but why?  :-)

--
thanks,
VA

24.01.2010 14:33, Paolo Supino wrote:
Hi Vadim

A small detail I forgot to mention: I need the log to be in text
(readable) format. pflogd writes pcap format files, which isn't suitable
for me ...



--
TIA
Paolo





On 1/24/10 2:17 PM, Vadim Agarkov wrote:
24.01.2010 13:36, Paolo Supino wrote:
Hi

I've often used the command "tcpdump -n -e -ttt -i pflog0" to view the PF
log in real time.
I've decided to try and use it in order to log PF in real time through
syslog. The solution described in the PF FAQ to log to syslog works in
time intervals, which doesn't meet my needs in my current setup.
I tried piping the output of "tcpdump -n -e -ttt -i pflog0" through
logger(1) and sending it to syslog(8) using the complete command:
"tcpdump -n -e -ttt -i pflog0 | logger -t PF -p local7.notice". I
set up syslog.conf with "local7.* /var/log/firewall.log", but the file
"/var/log/firewall.log" remains empty. Trying the command "tcpdump -n
-e -ttt -i pflog0 | logger -t PF -f /var/log/firewall.log" also leaves
the file empty. As a last resort I tried "tcpdump -n -e -ttt -i
pflog0 >& /var/log/firewall.log", but that also didn't work and left
the file /var/log/firewall.log empty. Running tcpdump with "-l"
(output buffering) solves the clear-text redirection into a file, but
doesn't work with logger(1) (it simply ends the process silently after
1 second or so).
Does anyone have a suggestion how to fix this so I can have real-time
PF logging sent to syslog?

Please try and help me solve the problem and don't try to convince me
to drop either the real time logging and/or the use of syslog (I
can't).


--
TIA
Paolo


hi Paolo!

try

pflogd_flags="-d 5"

in /etc/rc.conf.local


according to pflogd(8) man page,

pflogd closes and then re-opens the log file when it receives SIGHUP,
permitting newsyslog(8) to rotate logfiles automatically. SIGALRM causes
pflogd to flush the current logfile buffers to the disk, thus making the
most recent logs available. The buffers are also flushed every delay
seconds.
.....
-d delay
Time in seconds to delay between automatic flushes of the file.
This may be specified with a value between 5 and 3600 seconds.
If not specified, the default is 60 seconds.

not real time, but it might be helpful somehow?

--
thanks,
VA
