Userspace logging facility for Linux
last update: 21st January 2012
If you're running a Linux firewall and need fast and reliable logging software, specter is for you. No kernel patches are needed: it works with the standard ipt_ULOG netfilter target module. Being a userspace application, it runs without kernel privileges, so a bug in the logger can neither take down the kernel nor execute as kernel code: a much lower security and stability risk than any kernel module. Keeping the core simple and clean, specter's power lies in its plugins. You can define not only where the received packet data should go, but also how it should be interpreted. Although the list of standard input and output plugins is wide, writing your own is a trivial task, as the code is extensively documented. All of these properties make specter a universal firewall logging utility.
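To make concrete what "works with the ipt_ULOG target" means, here is an added example (not specter's or ulogd's code) of the decoding step every ULOG-based userspace logger has to do: read the netlink buffer the kernel multicasts on the NETLINK_NFLOG socket, walk its nlmsghdr chain, and unpack each ulog_packet_msg (mark, timestamp, hook, interfaces, --ulog-prefix, link-layer header and the first --ulog-cprange bytes of the packet). It assumes the ulog_packet_msg layout from <linux/netfilter_ipv4/ipt_ULOG.h> (kernels up to 3.16; later kernels replaced ULOG with NFLOG), and the sample buffer it decodes is constructed in the script, not captured from a live system.

```python
"""Decode ipt_ULOG netlink messages as a userspace logger receives them.

Added example, not specter code.  Assumes struct ulog_packet_msg from
<linux/netfilter_ipv4/ipt_ULOG.h>; the sample buffer below is constructed.
A rule producing such messages would be, e.g.:
  iptables -A INPUT -p tcp --dport 22 -j ULOG --ulog-nlgroup 1 \
           --ulog-prefix ssh-in --ulog-cprange 40
"""
import socket
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

IFNAMSIZ, ULOG_PREFIX_LEN, ULOG_MAC_LEN = 16, 32, 80
NLMSG_DONE, NLM_F_MULTI, NETLINK_NFLOG = 3, 2, 5

# struct nlmsghdr { u32 len; u16 type; u16 flags; u32 seq; u32 pid; }
NLMSGHDR = struct.Struct("@IHHII")
# struct ulog_packet_msg up to the flexible payload[] member:
#   unsigned long mark; long timestamp_sec; long timestamp_usec;
#   unsigned int hook; char indev_name[16]; char outdev_name[16];
#   size_t data_len; char prefix[32]; unsigned char mac_len; unsigned char mac[80];
# Native mode ("@") reproduces the kernel's field alignment on this arch,
# which is exactly what the kernel assumes (the format is not portable).
ULOG_MSG = struct.Struct(
    f"@lllI{IFNAMSIZ}s{IFNAMSIZ}sN{ULOG_PREFIX_LEN}sB{ULOG_MAC_LEN}s")


def _cstr(raw: bytes) -> str:
    """char[] -> str; split at NUL, a full buffer need not be terminated."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


@dataclass
class UlogPacket:
    mark: int
    timestamp: float
    hook: int
    indev: str
    outdev: str
    prefix: str
    mac: bytes
    payload: bytes
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


def open_ulog_socket(nlgroup: int) -> socket.socket:
    """Socket a real reader would recv() from (needs root; not used below)."""
    s = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_NFLOG)
    s.bind((0, 1 << (nlgroup - 1)))   # --ulog-nlgroup N is multicast bit N-1
    return s


def iter_netlink(buf: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Walk the nlmsghdr chain of one recv() buffer.  With --ulog-qthreshold
    > 1 the kernel batches packets: all but the last carry NLM_F_MULTI and the
    last is typed NLMSG_DONE, but it still holds a packet, so yield all."""
    off = 0
    while off + NLMSGHDR.size <= len(buf):
        nl_len, nl_type, nl_flags, _seq, _pid = NLMSGHDR.unpack_from(buf, off)
        if nl_len < NLMSGHDR.size or off + nl_len > len(buf):
            raise ValueError("truncated netlink message")
        yield nl_type, nl_flags, buf[off + NLMSGHDR.size:off + nl_len]
        off += (nl_len + 3) & ~3                      # NLMSG_ALIGN


def parse_ulog_msg(body: bytes) -> UlogPacket:
    """Decode one ulog_packet_msg (nlmsghdr already stripped)."""
    if len(body) < ULOG_MSG.size:
        raise ValueError("short ulog_packet_msg")
    (mark, ts_sec, ts_usec, hook, indev, outdev,
     data_len, prefix, mac_len, mac) = ULOG_MSG.unpack_from(body)
    if mac_len > ULOG_MAC_LEN:
        raise ValueError("bogus mac_len")
    payload = body[ULOG_MSG.size:ULOG_MSG.size + data_len]
    if len(payload) != data_len:                      # never trust a wire length
        raise ValueError("payload shorter than data_len")
    pkt = UlogPacket(mark, ts_sec + ts_usec / 1e6, hook, _cstr(indev),
                     _cstr(outdev), _cstr(prefix), mac[:mac_len], payload)
    # ipt_ULOG is IPv4-only; the payload may be cut short by --ulog-cprange,
    # so bounds-check before touching any header field.
    if len(payload) >= 20 and payload[0] >> 4 == 4:
        ihl = (payload[0] & 0x0F) * 4
        pkt.proto = payload[9]
        pkt.src = socket.inet_ntoa(payload[12:16])
        pkt.dst = socket.inet_ntoa(payload[16:20])
        if pkt.proto in (6, 17) and ihl >= 20 and len(payload) >= ihl + 4:
            pkt.sport, pkt.dport = struct.unpack_from("!HH", payload, ihl)
    return pkt


def decode_buffer(buf: bytes) -> List[UlogPacket]:
    return [parse_ulog_msg(body) for _t, _f, body in iter_netlink(buf)]


def format_line(pkt: UlogPacket) -> str:
    """One log line per packet, in the key=value style of the kernel LOG target."""
    fields = ["IN=%s" % pkt.indev, "OUT=%s" % pkt.outdev]
    if pkt.src is not None:
        fields += ["SRC=%s" % pkt.src, "DST=%s" % pkt.dst, "PROTO=%d" % pkt.proto]
    if pkt.sport is not None:
        fields += ["SPT=%d" % pkt.sport, "DPT=%d" % pkt.dport]
    return (pkt.prefix + " " if pkt.prefix else "") + " ".join(fields)


# ---- constructed sample data (not a real capture) -------------------------
def _ipv4_tcp(src: str, dst: str, sport: int, dport: int) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return ip + tcp


def _build_msg(prefix: str, indev: str, outdev: str, hook: int,
               payload: bytes, last: bool = False) -> bytes:
    """Lay one message out as ipt_ULOG would (hook 1=LOCAL_IN, 2=FORWARD)."""
    body = ULOG_MSG.pack(0, 1327104000, 250000, hook, indev.encode(),
                         outdev.encode(), len(payload), prefix.encode(),
                         0, b"") + payload
    nl_len = NLMSGHDR.size + len(body)
    hdr = NLMSGHDR.pack(nl_len, NLMSG_DONE if last else 0,
                        0 if last else NLM_F_MULTI, 0, 0)
    return (hdr + body).ljust((nl_len + 3) & ~3, b"\0")


SAMPLE_BUFFER = (
    _build_msg("ssh-in", "eth0", "", 1,
               _ipv4_tcp("203.0.113.5", "198.51.100.10", 51234, 22))
    + _build_msg("fwd-drop", "eth0", "eth1", 2,                # cprange-truncated
                 _ipv4_tcp("203.0.113.9", "10.0.0.4", 4444, 445)[:20], last=True))

if __name__ == "__main__":
    for p in decode_buffer(SAMPLE_BUFFER):
        print(format_line(p))
```

The two checks that matter for a daemon parsing kernel-supplied but still untrusted-looking data are there: `data_len` and `mac_len` are validated against the buffer before slicing, and IP header fields are only read once the payload is long enough, since `--ulog-cprange` happily hands you a 20-byte prefix of a packet.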
Get specter-1.5.tar.gz and follow the instructions in the INSTALL file.
If you're on Debian or Ubuntu all you have to do is:
sudo apt-get install specter specter-mysql specter-pgsql
and you're done. Check the documentation and modify your configuration in
To check out the latest source, use Bazaar:
bzr branch http://bazaar.launchpad.net/~ruby/specter/trunk
The package is somewhat old, but still worth a try: specter-1.4-pre2-i486-1.tgz.
Use the ulogd2specter.pl script to convert ulogd configuration files into specter's format.
Specter is free software, licensed under the GPL. You can use it any way you want, learn from the code, add your own enhancements and pass them on, all for free. The full text of the license is available here.
Specter is based on Harald Welte's ulogd 1.02, but takes a slightly different approach. Its modular structure and highly configurable parameters, combined with netfilter's neat design, give you freedom in setting up your logging facility. You can not only save packets into files or databases, but also do other crazy things, like making your keyboard LEDs blink in case of high network traffic (or any other user-defined condition).
Currently it includes two new plugins: EXEC, which executes given commands when a packet is received, and HTTP, which parses HTTP traffic. Keep in mind that whatever EXEC runs is triggered by traffic matching your rule, so keep the matching rules tight and treat any packet-derived data you hand to the command as untrusted. It also has an extended configuration syntax and the possibility to divide packets into multiple execution blocks. You can learn more by reading the online documentation. Still curious? Read the discussion that followed the first release, which can help you understand some aspects of specter's design and the decisions I've made. If you consider moving from ulogd, there's a script attached to convert your current config into specter's.