which can easily be processed by statistical software
like R(1). When specifying this option information will be appended to an existing file. When the log
file does not yet exist it is created. The first line of the thus written log files names the columns of
the table. The column names are (all on one line):
type, srcNr, srcIP, srcPort, dstNr, dstIP, dstPort,
sent, recvd, begin, end, beginTime, endTime, status
Most column labels will be self-explanatory. Type indicates the connection type, logged as icmp, tcp, or
udp; srcNr and dstNr are the 32 bit numeric values of, respectively, the source host’s IP address and the
destination host’s IP address (decimal representations); begin and end are the times in seconds since the
beginning of the epoch, corresponding to the times displayed at, respectively, beginTime and endTime;
status indicates the status of the logged connection information: ok indicates a connection that was
normally completed; expired indicates that the connection was recognized, but was not normally completed;
eop is used for connections that were still active by the time natlog terminates. When the status equals
expired, the time entries show the times of receiving the first and last packets of that connection; when
eop, then the end and endTime entries show natlog’s termination time.
Log entries look like this (each entry occupies one line, header line and logged data lines are
right-aligned):
tcp, 101820608, 192.168.17.6, 48886,
4012145084, 188.121.36.239, 80,
430, 2266, 1517387644, 1517387644,
Jan 31 08:34:04:318340, Jan 31 08:34:04:383170, ok
MODES AND COMMANDS
o conntrack: the `conntrack’-mode. This command can only be used on platforms using iptables(1)
where conntrack(1) has also been installed. Information about snat connections is obtained from
conntrack(1)’s output. In this mode all, or one of the tcp (the protocol used by default), udp,
and icmp layer four protocols can be monitored.
When using the conntrack mode the conntrack program will report sent and received number of bytes
unless the option no-bytes has been specified.
Conntrack includes the sizes of the IP headers (usually 20 bytes) in reported byte counts. Thus,
icmp packets are usually reported as having size 84, even though ping(1) reports a payload of 64
bytes. Since the actual sizes of IP headers cannot be determined from conntrack’s output, the
sizes reported when using natlog’s conntrack mode are as reported by conntrack, and are therefore
not corrected for IP header lengths. The option --conntrack-ip-header-size can be used to correct
for the (assumed) IP header sizes.
Conntrack can also be used to track all connections, not just the snat connections. If that’s
required omit conntrack’s option -n, and optionally specify option no-via.
See also the conntrack-command option.
o indevice outdevice: the `devices’-mode. Here, indevice is the name of the device behind the
firewall: addresses living behind the indevice are source-natted to the firewall host’s IP address
when passed on to the outdevice.
Outdevice is the name of the device where source-natted packets are forwarded to, and from where
replies for source-natted hosts living behind the indevice are received. With this command all, or
any combination of the tcp (the protocol monitored by default), udp, and icmp layer four protocols
can be monitored.
For example, when specifying the arguments
eth1 eth0
thene eth1 is the device behind the firewall, and eth0 is the device to where source-natted
packets are forwared.
This command can also be used to track all connections using a single device, instead of merely
tracking snat connections. In that case specify the same devices for indevice and outdevice, and
optionally specify option no-via. E.g.,
eth0 eth0
o infile in-address in-mask outfile out-address out-mask: the `tcpdump’-mode. This command can be
used to process tcpdump(1) generated binary files, generated on the source-natting host. If a
source natting host uses interface eth1 behind the firewall and eth0 to connect to the outside
world, then the follow tcpdump commands produce the required binary files (these commands will
normally be run in the background, hence the trailing &):
tcpdump -wi eth0 /tmp/eth0 &
tcpdump -wi eth1 /tmp/eth1 &
To have natlog process these files, end the tcpdump processes, and transfer the files /tmp/eth0
and /tmp/eth1 to the host where natlog has been installed. The required addresses and masks are
shown by the ifconfig(1) command. E.g.,
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 129.125.1.123 netmask 255.255.0.0
broadcast 129.125.255.255
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.1 netmask 255.255.255.0
broadcast 192.168.1255
The relevant info is shown in the lines following the interface’s name: the value following inet
is the interface’s IP address, and the value following netmask is the network’s mask.
Combining files and addresses, natlog is run as follows (all on one line):
natlog /tmp/eth0 129.125.1.123 255.255.0.0
/tmp/eth1 192.168.1.1 255.255.255.0
Instead of fully specifying the netmask, netmaks specifications like /24 are also accepted. In
that case the number following the slash indicates the number of non-zero bits of the netmask. In
practice, each value of the netmask is either 255 (8 bits are set) or 0 (0 bits are set), and so
255.255.0.0 can also be specified as /16, while 255.255.255.0 can be specified like /24.
OPTIONS
See also section SYSTEMD.
o --config=config-path (-c)
The argument config-path defines the path to natlog’s configuration file. By default it is
/etc/natlog.conf. All configuration options have defaults, which are used when no configuration
file and no command-line options were provided.
All options, except for config, help, S, terminate, verbose and version can also be specified in
the configuration file. The configuration file ignores empty lines and all information on lines
beginning with a hash-mark (#). In the configuration file initial hyphens should be omitted, and
option names may immediately be followed by a colon. Do not surround option values with quotes.
Examples:
stdout
syslog-facility: LOCAL0
Command-line options override configuration file options.
o --conntrack-command=path [options]
The path and options to the conntrack(1) program. By default this is
/usr/sbin/conntrack -p tcp -E -n -o timestamp -e NEW,DESTROY
resulting in:
- Monitoring the tcp layer four protocol;
- Displaying real-time event logs (-E);
- Only use snat connections (-n);
- Displaying time stamps (-o timestamp);
- Logging all new and destroyed (ended) events (-e NEW,DESTROY);
- Reporting the number of bytes sent- and received by connections;
By default tcp is monitored. Other protocols can be configured using the --protocol option.
The conntrack program must be available when requesting natlog’s conntrack command. Layer four
protocols other than tcp, udp and icmp are currently not supported. A subset of the supported
protocols may be requested using conntrack’s -p tcp, -p udp or -p icmp options.
When all connections should be logged (not just snat connections) then omit conntrack’s -n option.
See also option --no-via below.
Unless option --no-bytes is specified the conntrack program reports the number of sent and
received bytes of connections. Conntrack does so when the value 1 has been written to
/proc/sys/net/netfilter/nf_conntrack_acct. When natlog starts, and no-bytes has not been specified
then natlog writes 1 to nf_conntrack_acct.
Note: when specifying the conntrack-command option in the configuration file do not sourround the
command with quotes.
o --conntrack-device=dev
By default conntrack monitors the information made available at the /proc/net/nf_conntrack device.
When another device should be used, specify it using this option.
o --conntrack-ip-header-size=size
This option is used to correct for the IP header sizes. By default, conntrack includes these sizes
in reported byte counts. By specifying this option packet sizes reported by conntrack are reduced
by size. Commonly IP headers consist of 20 bytes (so, to correct for this specify
--conntrack-ip-header-size 20).
o --conntrack-restart=max
If the conntrack process prematurely ends it is restarted at most max times (these are pure
restarts: conntrack’s initial startup is not counted for this option). By default 10 restarts are
allowed.
o --debug
Write additional info to the log file. Currently, --debug writes information about memory
consumption to the log file.
o --help (-h)
Write basic usage information to the standard output stream and terminate.
o --log=argument
By default natlog forwards log messages about natlog and connection information to the syslog
daemon using the DAEMON facility with priority NOTICE (see below at the syslog* options). This is
identical to specifying the argument syslog.
Alternatively, specify the argument off to suppress writing log messages. Any other argument is
interpreted as a path-specification to a file to receive the log messages: log-messages are
appended to existing files. If the log file does not yet exist it is first created.
The stdout option is handled independently from the log option: log messages will appear to the
standard output stream if stdout and log: off are both specified.
o --log-data=path
Path specifies the pathname of the file where information about observed connections is written in
tabular form. If path does not yet exist it is first created. Refer to the DESCRIPTION section for
information about the format of the generated table. Specify "" as command-line option if the
configuration file specifies a log data file, but no tabular data should be logged for that natlog
run.
Like the standard log file (option --log) the log-data file is not rotated if rotation is
requested (cf. option log-rotate). For statistical analyses rotated log-data files can be
concatenated (usually omitting the first (header) line of rotated log-data files).
o --log-rotate=spec
This option specifies the frequency and the number of log-files that are rotated. By default
log-files are not rotated.
To rotate log-files use time[mhd] or time[mhd]nFiles. The ’time’ specification is a number, which
must be followed by m for minutes, h for hours, and d for days. nFiles specifies the max. number
of rotated files. If only time[mhd] is specified, then nFiles is set to 1. By default (or if time
or nfiles are specified as zero (0)) log files are not rotated.
Note: when using rsyslogd(1) for logging (i.e., when specifying --log syslog, see also option
syslog-facility below), then it is assumed that the syslog daemon or a log-file rotation program like
logrotate(8) handles the log file rotations. Rotating the log-data file is not affected by specifying
--log syslog.
Natlog uses a built-in minimum rotation interval of 30 seconds.
o --no-bytes
By default log-entries show numbers of sent and received bytes. Specify this option to omit these
statistics from log-entries.
o --no-daemon
By default, natlog runs in the background (a daemon). Natlog runs as an ordinary program (i.e., in
the foreground when the option no-daemon is specified). When running as a daemon, --stdout (see
below) is suppressed, and --verbose messages (see below) are sent to the syslog daemon, unless
--no-syslog was specified. When using the tcpdump-mode natlog does not run in the background. In
this case, if no-daemon is omitted a warning message is logged, and natlog continues as an
ordinary program.
o --no-dst
Normally, when snat connections are logged the destination IP addresses and port numbers are
logged as ’dst’ entries in log-data files and as ’to’ entries in log-files. If these destination
items should be omitted specify no-via as configuration parameter or as option.
o --no-via
Normally, when snat connections are logged the host handling the address translations are logged
as ’via’ entries in log-files. If the ’via’ entries should be omitted activate no-via as
configuration parameter or as option.
o --pid-file=path (-p)
When natlog runs in the background, then path is the name of the path of the file holding the
daemon’s process-id. By default this file is /run/natlog.pid. To end the daemon, simply call
natlog --terminate (or send a SIGINT or SIGTERM signal to the process id mentioned in the
pid-file). Natlog uses SIGHUP and SIGALRM signals for explicit rotations of log-files (see options
--rotate and --rotate-data below.
o --protocol=specification (-P)
The protocol(s) to monitor. By default the tcp layer four protocol is monitored. Currently
natlog’s conntrack command can monitor the tcp, udp, and icmp layer four protocols. Using the
protocol option (note: only one protocol option should be specified) any subset of these protocols
can be selected by specifying a colon-separated subset of tcp, udp, and icmp (e.g., --protocol
udp:tcp). The specification all can be used to monitor all three protocols (tcp, udp, and icmp).
o --rotate
When --log has been used then this option forces rotating the log file independently from the
interval specified by --log-rotate. Natlog uses a built-in minimum rotation interval of 30
seconds.
o --rotate-data
When --log-data has been used then this option forces rotating the log-data file independently
from the interval specified by --log-rotate. Natlog uses a built-in minimum rotation interval of
30 seconds.
o -S
Use this option as first option, immediately following the program name, when starting natlog from
a systemd(1) natlog.service file. See also section SYSTEMD below.
o --stdout (-s)
Syslog-equivalent messages are sent to the standard output. This option is suppressed when natlog
runs as a daemon.
o --syslog-facility=facility
The facility that is used to write the syslog messages to. By default this is DAEMON. For an
overview of facilities and their meanings, see, e.g., syslog(3). With natlog the facilities
DAEMON, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7, and USER can be used.
When rsyslog filtering is used (see that section below) then rsyslogd(8) uses that instead of the
specified facility.
o --syslog-priority=priority
The priority that is used to write the syslog messages to. By default this is NOTICE. For an
overview of priorities and their meanings, see, e.g., syslog(3). With natlog all defined
priorities can be used. E.g., EMERG, ALERT, CRIT, ERR, WARNING, NOTICE, INFO and DEBUG.
o --syslog-tag=tag
When syslog messages are generated they can be provided with a tag, which can be used to filter
natlog’s syslog messages from the log-files. By default the tag NATLOG is used. See also section
RSYSLOG FILTERING below.
o --terminate
When natlog runs as a daemon, the command natlog --terminate can be issued to terminate the
daemon. By default it reads the daemon’s process ID from natlog’s pid-file (cf. option pid-file)
/run/natlog.pid). If another pid-file holds the process ID of the natlog program to terminate then
specify the location of the pid-file to use using a command like
natlog --terminate --pid-file=/path/to/the/pid-file
When the daemon could be terminated 0 is returned. Otherwise, an error message is displayed and 1
is returned.
o --time=spec (-t)
By default time stamps written by natlog are in raw, numeric form. E.g.,
NATLOG: From 1338990672:55588 thru 1338990747:807100
These time stamps indicate times in seconds:microseconds since the beginning of the epoch, January
1, 1970, 0:00 UTC. This option can be used to change the seconds part of the time stamps to more
conventional representations.
Specify raw (the default) for the default representation in seconds since the epoch;
specify utc for a representation like Jun 6 13:29:11, using Universal Time Coordinated;
specify local for a representation like Jun 6 13:29:11, using the local time zone defined by the
computer running natlog.
o --ttl=secs[ui] (-T)
time-to-live for received connections. At most two time-to-live specifications can be provided:
for udp/icmp connections a letter u must be appended to the specified seconds. By default 60u is
used. For tcp connections a letter t must be appended to the specified seconds. By default 3000t
is used. Both time-to-live specifications may be combined: --ttl 120u1800t specifies a
time-to-live of two minutes for udp/icmp connections and a time-to-live of half an hour for tcp
connections. Time-to-live is not used in conntrack-mode.
o --verbose (-V)
Additional messages about natlog’s mode of operation are sent to the standard output stream. When
natlog runs as a daemon these messages are sent to the syslog daemon, unless --no-syslog was
specified.
When --verbose is specified twice then all actual configuration parameters are shown just before natlog
starts.
When --verbose is specified more often then natlog ends after reporting the configuration parameters.
o --version (-v)
Write natlog’s version number to the standard output stream and terminate.
)
SYSTEMD
An annoying characteristic of systemd(1) is that environment variables containing blanks are passed as
single arguments to the program being called by their .service files. As a consequence, it is very hard
to provide an environment variable in, e.g., /etc/default/natlog specifying natlog’s arguments: in
practice the number of arguments varies, and so even constructions like ARG1=value1, ARG2=value2, etc.
are awkward at best.
As a stopgap for this unwelcome characteristic of systemd the option -S is provided. When used it must be
specified as natlog’s first argument. Natlog will then inspect all remaining arguments, splitting
arguments containing blanks into separate arguments, which are then processed by natlog as intended. Be
aware that, to limit the complexity of the splitting-procedure, it is not full-proof: double- or
single-quote delimited string-arguments will also be split into separate arguments. Unless filenames
themselves containing blanks are passed as arguments to natlog this limitation is probably not very
serious.
As an example, here is an example of systemd’s ExecStart specification:
ExecStart=/usr/bin/natlog -S -p ${PIDFILE} ${DAEMON_ARGS}
where DAEMON_ARGS might have been specified in /etc/default/natlog as
DAEMON_ARGS=--log /tmp/natlog.log --log-data /dev/null conntrack
RSYSLOG FILTERING
When using rsyslogd(8) property based filters may be used to filter syslog messages and write them to a
file of your choice. E.g., to filter messages starting with the syslog message tag (e.g., NATLOG) use
:syslogtag, isequal, "NATLOG:" /var/log/natlog.log
:syslogtag, isequal, "NATLOG:" stop
Note that the colon is part of the tag, but is not specified with the syslog-tag option.
This causes all messages having the NATLOG: tag to be written on /var/log/natlog.log after which they are
discarded. More extensive filtering is also supported, see, e.g.,
http://www.rsyslog.com/doc/rsyslog_conf_filter.html and http://www.rsyslog.com/doc/property_replacer.html
EXAMPLES
Examples of natlog activations:
o natlog --no-daemon --no-syslog -s br0 eth0
Natlog remains active as a foreground process, no syslog messages are written, syslog-equivalent
message are written to the standard output. Natlog uses the pcap library to capture packets from
the br0 device, which is active behind the firewall, and to capture packets from the eth0 device,
which is the device to where source-natted packages are sent.
o natlog conntrack
Depending on the options specified in /etc/natlog.conf (or, if not available, natlog’s default
options) source-natted connections are obtained from conntrack(1). By default natlog continues as
a daemon process, generating syslog messages using syslog tags NATLOG:, and containing information
about source-natted connections.
Here is natlog’s default configuration file. Empty lines and lines starting with hash-marks (#) are
ignored. Options adhere to the following syntax:
option value
Option and value are separated by white space, a colon may be appended to option names:
# This configuration file shows the default option values.
# Options that are *not* active by default have an extra comment-line
# showing ’not by default:’
# all options and values are case sensitive
# see `man natlog’ for further details
# the path and options of the conntrack program:
# when no filtering options are specified, the tcp
# protocol is monitored
# the default command is shown.
# Note: do not surround the conntrack command specification with quotes
#conntrack-command: /usr/sbin/conntrack -E -n -o timestamp -e NEW,DESTROY
# the device used by conntrack
#conntrack-device: /proc/net/nf_conntrack
# correction for the IP header size
# (standard IP header size is 20 bytes)
#conntrack-ip-header-size: 0
# max. number of conntrack restarts
#conntrack-restart: 10
# write additional info to the log file
# not by default:
#debug
# log messages are written to ’pathname’; use ’log: off’ to suppress log
# messages
# not by default:
#log: pathname
# data file containing tabular logs
# not by default:
#log-data: pathname
# tmespec: time[mhd]nFiles - specification for rotating log-files
# not by default:
#log-rotate: timespec
# do not log the sent/received byte counts (default: counts are logged)
# not by default:
#no-bytes
# do not run as a daemon
# not by default:
#no-daemon
# do not log the destination entries
# not by default:
#no-dst
# do not log the via: entries
# not by default:
#no-via
# the path to the pid-file of natlog’s daemon process
#pid-file: /run/natlog.pid
# the protocols that are scanned with the ’conntrack’ command:
# protocol: all - monitors tcp, udp, icmp
# protocol: udp:tcp - monitors upd and tcp (any non-empty subset,
# possibly including icmp is OK)
#protocol: tcp
# write messages to stdout (ignored by daemons)
# not by default:
#stdout
# the default syslog facility:
#syslog-facility: DAEMON
# the default syslog priority:
#syslog-priority: NOTICE
# the default syslog tag:
#syslog-tag: NATLOG
# the default time specification (alternatives: utc, local):
#time: raw
# ttl: time to live (seconds) for udp/icmp connections
#ttl: 60
# end of the configuration file
FILES
o /etc/natlog.conf: default configuration file location;
o /etc/default/natlog: arguments for startup scripts;
o /etc/init.d/natlog: SysV startup script;
o /etc/systemd/system/natlog.service: systemd startup script (calling /etc/init.d/natlog).
SEE ALSO
conntrack(1), ifconfig(1), iptables(1), logrotate(8), pcap-filter(7), ping(1), R(1), rsyslogd(8),
syslog(3), systemd(1), tcpdump(1)
BUGS
Natlog currently can process tcp, udp and icmp layer four protocols.
AUTHOR
Frank B. Brokken (f.b.brokken@rug.nl).
natlog.3.00.01 2012-2022 natlog(1)