If you want to go with the defaults (which are generally fine), simply run:
./configure && make && sudo make install
The configuration file is installed as /usr/local/etc/specter.conf by default.
Read the documentation (available at
http://joker.linuxstuff.pl/specter/docs.html) and start logging!
First you will need a 2.4.x or 2.6.x kernel. If you have a kernel >= 2.4.18-pre8, it already has kernel support for ULOG (ipt_ULOG.o); just make sure it was compiled in. If you want to use the nfmark grouping method, check that your kernel was compiled with the CONFIG_IP_NF_MATCH_MARK, CONFIG_IP_NF_TARGET_MARK and CONFIG_IP_NF_MANGLE options.
If you have an older kernel (between 2.4.0 and 2.4.18-pre6), you can add ULOG support with the patch-o-matic system of netfilter/iptables, as described in the following section.
You only need to read this chapter if you have a 2.4.x kernel <= 2.4.18-pre6.
In order to put the ipt_ULOG module into your kernel source, you need the latest iptables package, or better still the latest CVS snapshot. How to obtain it is described on the netfilter homepage http://www.netfilter.org/.
To run patch-o-matic, just type
make patch-o-matic
in the userspace directory of netfilter CVS.
The latest version of specter's code is available on Launchpad. To get it you need a Bazaar client. Issue the following command:
bzr branch lp:specter
and the newest sources will appear in the specter/ subdirectory.
You can also download pre-packaged sources from http://joker.linuxstuff.pl/specter/, although those may not be as recent as the ones in the Bazaar repository.
If you want to build specter with MySQL support, run './configure --with-mysql'. You may also have to specify the path to the MySQL libraries using '--with-mysql=path'. To build specter without MySQL support, just use './configure'.
The same procedure applies to PostgreSQL support (use './configure --with-pgsql', with or without a path to the libraries).
If you have other applications using the libipulog library shipped with this package, you may consider building it as a shared library. To enable this, use './configure --with-sharedlib'.
If you have a sophisticated configuration and need more than the default 32 execution groups, you can redefine SPECTER_GROUPS_MAX with the '--with-group-max=value' configure option. This has no effect on speed until you actually make use of these groups. Note, however, that netlink grouping can address only 32 groups, and that limit comes from the kernel (ULOG's --ulog-nlgroup); to go beyond it, use nfmark grouping instead.
To compile and install the program, run 'make install'. Existing configuration files won't be overwritten. You can also run 'make install-strip' to strip unneeded symbols from the specter binary.
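The kernel options named in the kernel requirements section and the 32-group netlink limit discussed in the --with-group-max paragraph, as an added example that is not part of specter or its documentation: a POSIX sh script that checks a kernel config file for the required options and emits the iptables rules for both grouping methods (netlink group only, and nfmark plus ULOG). It assumes, which this page does not state, that specter's nfmark grouping selects the execution group from the nfmark carried in the ULOG message; the traffic selectors and the sample kernel config are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of specter or its documentation. It (1) checks a kernel
# config file for the options the INSTALL text names and (2) emits the iptables
# rules that either use a ULOG netlink group directly (at most 32 of them, a kernel
# limit) or mark packets first so specter's nfmark grouping can sort them by mark.
# Assumption (not from the page): specter's nfmark grouping keys execution groups on
# the nfmark carried in the ULOG message; the rule selectors here are illustrative.

ULOG_OPTS="CONFIG_IP_NF_TARGET_ULOG"
NFMARK_OPTS="CONFIG_IP_NF_MATCH_MARK CONFIG_IP_NF_TARGET_MARK CONFIG_IP_NF_MANGLE"

# kernel_has_opts CONFIGFILE OPTION...
# Returns 0 when every OPTION is built in (=y) or a module (=m) in CONFIGFILE,
# 1 otherwise; each missing or "is not set" option is reported on stderr.
kernel_has_opts() {
    cfg=$1; shift
    rc=0
    for opt in "$@"; do
        if ! grep -Eq '^'"$opt"'=[ym]$' "$cfg"; then
            echo "kernel option not enabled: $opt" >&2
            rc=1
        fi
    done
    return $rc
}

# valid_nlgroup N: ULOG netlink groups are numbered 1..32; that limit is the kernel's.
valid_nlgroup() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 32 ]
}

# run CMD...: print the command and execute it only when APPLY=1 (dry run by
# default, so the rules can be reviewed before they touch the firewall).
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

# nlgroup_rules NLGROUP PREFIX MATCH...
# Plain netlink grouping: packets matching MATCH... go to ULOG group NLGROUP.
nlgroup_rules() {
    nlgroup=$1; prefix=$2; shift 2
    valid_nlgroup "$nlgroup" || { echo "nlgroup must be 1..32, got '$nlgroup'" >&2; return 1; }
    run iptables -A INPUT "$@" -j ULOG --ulog-nlgroup "$nlgroup" --ulog-prefix "$prefix"
}

# nfmark_rules MARK NLGROUP PREFIX MATCH...
# nfmark grouping: mark packets in the mangle table (needs CONFIG_IP_NF_MANGLE and
# CONFIG_IP_NF_TARGET_MARK), then match on the mark (CONFIG_IP_NF_MATCH_MARK) and
# send them to ULOG. Many marks can share one netlink group, which is how the
# number of execution groups can exceed the 32-group netlink limit.
nfmark_rules() {
    mark=$1; nlgroup=$2; prefix=$3; shift 3
    valid_nlgroup "$nlgroup" || { echo "nlgroup must be 1..32, got '$nlgroup'" >&2; return 1; }
    run iptables -t mangle -A PREROUTING "$@" -j MARK --set-mark "$mark"
    run iptables -A INPUT -m mark --mark "$mark" \
        -j ULOG --ulog-nlgroup "$nlgroup" --ulog-prefix "$prefix"
}

# Demo on a constructed config (not a real kernel's): ULOG is present but
# CONFIG_IP_NF_MATCH_MARK is not, so nfmark grouping would not work on this kernel.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_MARK=m
# CONFIG_IP_NF_MATCH_MARK is not set
EOF

if kernel_has_opts "$SAMPLE_CFG" $ULOG_OPTS; then
    echo "ULOG available, netlink grouping rules (dry run):"
    nlgroup_rules 1 ssh -p tcp --dport 22
fi
if kernel_has_opts "$SAMPLE_CFG" $NFMARK_OPTS; then
    nfmark_rules 5 1 ssh -p tcp --dport 22
else
    echo "nfmark grouping not available on this kernel" >&2
fi
```

For a real system pass /boot/config-$(uname -r) (or the output of zcat /proc/config.gz saved to a file) to kernel_has_opts instead of the constructed sample, and run the rule functions as root with APPLY=1 once the printed commands look right.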
If you're happy with the defaults, you can also install specter from a binary package. Debian and Ubuntu carry up-to-date specter packages; packages for other systems can be downloaded from the project's homepage: http://joker.linuxstuff.pl/specter/.
There are several front-ends for viewing logs generated by specter. Although they were designed for ulogd, they should work with specter without problems. Here are a few links to such projects:
http://freshmeat.net/projects/ulogmonitor/ (copy of the source can be found here: http://joker.linuxstuff.pl/files/ulog-monitor_0.3.tar.bz2)
You can also find a sample PHP query script in contrib/.