pflog to graylog

Hi, I want to push data from pflog0 device to my graylog server. Has anyone done something similar or maybe with elastic/GELF ? There is https://github.com/dennisoelkers/keil but seemd abandoned and I couldn't make it work. There is also packetbeat which is also ported to openbsd but it seems

Re: pflog flooded with igmp queries

On Thu, Jan 2, 2020 at 12:34 PM Otto Moerbeek wrote: > > Can't seem to find that specific info anywhere. > > see man pf.conf and then search for allow-opts I see that it says they are blocked, but nothing to indicate they are also automatically logged. Chris

Re: pflog flooded with igmp queries

On Thu, Jan 02, 2020 at 12:27:40PM -0500, Sonic wrote: > On Thu, Jan 2, 2020 at 1:00 AM Sebastien Marie wrote: > > And by default, packets > > with ip-options are block-logged. > > Can't seem to find that specific info anywhere. see man pf.conf and then search for allow-opts -Otto >

Re: pflog flooded with igmp queries

On Thu, Jan 2, 2020 at 12:27 PM Sonic wrote: > I used: > block proto igmp More specifically: block drop quick proto igmp as I thought "return" would simply add extra traffic to the network. Chris

Re: pflog flooded with igmp queries

On Thu, Jan 2, 2020 at 1:00 AM Sebastien Marie wrote: > And by default, packets > with ip-options are block-logged. Can't seem to find that specific info anywhere. > I suppose that adding an explicit rule with allow-opts should do the trick. > depending your need (block or allow): >

Re: pflog flooded with igmp queries

On Wed, Jan 01, 2020 at 12:33:30PM -0500, Sonic wrote: > The pflogs on my firewall and on a new system I'm installing (-current > with pretty much a default pf.conf) are flooded with igmp query > entries. Neither system has a log rule for such action. [...] > Reason? To quote pf.conf(5) manual

Re: pflog flooded with igmp queries

pfctl -si Status: Enabled for 1 days 23:53:56 Debug: err State Table Total Rate current entries 13 half-open tcp 0 searches 1008640.6/s inserts

Re: pflog flooded with igmp queries

Sonic(sonicsm...@gmail.com) on 2020.01.01 12:33:30 -0500: > The pflogs on my firewall and on a new system I'm installing (-current > with pretty much a default pf.conf) are flooded with igmp query > entries. Neither system has a log rule for such action. > > Ex: >

pflog flooded with igmp queries

The pflogs on my firewall and on a new system I'm installing (-current with pretty much a default pf.conf) are flooded with igmp query entries. Neither system has a log rule for such action. Ex: === rule 1/(match) pass in on em1: 192.168.1.20 > 224.0.0.1: igmp

Re: Opinion about pflog

Fri, 30 Sep 2016 20:43:02 +0200 Walter Alejandro Iglesias [...] > The point is, I ask myself the same a lot of unix users probably are > asking themselves, should I invest more time in educating myself in > practices that in two days could be declared obsolete? Hi Walter,

Re: Opinion about pflog

To the other people who answer me here, sorry for the delay, I took some time to calm down and not degrade myself to the level of discussion some person here proposed me. Martin Brandenburg, I know what pcap files are, I used them. But, as I said, I'm not an expert, I didn't take in care that

Re: Opinion about pflog

On Wed, Sep 28, 2016 at 02:36:10PM -0600, Theo de Raadt wrote: > > So, *binary* logs. Sounds familiar to me. And then: > > Your type of person seems familiar to be me. Undeducated *check* > opinioned *check* Contrasting authoritatively without any education > to back it up

Re: Opinion about pflog

. > I must confess I'm one among those "run to the hills" paranoids. I'm > not an expert, perhaps I'm judging pflog wrong but, anyway, I still > prefer the traditional way, using cat, grep and tail. Well, for for generally keeping an eye on things and not putting too mu

Re: Opinion about pflog

On 09/28/2016 04:25 PM, Walter Alejandro Iglesias wrote: > And this "uncommon" practice among unix system administrators (sarcasm), > needs a "workaround". You end with a file with a curious termination: > > Create the file /var/log/pflog.txt ... You can name it pflog.log versus pflog.txt,

Re: Opinion about pflog

among unix system administrators (sarcasm), needs a "workaround". You end with a file with a curious termination: Create the file /var/log/pflog.txt ... I must confess I'm one among those "run to the hills" paranoids. I'm not an expert, perhaps I'm judging pflog wro

Re: Opinion about pflog

> The log file written by pflogd is in binary format and cannot be > read using a text editor. > > So, *binary* logs. Sounds familiar to me. And then: Your type of person seems familiar to be me. Undeducated *check* opinioned *check* Contrasting authoritatively without any

Re: Opinion about pflog

I'm one among those "run to the hills" paranoids. I'm > not an expert, perhaps I'm judging pflog wrong but, anyway, I still > prefer the traditional way, using cat, grep and tail. > > # file /var/log/pflog /var/log/pflog: tcpdump capture file (little-endian) - version 2.4 (

Opinion about pflog

rkaround". You end with a file with a curious termination: Create the file /var/log/pflog.txt ... I must confess I'm one among those "run to the hills" paranoids. I'm not an expert, perhaps I'm judging pflog wrong but, anyway, I still prefer the traditional way, using cat, grep and tail.

Re: pflog disappeared

You're right, probably pflogrotate script is buggy. root@master[~]ls /var/log/pflog ls: /var/log/pflog: No such file or directory wtf? where is my pflog file? :) interesting, because it worked almost 3 years On 04 Apr 2014, at 04:55, Philip Guenther guent...@gmail.com wrote: On Thu, Apr 3

Re: pflog disappeared

On Fri, Apr 04, 2014 at 09:02:06PM +0200, emigrant wrote: You're right, probably pflogrotate script is buggy. root@master[~]ls /var/log/pflog ls: /var/log/pflog: No such file or directory wtf? where is my pflog file? :) interesting, because it worked almost 3 years Make sure systemd

Re: pflog disappeared

On 2014-04-04, Philip Guenther guent...@gmail.com wrote: On Thu, Apr 3, 2014 at 12:18 AM, emigrant emig...@gmail.com wrote: After 64 days uptime(OpenBSD 5.4 i386) /var/log/pflog disappeared. Cron Daemon sent to me: Subject: Cron root@master /bin/sh /etc/pflogrotate pkill: kvm_getprocs

pflog disappeared

Hi everyone After 64 days uptime(OpenBSD 5.4 i386) /var/log/pflog disappeared. Cron Daemon sent to me: Subject: Cron root@master /bin/sh /etc/pflogrotate pkill: kvm_getprocs() failed Hmm, yes I use pflogrotate to change pflog - pflog.txt . After copy pflog from another machine everything

Re: pflog disappeared

On Thu, Apr 3, 2014 at 12:18 AM, emigrant emig...@gmail.com wrote: After 64 days uptime(OpenBSD 5.4 i386) /var/log/pflog disappeared. Cron Daemon sent to me: Subject: Cron root@master /bin/sh /etc/pflogrotate pkill: kvm_getprocs() failed Hmm, yes I use pflogrotate to change pflog

Re: Questions about monitoring LAN traffic with openbsd/pf/pflog/pflow

Em 22-03-2014 08:39, Florian Obser escreveu: On Thu, Mar 20, 2014 at 06:14:39PM -0300, Giancarlo Razzolini wrote: AFAIK, using anything beside proto 5 on pflow interfaces is broken, at least on OpenBSD 5.4. I know there were some recent work in this area that solves this issue. Nope, proto 9

Re: Questions about monitoring LAN traffic with openbsd/pf/pflog/pflow

On Thu, Mar 20, 2014 at 06:14:39PM -0300, Giancarlo Razzolini wrote: AFAIK, using anything beside proto 5 on pflow interfaces is broken, at least on OpenBSD 5.4. I know there were some recent work in this area that solves this issue. Nope, proto 9 was allways working. proto 10 had the problem

Re: Questions about monitoring LAN traffic with openbsd/pf/pflog/pflow

the packets. Based on further experiments motivated by your suggestions, I have concluded that I’ve been using the wrong tool(s) for the job. Since I’m using the OpenBSD box to just read all packets on an interface, I shouldn’t be using pf/pflog/pflow at all, I should just focus on apps like tcpdump

Questions about monitoring LAN traffic with openbsd/pf/pflog/pflow

in on em2 tag tap_b ifconfig bridge0 up I’d like to configure pf as follows: Log all traffic on em2/bridge0 to (ideally a specific) pflog interface Also “log” flows on em2/bridge0 to (ideally a specific) pflow interface Leave em0 alone (in its default state

Re: Questions about monitoring LAN traffic with openbsd/pf/pflog/pflow

tap_b ifconfig bridge0 up I’d like to configure pf as follows: Log all traffic on em2/bridge0 to (ideally a specific) pflog interface Also “log” flows on em2/bridge0 to (ideally a specific) pflow interface Leave em0 alone (in its default state), and don’t “duplicate

Re: Questions about monitoring LAN traffic with openbsd/pf/pflog/pflow

by your suggestions, I have concluded that I’ve been using the wrong tool(s) for the job. Since I’m using the OpenBSD box to just read all packets on an interface, I shouldn’t be using pf/pflog/pflow at all, I should just focus on apps like tcpdump that open the interface directly, and read what

Re: How to have more than 15 pflog interfaces?

On Thu, Apr 12, 2012 at 3:44 AM, Henning Brauer lists-openbsdt...@bsws.de wrote: diffs are for current of course but should work for 5.1 as well - dunno what you are trying. Dear Henning, I have upgraded my firewall to 5.1 could you please give ma a unified diff or something I can try

Re: How to have more than 15 pflog interfaces?

(, pflog_softc)pflogif_list; struct if_clonepflog_cloner = IF_CLONE_INITIALIZER(pflog, pflog_clone_create, pflog_clone_destroy); -struct ifnet *pflogifs[PFLOGIFS_MAX];/* for fast access */ -struct mbuf*pflog_mhdr = NULL, *pflog_mptr = NULL; +int npflogifs

Re: How to have more than 15 pflog interfaces?

* Siju George sgeorge@gmail.com [2012-04-10 08:16]: On Tue, Apr 10, 2012 at 11:40 AM, Andres Perera andre...@zoho.com wrote: altering the max might have consequences i don't know about: I will stick with 15 :-) actually, bumping it should be absolutely safe. pretty dumb limit actually,

Re: How to have more than 15 pflog interfaces?

On Wed, Apr 11, 2012 at 2:55 PM, Henning Brauer lists-open...@bsws.de wrote: actually, bumping it should be absolutely safe. pretty dumb limit actually, we should just dynamically allocate the pflogifs array. Thanks :-) Siju

Re: How to have more than 15 pflog interfaces?

*, struct rtentry *); intpflogioctl(struct ifnet *, u_long, caddr_t); @@ -91,16 +92,14 @@ LIST_HEAD(, pflog_softc)pflogif_list; struct if_clonepflog_cloner = IF_CLONE_INITIALIZER(pflog, pflog_clone_create, pflog_clone_destroy); -struct ifnet *pflogifs[PFLOGIFS_MAX

Re: How to have more than 15 pflog interfaces?

On Wed, Apr 11, 2012 at 3:50 PM, Henning Brauer lists-open...@bsws.de wrote: please try this report back Thanks Henning but I need some help :-( I got the following errors and I have attached the .rej files = # patch -p0 patch.if_pflog Hmm... Looks

Re: How to have more than 15 pflog interfaces?

= IF_CLONE_INITIALIZER(pflog, pflog_clone_create, pflog_clone_destroy); -struct ifnet *pflogifs[PFLOGIFS_MAX];/* for fast access */ -struct mbuf *pflog_mhdr = NULL, *pflog_mptr = NULL; +intnpflogifs = 0; +struct ifnet **pflogifs = NULL; /* for fast access */ +struct mbuf *pflog_mhdr

Re: How to have more than 15 pflog interfaces?

* Siju George sgeorge@gmail.com [2012-04-11 14:25]: On Wed, Apr 11, 2012 at 3:50 PM, Henning Brauer lists-open...@bsws.de wrote: please try this report back Thanks Henning but I need some help :-( I got the following errors and I have attached the .rej files diffs are for

Re: How to have more than 15 pflog interfaces?

* patrick keshishian sids...@boxsoft.com [2012-04-11 14:55]: On Wed, Apr 11, 2012 at 12:20:30PM +0200, Henning Brauer wrote: don't you need two different index vars for this next section? no, why? + for (i = 0; i n; i++) + if (i npflogifs) + p[i] =

Re: How to have more than 15 pflog interfaces?

On Wed, Apr 11, 2012 at 3:14 PM, Henning Brauer lists-openbsdt...@bsws.de wrote: * patrick keshishian sids...@boxsoft.com [2012-04-11 14:55]: On Wed, Apr 11, 2012 at 12:20:30PM +0200, Henning Brauer wrote: don't you need two different index vars for this next section? no, why? I put the

Re: How to have more than 15 pflog interfaces?

On Thu, Apr 12, 2012 at 3:44 AM, Henning Brauer lists-openbsdt...@bsws.de wrote: diffs are for current of course but should work for 5.1 as well - dunno what you are trying. Ok thanks :-) I am running 5.0 --Siju

Re: How to have more than 15 pflog interfaces?

altering the max might have consequences i don't know about: grep -nC5 PFLOGIFS_MAX /sys/net/if_pflog.h 27-#ifndef _NET_IF_PFLOG_H_ 28-#define _NET_IF_PFLOG_H_ 29- 30-#include net/pfvar.h 31- 32:#define PFLOGIFS_MAX16 33- 34-struct pflog_softc { 35- struct ifnetsc_if;

Re: How to have more than 15 pflog interfaces?

On Tue, Apr 10, 2012 at 11:40 AM, Andres Perera andre...@zoho.com wrote: altering the max might have consequences i don't know about: I will stick with 15 :-) grep -nC5 PFLOGIFS_MAX /sys/net/if_pflog.h 27-#ifndef _NET_IF_PFLOG_H_ 28-#define _NET_IF_PFLOG_H_ 29- 30-#include net/pfvar.h

How to have more than 15 pflog interfaces?

Hi, I have /etc/hostname.pflog files from 1-25. but only till 15 is available through ifconfig pflog15: flags=41UP,RUNNING mtu 33152 priority: 0 how do I get till pflog25? Thanks Siju

Re: snort and pf - pflog vs if

* Henning Brauer lists-open...@bsws.de [2011-11-14 21:27]: while this is all correct, let me try to pahse it in a way that i think is clearer. the bpf hooks (aka where bpf grabs the packets) are outside pf, i. e. inbound packets hit pf before bpf and outgoing pf

Re: snort and pf - pflog vs if

Am Sun, 13 Nov 2011 09:51:05 -0600 schrieb Ted Wynnychenko ted@comcast.net: With 4.5, I had snort listening to pflog0, because I understood that listening to the interface directly (e.g. bge0) would not work since any packets dropped by pf would not be seen by snort. pflog0 only shows the

Re: snort and pf - pflog vs if

packets hit pf before bpf and outgoing pf before bpf. that leaves cases where packets traverse the stack more than once (e. g. some encapsulations, some cases where pf makes changes to the packet) aside for clarity. and pflog is special insofar that it is outgoing only, except that it sends nowhere

snort and pf - pflog vs if

Hello I am confused about something. I have recently upgraded from 4.5 to 4.9 (not 5.0 yet). However, I have openbsd/pf as a firewall to protect a home network. Now, even though I don't really understand it all, I had/have snort running on the FW to see what kind of badness passes by. With

Re: pflog shows 0.0.0.0.0 0.0.0.0.0

* Matt Van Mater matt.vanma...@gmail.com [2011-08-22 23:14]: See my configuration at the bottom of this email. I am looking into why my pflog has these ambiguous entries that show source and destination as all zeros e.g. 0.0.0.0.0 0.0.0.0.0. I saw that there was a related thread earlier

Re: pflog shows 0.0.0.0.0 0.0.0.0.0

* Matt Van Mater matt.vanma...@gmail.com [2011-08-22 23:14]: I am looking into why my pflog has these ambiguous entries that show source and destination as all zeros e.g. 0.0.0.0.0 0.0.0.0.0. this fixes it. nsaddr/port and ndaddr/port were set up in pf_test_rule and thus not set up if we

Re: pflog shows 0.0.0.0.0 0.0.0.0.0

Can one of th PF developers weigh in? Is there anything more that I can do to help? E.g. formally list a bug report, provide additional detail, act as tester, etc? On 8/25/11, Kevin Chadwick ma1l1i...@yahoo.co.uk wrote: On Thu, 25 Aug 2011 20:10:12 + (UTC) Stuart Henderson

Re: pflog shows 0.0.0.0.0 0.0.0.0.0

the VM). Matt On Mon, Aug 22, 2011 at 5:09 PM, Matt Van Mater matt.vanma...@gmail.comwrote: Hi All, See my configuration at the bottom of this email. I am looking into why my pflog has these ambiguous entries that show source and destination as all zeros e.g. 0.0.0.0.0 0.0.0.0.0. I saw

Re: pflog shows 0.0.0.0.0 0.0.0.0.0

into why my pflog has these ambiguous entries that show source and destination as all zeros e.g. 0.0.0.0.0 0.0.0.0.0. I saw that there was a related thread earlier this year asking questions that was unresolved/unconfirmed and I would like to get feedback from one of the developers (Daniel

Re: pflog shows 0.0.0.0.0 0.0.0.0.0

On Thu, 25 Aug 2011 20:10:12 + (UTC) Stuart Henderson s...@spacehopper.org wrote: Yes these are from the log (all), looks like a bug to me. I wondered if it was the result of one of the optimisations. The state making SYNs show the correct IP.

pflog shows 0.0.0.0.0 0.0.0.0.0

Hi All, See my configuration at the bottom of this email. I am looking into why my pflog has these ambiguous entries that show source and destination as all zeros e.g. 0.0.0.0.0 0.0.0.0.0. I saw that there was a related thread earlier this year asking questions that was unresolved/unconfirmed

Re: meaning of pflog / tcpdump output

On Sunday 23 January 2011, Johan Helsingius wrote: Matteo, all you need is at http://www.openbsd.org/cgi-bin/man.cgi?query=tcpdumpapropos=0sektion=0; manpath=OpenBSD+Currentarch=i386format=html Thanks, but as I wrote: I am getting a fair bit of log lines that are shown as rule

Re: meaning of pflog / tcpdump output

The short reason code indicates that the packet was truncated or too short and therefore was missing information required to make a packet filtering decision. This could be, for example, a packet that only contained the first few bytes of an IP datagram (or a header that states that it is a

Re: meaning of pflog / tcpdump output

2011/1/22 Johan Helsingius j...@julf.com: Matteo, all you need is at http://www.openbsd.org/cgi-bin/man.cgi?query=tcpdumpapropos=0sektion=0manp ath=OpenBSD+Currentarch=i386format=html Thanks, but as I wrote: I am getting a fair bit of log lines that are shown as rule def/(short), and I

meaning of pflog / tcpdump output

Hi! Another really stupid question - is the full output format of tcpdump when dumping the pflog0 device documented somewhere? I am getting a fair bit of log lines that are shown as rule def/(short), and I can't find anything explaining the meaning of things like (short) - the tcpdump man page

Re: meaning of pflog / tcpdump output

Another really stupid question - is the full output format of tcpdump when dumping the pflog0 device documented somewhere? I am getting a fair bit of log lines that are shown as rule def/(short), and I can't find anything explaining the meaning of things like (short) - the tcpdump man page

Re: meaning of pflog / tcpdump output

Matteo, all you need is at http://www.openbsd.org/cgi-bin/man.cgi?query=tcpdumpapropos=0sektion=0manpath=OpenBSD+Currentarch=i386format=html Thanks, but as I wrote: I am getting a fair bit of log lines that are shown as rule def/(short), and I can't find anything explaining the meaning

Re: meaning of pflog / tcpdump output

On Sat, Jan 22, 2011 at 10:38 AM, matteo filippetto matteo.filippe...@gmail.com wrote: the meaning of things like (short) - the tcpdump man page only lists short as one of the possible values, without explaining what it means.

pflog issues on -current

Hello, Running amd64 GENERIC.MP -current. Started seeing truncated entries in pflog like this: == ...rule 42/(match) block out on em0: [|ip] == They seemed to start after the last build to -current where this got logged

match nat-to pass rule combination pflog output Clarification

Hi, I have these rules for the interface vr1 match out on vr1 inet from 172.16.0.0/12 to any nat-to (vr1) round-robin pass in log (all, to pflog1) quick on vr0 inet from tataips to any flags S/SA keep state label route-to 122.247.14...@vr1 pass out log (all, to pflog3) quick on vr1 all flags

igmp packets in pflog

Hi, I have a (bridging) Firewall with OpenBSD 4.6 stable. In /var/log/pflog I can see many igmp-packets. But I have no log statement for these types of connections in my pf.conf. I have only a log statement for some other hosts (with a different IP). Are igmp packets always logged? Regards Reni

Re: igmp packets in pflog

On Tue, Oct 27, 2009 at 02:25:03PM +0100, Rene Maroufi wrote: Hi, I have a (bridging) Firewall with OpenBSD 4.6 stable. In /var/log/pflog I can see many igmp-packets. But I have no log statement for these types of connections in my pf.conf. I have only a log statement for some other hosts

pflog problem on a bridging firewall

Hi, I've a problem with logging packets in bridging mode with pf under -current. My setup is a machine with em2 ad em3 interfaces in a bridge (no IP address), witth a ruleset that looks like: ---cut--- admif=em0 table laas const { } table administrees const { } table rfc1918 const {

Interpreting strange pflog output

. While monitoring the pflog output, I occasionally see output that looks like this: Apr 24 09:49:46.420762 rule 150/(match) pass in on fxp1: 107.6.96.0 73.243.0.0: at-#0 18 Apr 24 09:49:46.420851 rule 150/(match) pass in on fxp1: 108.6.96.0 73.37.0.0: at-#0 21 Apr 24 09:49:46.420901 rule 150

Re: Interpreting strange pflog output

On Fri, Apr 24, 2009 at 7:53 AM, Aner Perez a...@ncstech.com wrote: ... While monitoring the pflog output, I occasionally see output that looks like this: Apr 24 09:49:46.420762 rule 150/(match) pass in on fxp1: 107.6.96.0 73.243.0.0: at-#0 18 Apr 24 09:49:46.420851 rule 150/(match) pass

Re: pflog filling up /var mount every 2-3 days!

Jake Conk wrote: I have to keep coming here each couple of days to check if that is full and delete them. My question is, is this normal and I just created my /var mount too small? I think the fact that my pflog is that big is the actual problem, does anyone know of a way to fix this? Well

Re: pflog filling up /var mount every 2-3 days!

Jake Conk P=P0P?P8Q
P0: Hello, I have my /var partitioned out to be 150mb which I thought was a enough but every 2-3 days it gets full because I end up with a pflog file that is ridiculously large! Right now I have one that is 53.6mb and I have gotten them larger like 100mb +!! Because

pflog filling up /var mount every 2-3 days!

Hello, I have my /var partitioned out to be 150mb which I thought was a enough but every 2-3 days it gets full because I end up with a pflog file that is ridiculously large! Right now I have one that is 53.6mb and I have gotten them larger like 100mb +!! Because of this my /var partition fills up

Re: pflog filling up /var mount every 2-3 days!

On Fri, 30 Nov 2007, Jake Conk wrote: Hello, I have my /var partitioned out to be 150mb which I thought was a You're probably getting a lot of log hits on a default block log all at the end of your rules. You can prevent a lot of crud by doing block quicks w/o log statements for the

Re: pflog filling up /var mount every 2-3 days!

On Nov 30, 2007 7:47 PM, NetOne - Doichin Dokov [EMAIL PROTECTED] wrote: Jake Conk P=P0P?P8Q P0: Hello, I have my /var partitioned out to be 150mb which I thought was a enough but every 2-3 days it gets full because I end up with a pflog file that is ridiculously large! Right now I

Re: pflog filling up /var mount every 2-3 days!

On 1/12/2007, at 7:23 PM, Jake Conk wrote: Thanks guys for your replies... I'll try to cut down on the all the useless logging I'm doing but when I opened the log files up to see what was inside them I only saw all this binary stuff. I assume thats not what's supposed to be in the pflogs right?

Re: pflog filling up /var mount every 2-3 days!

binary stuff in the logs? I guess this show you just don't need to log things here as you never read them. man(8) pflogd Display binary logs: # tcpdump -n -e -ttt -r /var/log/pflog And go read the faq on openbsd.org. They are a very big source of informations. It's all

Re: pflog filling up /var mount every 2-3 days!

that it is good idea to keep all the the information of pflog files. So, you have several ways to solve this problem: 1) Make a directory on some bigger partition and setup newsyslog by editing /etc/newsyslog.conf to store archieved logs in that folder. 2) Move log folder to some bigger

question about multiple pflog interfaces on openbsd 4.1

Hi all, I have tried to setup a new pflog interface to monitor ipsec traffic and it works ok. Afterwards I have setup another pflogd daemon to store logs on another pcap file under /var/log. But I have one question: how do i to configure newsyslog.conf entry for this new pflogd daemon? If I

Re: PFlog

On Mon, Apr 10, 2006 at 09:27:53PM +0100, Gaby vanhegan wrote: On 10 Apr 2006, at 17:29, Joachim Schipper wrote: The only problem here is that I'm running 3.6 and pmacct requires libpcap = 0.6, and 0.3 is what I have. I can't do an upgrade at the moment, there's too many variables, but

Re: PFlog

On 9 Apr 2006, at 18:55, Gaby vanhegan wrote: And the winner is: pmacct. The only problem here is that I'm running 3.6 and pmacct requires libpcap = 0.6, and 0.3 is what I have. I can't do an upgrade at the moment, there's too many variables, but if I were to build libpcap from source,

Re: PFlog

On Mon, Apr 10, 2006 at 03:05:19PM +0100, Gaby vanhegan wrote: On 9 Apr 2006, at 18:55, Gaby vanhegan wrote: And the winner is: pmacct. The only problem here is that I'm running 3.6 and pmacct requires libpcap = 0.6, and 0.3 is what I have. I can't do an upgrade at the moment,

Re: PFlog

On 10 Apr 2006, at 17:29, Joachim Schipper wrote: The only problem here is that I'm running 3.6 and pmacct requires libpcap = 0.6, and 0.3 is what I have. I can't do an upgrade at the moment, there's too many variables, but if I were to build libpcap from source, would it clobber the version

PFlog

/var/log/pflog is filling up nicely. Taking a few sample lines from the output of: # tcpdump -n -r /var/log/pflog 13:35:07.985465 220.135.151.10.1254 195.224.72.148.25: S 108231586:108231586(0) win 65535 mss 1300,nop,nop,sackOK (DF) 13:35:08.384197 195.224.72.148.59258

Re: PFlog

for years. The mailing archive suggested IPAudit, but I'd rather use native tools if I can. Would pmacct help in this scenario? http://www.pmacct.org/ Not sure whether it could be configured to listen to pflog though. -- Andrew Veitch mailto:[EMAIL PROTECTED]http://erkle.org/

Re: PFlog

On 9 Apr 2006, at 14:10, Andrew Veitch wrote: Would pmacct help in this scenario? http://www.pmacct.org/ Not sure whether it could be configured to listen to pflog though. The thing with pflog is that I can't see which field (if any) is the packet size, which is what I'm interested in. I'm

Re: PFlog

On Sun, 9 Apr 2006, Gaby vanhegan wrote: I'm trying to log how much of which protocol eats what amount of my bandwidth, both inbound and outbound. While I haven't used it in that fashion, I believe that this problem is one of the things pmacct was designed to solve. See page 17 of

Re: PFlog

on. I have pf logging the traffic that I want to account for so /var/log/pflog is filling up nicely. Taking a few sample lines from the output of: # tcpdump -n -r /var/log/pflog 13:35:07.985465 220.135.151.10.1254 195.224.72.148.25: S 108231586:108231586(0) win 65535 mss

Re: PFlog

On 2006/04/09 14:17, Gaby vanhegan wrote: On 9 Apr 2006, at 14:10, Andrew Veitch wrote: Would pmacct help in this scenario? http://www.pmacct.org/ Not sure whether it could be configured to listen to pflog though. The thing with pflog is that I can't see which field (if any

Re: PFlog

On 9 Apr 2006, at 15:26, Stuart Henderson wrote: The thing with pflog is that I can't see which field (if any) is the packet size, which is what I'm interested in. I'm trying to log how much of which protocol eats what amount of my bandwidth, both inbound and outbound. Are the 'pfctl -sr -v

Re: PFlog

On Sun, Apr 09, 2006 at 04:28:58PM +0100, Gaby vanhegan wrote: On 9 Apr 2006, at 15:26, Stuart Henderson wrote: The thing with pflog is that I can't see which field (if any) is the packet size, which is what I'm interested in. I'm trying to log how much of which protocol eats what amount

Re: PFlog

And the winner is: pmacct. This one is really quick and simple to put together, five minutes and a configuration file later and I'm logging all traffic on all ports in 10 minute time slices, broken down by source, destination, MAC, port, etc. It also contains actual amounts of traffic

pflog gets no data

Hi, I want to log some pf-rules via pflog but unfortunately simply nothing gets logged although I think I did the correct steps: - created rules that include something like 'pass in log (all) on...' (actually the rules themselves work and let packets pass) - ifconfig up pflog0 ('ifconfig

Re: pflog gets no data

[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote on : Hi, I want to log some pf-rules via pflog but unfortunately simply nothing gets logged although I think I did the correct steps: - created rules that include something like 'pass in log (all) on...' (actually the rules themselves

Re: pflog gets no data

Am Freitag, den 17.03.2006, 10:58 +0100 schrieb Mark Prins: Hi, set loginterface ? Wasn't configured, right. So I did this with the correct interface but still the same problem. But thanks a lot for your hint! Maybe this has nothing to do with my pflog-problem but I also don't understand why

/var/log/pflog empty

/* are also the same for all of them. Just one is not getting anything in pflog. pflogd is running. ps auxwww says: _pflogd 14121 0.0 0.1 640 244 ?? S 15Feb060:21.15 pflogd: [running] -s 116 -f /var/log/pflog (pflogd) There are rules like: block return-icmp in log quick from ssh-scan

Re: /var/log/pflog empty

modifications of a template one with just the LAN IPs changing. The changes in /etc/* are also the same for all of them. Just one is not getting anything in pflog. pflogd is running. Is there an empty /var/log/pflog, or *no* /var/log/pflog? (just guessing) Empty. It had 24 bytes

Re: /var/log/pflog empty

are pretty much modifications of a template one with just the LAN IPs changing. The changes in /etc/* are also the same for all of them. Just one is not getting anything in pflog. pflogd is running. Is there an empty /var/log/pflog, or *no* /var/log/pflog? (just guessing) Empty

Re: /var/log/pflog empty

replies to outbound) is ssh. The pf.confs are pretty much modifications of a template one with just the LAN IPs changing. The changes in /etc/* are also the same for all of them. Just one is not getting anything in pflog. pflogd is running. Is there an empty /var/log

Re: tcpdump, rulenum, and pflog

of tcpdump's filter criteria, which works on packets logged by pf(4). I know that if I simply enable logging on all of the packets I want to see, using pf-based tcpdump filter criteria works like a charm. The problem I have is that doing so will make for a rather gigantic /var/log/pflog very quickly

Re: tcpdump, rulenum, and pflog

works on packets logged by pf(4). I know that if I simply enable logging on all of the packets I want to see, using pf-based tcpdump filter criteria works like a charm. The problem I have is that doing so will make for a rather gigantic /var/log/pflog very quickly, a situation I'd like

tcpdump, rulenum, and pflog

on all of the packets I want to see, using pf-based tcpdump filter criteria works like a charm. The problem I have is that doing so will make for a rather gigantic /var/log/pflog very quickly, a situation I'd like to avoid if possible (for disk space and possible performance issues). Thus, my

  1   2   >