I've tried running the scripts as root and I get no errors but the file pflog.txt is never created, even when I can see that there is information in the pflog file.
I created the pflogger user as in the FAQ but left the password blank to prevent logon. Could that be causing the problem?
I've configured syslog.conf as follows and restarted it as in the FAQ:

# $OpenBSD: syslog.conf,v 1.12 2001/08/23 13:27:52 camield Exp $
#
*.err;kern.debug;auth.notice;authpriv.none;mail.crit	/dev/console
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none	/var/log/messages
kern.debug,user.info,syslog.info	/var/log/messages
auth.info	/var/log/authlog
authpriv.debug	/var/log/secure
cron.info	/var/cron/log
daemon.info	/var/log/daemon
ftp.info	/var/log/xferlog
lpr.debug	/var/log/lpd-errs
mail.info	/var/log/maillog
#uucp.info	/var/log/uucp
local0.info	/var/log/pflog.txt
local0.info	@syslogger

*.err	root
*.notice;auth.debug	root
*.alert	root
*.emerg	*

# Uncomment to log to a central host named "loghost". You need to run
# syslogd with the -u option on the remote host if you are using this.
# (This is also required to log info from things like routers and
# ISDN-equipment). If you run -u, you are vulnerable to syslog bombing,
# and should consider blocking external syslog packets
#*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none	@loghost
#kern.debug,user.info,syslog.info	@loghost
#auth.info,authpriv.debug,daemon.info	@loghost

# Uncomment to log messages from sudo(8) and chat(8) to their own
# respective log files. Matches are done based on the program name
# Program-specific logs:
#!sudo
#*.*	/var/log/sudo
#!chat
#*.*	/var/log/chat
My /etc/pflogrotate is as follows:

FILE=/home/pflogger/pflog5min.$(date "+%Y%m%d%H%M")

kill -ALRM $(cat /var/run/pflogd.pid)
if [ $(ls -l /var/log/pflog | cut -d " " -f 8) -gt 24 ]; then
    mv /var/log/pflog $FILE
    chown pflogger $FILE
    kill -HUP $(cat /var/run/pflogd.pid)
fi
and the permissions are:

-rwxr--r--  1 root  wheel  241 Aug 13 09:23 /etc/pflogrotate
The /home/pflogger/pfl2sysl is as follows:

for logfile in /home/pflogger/pflog5min* ; do
    tcpdump -n -e -ttt -r $logfile | logger -t pf -p local0.info
    rm $logfile
done
and the permissions are as follows:

-rwxr--r--  1 pflogger  pflogger  128 Aug 13 09:40 /home/pflogger/pfl2sysl
Is there something I've missed or done incorrectly? Is there something else to check?
Scott Plumlee
PGP Public key: http://plumlee.org/pgp/ D64C 47D9 B855 5829 D22A D390 F8E2 9B58 9CBF 1F8D
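The rotate-then-forward procedure from the two scripts above, written here as an added example (not the poster's scripts or the FAQ's): the size test reads the byte count directly instead of a column of ls -l, and a rotated capture is deleted only after the sink accepted it. The paths and the 24-byte threshold (a pcap file holding only its header) follow the poster's scripts; PFLOGD_PID, PFLOG_READER and PFLOG_SINK are hypothetical overrides so the logic can be exercised on a constructed file.

```sh
# Added example, not the poster's scripts or the FAQ's: the same rotate-then-
# forward procedure with a size test that does not depend on the column
# layout of ls -l, and a forward loop that deletes a capture only after it
# was delivered. Paths and the 24-byte threshold (a pcap file with only its
# header) follow the poster's scripts; PFLOG_READER, PFLOG_SINK and PFLOGD_PID
# are hypothetical hooks so the logic can run on a constructed file.
PFLOGD_PID=${PFLOGD_PID:-$(cat /var/run/pflogd.pid 2>/dev/null)}
PCAP_HEADER_BYTES=24

# Size in bytes from wc -c; ls -l field positions vary with column widths.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# True when the capture holds more than a bare pcap header.
pflog_has_data() {
    [ -f "$1" ] && [ "$(file_size "$1")" -gt "$PCAP_HEADER_BYTES" ]
}

# Flush pflogd (ALRM), move the capture into the spool, reopen it (HUP).
# Prints the rotated file name; returns 1 when there was nothing to rotate.
pflog_rotate() {
    pflog="$1"; spool="$2"
    [ -n "$PFLOGD_PID" ] && kill -ALRM "$PFLOGD_PID"
    pflog_has_data "$pflog" || return 1
    out="$spool/pflog5min.$(date "+%Y%m%d%H%M%S")"
    mv "$pflog" "$out" || return 1
    [ -n "$PFLOGD_PID" ] && kill -HUP "$PFLOGD_PID"
    printf '%s\n' "$out"
}

# Feed each spooled capture through the reader into the sink; remove it only
# if the sink accepted it. Prints the number of captures forwarded.
pflog_forward() {
    spool="$1"
    reader="${PFLOG_READER:-tcpdump -n -e -ttt -r}"
    sink="${PFLOG_SINK:-logger -t pf -p local0.info}"
    n=0
    for f in "$spool"/pflog5min*; do
        [ -f "$f" ] || continue
        if $reader "$f" | $sink; then
            rm -f "$f"
            n=$((n + 1))
        fi
    done
    echo "$n"
}
```

Run as pflog_rotate /var/log/pflog /home/pflogger from root's cron and pflog_forward /home/pflogger from the pflogger user's cron, as the FAQ splits the two steps.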