PF logging as in the FAQ not working

Thu, 14 Aug 2003 16:49:07 -0700

Hello. Just got an OpenBSD 3.3 machine running as the firewall for a small network - I've just started using OpenBSD recently so I'm sure it a rookie mistake. I've been trying to get the packet logging set up as in the faq but I can't get the file pflog.txt to be created. I've read this post and checked everything that I can think of:http://www.benzedrine.cx/pf/msg01009.html

I've tried running the scripts as root and I get no errors but the file pflog.txt is never created, even when I can see that there is information in the pflog file.

I created the pflogger user as in the FAQ but left the password blank to prevent logon. Could that be causing the problem?

I've configured syslog.conf as follows and restarted it as in the FAQ
#       $OpenBSD: syslog.conf,v 1.12 2001/08/23 13:27:52 camield Exp $
#

*.err;kern.debug;auth.notice;authpriv.none;mail.crit    /dev/console
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug,user.info,syslog.info                        /var/log/messages
auth.info                                               /var/log/authlog
authpriv.debug                                          /var/log/secure
cron.info                                               /var/cron/log
daemon.info                                             /var/log/daemon
ftp.info                                                /var/log/xferlog
lpr.debug                                               /var/log/lpd-errs
mail.info                                               /var/log/maillog
#uucp.info                                              /var/log/uucp
local0.info                                             /var/log/pflog.txt
local0.info                                             @syslogger

*.err                                                   root
*.notice;auth.debug                                     root
*.alert                                                 root
*.emerg                                                 *

# Uncomment to log to a central host named "loghost".   You need to run
# syslogd with the -u option on the remote host if you are using this.
# (This is also required to log info from things like routers and
# ISDN-equipment).  If you run -u, you are vulnerable to syslog bombing,
# and should consider blocking external syslog packets
#*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none        @loghost
#kern.debug,user.info,syslog.info                               @loghost
#auth.info,authpriv.debug,daemon.info                           @loghost

# Uncomment to log messages from sudo(8) and chat(8) to their own
# respective log files.  Matches are done based on the program name
# Program-specific logs:
#!sudo
#*.*                                                    /var/log/sudo
#!chat
#*.*                                                    /var/log/chat

My /etc/pflogrotate is as follows:
FILE=/home/pflogger/pflog5min.$(date "+%Y%m%d%H%M")
kill -ALRM $(cat /var/run/pflogd.pid)
if [ $(ls -l /var/log/pflog | cut -d " " -f 8) -gt 24 ]; then
        mv /var/log/pflog $FILE
        chown pflogger $FILE
        kill -HUP $(cat /var/run/pflogd.pid)
fi

and the permission are:
-rwxr--r--  1 root  wheel  241 Aug 13 09:23 /etc/pflogrotate

The /home/pflogger/pfl2sysl is as follows:
for logfile in /home/pflogger/pflog5min* ; do
        tcpdump -n -e -ttt -r $logfile | logger -t pf -p local0.info
        rm $logfile
done

and the permission are as follows:
-rwxr--r--  1 pflogger  pflogger  128 Aug 13 09:40 /home/pflogger/pfl2sysl

Is there something I've missed or done incorrectly? Is there something else to check?

Scott Plumlee
PGP Public key: http://plumlee.org/pgp/ D64C 47D9 B855 5829 D22A D390 F8E2 9B58 9CBF 1F8D

Reply via email to