Question about redirecting to a multiple log files from pflogd


Question about redirecting to a multiple log files from pflogd

C. L. Martinez
Hi all,

 I have some rules that I would like to redirect in syslog format to a
log file. I don't need to touch /var/log/pflog. To accomplish this I
have tried to start pflogd daemon with the following options:

 "-s 256 -i pflog0 -f /var/log/pflog -i pflog1 -f /tmp/test.log"

 ... but it doesn't work. Afterwards, I tried to start another pflogd
instance with "-s 256 -i pflog1 -f /tmp/test.log":

25317 ??  S       0:49.58 pflogd: [running] -s 256 -i pflog1 -f
/tmp/test.log (pflogd)
13851 ??  Ss      0:00.23 ntpd: ntp engine (ntpd)
16445 ??  Is      0:00.03 ntpd: dns engine (ntpd)
11227 ??  Ss      0:00.02 ntpd: [priv] (ntpd)
21752 ??  Is      0:00.05 /usr/sbin/sshd
14014 ??  Ss      0:00.30 sendmail: accepting connections (sendmail)
14724 ??  Is      0:00.01 /usr/sbin/ftp-proxy
14277 ??  Ss      0:00.04 /usr/sbin/cron
11070 ??  Ss      0:35.46 sshd: root@ttyp0 (sshd)
18112 ??  Is      0:00.01 pflogd: [priv] (pflogd)
14997 ??  S       0:01.08 pflogd: [running] -s 256 -i pflog0 -f
/var/log/pflog (pflogd)

 .. but it doesn't work. /var/log/pflog doesn't register any activity
(pflog0 and pflog1 interfaces are up).

 At this stage, I only need to test whether this approach works using the
tcpdump file format in both log files ...

 Is it possible to use several pflogX interfaces and redirect all logs
to several log files? I am using OpenBSD 5.1.

Thanks.


Re: Question about redirecting to a multiple log files from pflogd

C. L. Martinez
On Tue, Aug 14, 2012 at 10:00 AM, C. L. Martinez <[hidden email]> wrote:

> Hi all,
>
>  I have some rules that I would like to redirect in syslog format to a
> log file. I don't need to touch /var/log/pflog. To accomplish this I
> have tried to start pflogd daemon with the following options:
>
>  "-s 256 -i pflog0 -f /var/log/pflog -i pflog1 -f /tmp/test.log"
>
>  ... but it doesn't work. Afterwards, I tried to start another pflogd
> instance with "-s 256 -i pflog1 -f /tmp/test.log":
>
> 25317 ??  S       0:49.58 pflogd: [running] -s 256 -i pflog1 -f
> /tmp/test.log (pflogd)
> 13851 ??  Ss      0:00.23 ntpd: ntp engine (ntpd)
> 16445 ??  Is      0:00.03 ntpd: dns engine (ntpd)
> 11227 ??  Ss      0:00.02 ntpd: [priv] (ntpd)
> 21752 ??  Is      0:00.05 /usr/sbin/sshd
> 14014 ??  Ss      0:00.30 sendmail: accepting connections (sendmail)
> 14724 ??  Is      0:00.01 /usr/sbin/ftp-proxy
> 14277 ??  Ss      0:00.04 /usr/sbin/cron
> 11070 ??  Ss      0:35.46 sshd: root@ttyp0 (sshd)
> 18112 ??  Is      0:00.01 pflogd: [priv] (pflogd)
> 14997 ??  S       0:01.08 pflogd: [running] -s 256 -i pflog0 -f
> /var/log/pflog (pflogd)
>
>  .. but it doesn't work. /var/log/pflog doesn't register any activity
> (pflog0 and pflog1 interfaces are up).
>
>  At this stage, I only need to test whether this approach works using the
> tcpdump file format in both log files ...
>
>  Is it possible to use several pflogX interfaces and redirect all logs
> to several log files? I am using OpenBSD 5.1.
>
> Thanks.

Please, any tip?


Re: Question about redirecting to a multiple log files from pflogd

Marcus MERIGHI
[hidden email] (C. L. Martinez), 2012.08.15 (Wed) 20:20 (CEST):
> On Tue, Aug 14, 2012 at 10:00 AM, C. L. Martinez <[hidden email]> wrote:

> > Hi all,
> >
> >  I have some rules that I would like to redirect in syslog format to a
> > log file. I don't need to touch /var/log/pflog. To accomplish this I
> > have tried to start pflogd daemon with the following options:
> >
> >  "-s 256 -i pflog0 -f /var/log/pflog -i pflog1 -f /tmp/test.log"
> >
> >  ... but it doesn't work. Afterwards, I tried to start another pflogd
> > instance with "-s 256 -i pflog1 -f /tmp/test.log":
> >
> > 25317 ??  S       0:49.58 pflogd: [running] -s 256 -i pflog1 -f
> > /tmp/test.log (pflogd)
> > 13851 ??  Ss      0:00.23 ntpd: ntp engine (ntpd)
> > 16445 ??  Is      0:00.03 ntpd: dns engine (ntpd)
> > 11227 ??  Ss      0:00.02 ntpd: [priv] (ntpd)
> > 21752 ??  Is      0:00.05 /usr/sbin/sshd
> > 14014 ??  Ss      0:00.30 sendmail: accepting connections (sendmail)
> > 14724 ??  Is      0:00.01 /usr/sbin/ftp-proxy
> > 14277 ??  Ss      0:00.04 /usr/sbin/cron
> > 11070 ??  Ss      0:35.46 sshd: root@ttyp0 (sshd)
> > 18112 ??  Is      0:00.01 pflogd: [priv] (pflogd)
> > 14997 ??  S       0:01.08 pflogd: [running] -s 256 -i pflog0 -f
> > /var/log/pflog (pflogd)
> >
> >  .. but it doesn't work. /var/log/pflog doesn't register any activity
> > (pflog0 and pflog1 interfaces are up).
> >
> >  At this stage, I only need to test whether this approach works using the
> > tcpdump file format in both log files ...
> >
> >  Is it possible to use several pflogX interfaces and redirect all logs
> > to several log files? I am using OpenBSD 5.1.
> >
> > Thanks.
>
> Please, any tip?

I'm not completely sure I understand what you want: is your log file
supposed to contain tcpdump(8) binary format or the format resulting
from tcpdump -r <file> or tcpdump -i pflogX?

Anyway, I use the following to get tcpdump -i pflogX to syslog:

#!/bin/sh -e
# Create pflog0 if it does not exist yet.
ifconfig pflog0 > /dev/null 2>&1 || sudo ifconfig pflog0 create up
# Start logger(1) as a ksh coprocess ("|&"); its pipe is reachable via the p descriptor.
logger -p local1.notice -t pflog |&
logger_pid=${!}
# Duplicate the coprocess descriptors, then point stdout at the coprocess input.
exec 5<&p 6>&p
exec 1>&6
# tcpdump's decoded pflog0 lines (stderr included) now flow into syslog at local1.notice.
exec /usr/sbin/tcpdump -qtvneli pflog0 2>&1 &

bye, Marcus



Re: Question about redirecting to a multiple log files from pflogd

C. L. Martinez
On Thu, Aug 16, 2012 at 11:41 AM, MERIGHI Marcus <[hidden email]> wrote:

> [hidden email] (C. L. Martinez), 2012.08.15 (Wed) 20:20 (CEST):
>> On Tue, Aug 14, 2012 at 10:00 AM, C. L. Martinez <[hidden email]> wrote:
>> > Hi all,
>> >
>> >  I have some rules that I would like to redirect in syslog format to a
>> > log file. I don't need to touch /var/log/pflog. To accomplish this I
>> > have tried to start pflogd daemon with the following options:
>> >
>> >  "-s 256 -i pflog0 -f /var/log/pflog -i pflog1 -f /tmp/test.log"
>> >
>> >  ... but it doesn't work. Afterwards, I tried to start another pflogd
>> > instance with "-s 256 -i pflog1 -f /tmp/test.log":
>> >
>> > 25317 ??  S       0:49.58 pflogd: [running] -s 256 -i pflog1 -f
>> > /tmp/test.log (pflogd)
>> > 13851 ??  Ss      0:00.23 ntpd: ntp engine (ntpd)
>> > 16445 ??  Is      0:00.03 ntpd: dns engine (ntpd)
>> > 11227 ??  Ss      0:00.02 ntpd: [priv] (ntpd)
>> > 21752 ??  Is      0:00.05 /usr/sbin/sshd
>> > 14014 ??  Ss      0:00.30 sendmail: accepting connections (sendmail)
>> > 14724 ??  Is      0:00.01 /usr/sbin/ftp-proxy
>> > 14277 ??  Ss      0:00.04 /usr/sbin/cron
>> > 11070 ??  Ss      0:35.46 sshd: root@ttyp0 (sshd)
>> > 18112 ??  Is      0:00.01 pflogd: [priv] (pflogd)
>> > 14997 ??  S       0:01.08 pflogd: [running] -s 256 -i pflog0 -f
>> > /var/log/pflog (pflogd)
>> >
>> >  .. but it doesn't work. /var/log/pflog doesn't register any activity
>> > (pflog0 and pflog1 interfaces are up).
>> >
>> >  At this stage, I only need to test whether this approach works using the
>> > tcpdump file format in both log files ...
>> >
>> >  Is it possible to use several pflogX interfaces and redirect all logs
>> > to several log files? I am using OpenBSD 5.1.
>> >
>> > Thanks.
>>
>> Please, any tip?
>
> I'm not completely sure I understand what you want: is your log file
> supposed to contain tcpdump(8) binary format or the format resulting
> from tcpdump -r <file> or tcpdump -i pflogX?
>
> Anyway, I use the following to get tcpdump -i pflogX to syslog:
>
> #!/bin/sh -e
> ifconfig pflog0 > /dev/null 2>&1 || sudo ifconfig pflog0 create up
> logger -p local1.notice -t pflog |&
> logger_pid=${!}
> exec 5<&p 6>&p
> exec 1>&6
> exec /usr/sbin/tcpdump -qtvneli pflog0 2>&1 &
>
> bye, Marcus
>

Thanks Marcus, that is my second phase. At this moment, I need to use
different pflog file names (and different pflogX interfaces) for
some rules; this is where I have problems ...


Re: Question about redirecting to a multiple log files from pflogd

Stuart Henderson
On 2012-08-14, C. L. Martinez <[hidden email]> wrote:
> Hi all,
>
>  I have some rules that I would like to redirect in syslog format to a
> log file. I don't need to touch /var/log/pflog. To accomplish this I
> have tried to start pflogd daemon with the following options:
>
>  "-s 256 -i pflog0 -f /var/log/pflog -i pflog1 -f /tmp/test.log"

I don't believe a single pflogd process can run on multiple interfaces,
I think you would need to run a second process for pflog1.

>  ... but it doesn't work. Afterwards, I tried to start another pflogd
> instance with "-s 256 -i pflog1 -f /tmp/test.log":
>
> 25317 ??  S       0:49.58 pflogd: [running] -s 256 -i pflog1 -f
> /tmp/test.log (pflogd)
> 13851 ??  Ss      0:00.23 ntpd: ntp engine (ntpd)
> 16445 ??  Is      0:00.03 ntpd: dns engine (ntpd)
> 11227 ??  Ss      0:00.02 ntpd: [priv] (ntpd)
> 21752 ??  Is      0:00.05 /usr/sbin/sshd
> 14014 ??  Ss      0:00.30 sendmail: accepting connections (sendmail)
> 14724 ??  Is      0:00.01 /usr/sbin/ftp-proxy
> 14277 ??  Ss      0:00.04 /usr/sbin/cron
> 11070 ??  Ss      0:35.46 sshd: root@ttyp0 (sshd)
> 18112 ??  Is      0:00.01 pflogd: [priv] (pflogd)
> 14997 ??  S       0:01.08 pflogd: [running] -s 256 -i pflog0 -f
> /var/log/pflog (pflogd)
>
>  .. but it doesn't work. /var/log/pflog doesn't register any activity
> (pflog0 and pflog1 interfaces are up).

Do you have PF rules causing writes to go to the relevant pflog interface?

Do you see anything with tcpdump -neipflog0 / tcpdump -neipflog1?
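The setup Stuart describes, one pflogd process per pflog interface with each PF rule steering its records to a specific interface, as an added example written for this thread (it is not Stuart's or OpenBSD's own code). It assumes an OpenBSD host with pflogd(8), ifconfig(8) and pgrep(1); the pf.conf fragment is constructed, the per-interface file name scheme /var/log/pflog.<ifname> is an assumption, and pflog0 keeps the default /var/log/pflog so the base system is not touched. The parser only recognises the "log (... to pflogN)" form; plain "log" goes to pflog0 and is always listed.

```sh
#!/bin/sh
# Added example: run one pflogd(8) per pflog interface referenced in pf.conf.
# Assumptions: OpenBSD, pflogd/ifconfig/pgrep available, extra log files live
# at /var/log/pflog.<ifname>. Nothing here is the thread's own code.

# Constructed pf.conf fragment showing the "log (all, to pflogN)" option.
SAMPLE_PFCONF='
set skip on lo
block log all
pass in log (all, to pflog1) proto tcp to port 22
block log (to pflog2) from <badhosts>
pass out all
'

# Print every pflog interface that rules send records to, one per line,
# sorted and de-duplicated. pflog0 is implicit for a plain "log" and is
# always included.
pflog_targets() {
    printf '%s\n' "$1" |
    sed -n 's/.*log *(.*to *\(pflog[0-9][0-9]*\).*/\1/p' |
    { echo pflog0; cat; } | sort -u
}

# The pflogd command line for one interface. pflog0 keeps the default
# /var/log/pflog; any other interface gets its own file. -s 256 matches the
# snaplen used in the thread.
pflogd_cmd() {
    if [ "$1" = pflog0 ]; then
        echo "pflogd -s 256 -i pflog0 -f /var/log/pflog"
    else
        echo "pflogd -s 256 -i $1 -f /var/log/pflog.$1"
    fi
}

# Create each interface if missing and start a separate pflogd for it,
# skipping interfaces that already have one (matched on the ps command line,
# e.g. "pflogd: [running] -s 256 -i pflog1 -f ...").
start_loggers() {
    pfconf=$(cat /etc/pf.conf)
    for ifn in $(pflog_targets "$pfconf"); do
        ifconfig "$ifn" >/dev/null 2>&1 || ifconfig "$ifn" create up
        if pgrep -f "pflogd.* -i $ifn " >/dev/null; then
            echo "$ifn: pflogd already running"
        else
            $(pflogd_cmd "$ifn")
            echo "$ifn: started $(pflogd_cmd "$ifn")"
        fi
    done
}

# Only act on the live system when invoked as: sh thisscript run
if [ "${1:-}" = run ]; then
    start_loggers
fi
```

After the loggers are up, the check from Stuart's reply applies per interface: tcpdump -n -e -i pflog1 shows records arriving on the interface, and tcpdump -n -e -ttt -r /var/log/pflog.pflog1 shows what the matching pflogd actually wrote, which separates an interface-level problem from a pflogd-level one.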


Re: Question about redirecting to a multiple log files from pflogd

C. L. Martinez
On Sun, Aug 19, 2012 at 12:25 PM, Stuart Henderson <[hidden email]> wrote:

> On 2012-08-14, C. L. Martinez <[hidden email]> wrote:
>> Hi all,
>>
>>  I have some rules that I would like to redirect in syslog format to a
>> log file. I don't need to touch /var/log/pflog. To accomplish this I
>> have tried to start pflogd daemon with the following options:
>>
>>  "-s 256 -i pflog0 -f /var/log/pflog -i pflog1 -f /tmp/test.log"
>
> I don't believe a single pflogd process can run on multiple interfaces,
> I think you would need to run a second process for pflog1.
>
>>  ... but it doesn't work. Afterwards, I tried to start another pflogd
>> instance with "-s 256 -i pflog1 -f /tmp/test.log":
>>
>> 25317 ??  S       0:49.58 pflogd: [running] -s 256 -i pflog1 -f
>> /tmp/test.log (pflogd)
>> 13851 ??  Ss      0:00.23 ntpd: ntp engine (ntpd)
>> 16445 ??  Is      0:00.03 ntpd: dns engine (ntpd)
>> 11227 ??  Ss      0:00.02 ntpd: [priv] (ntpd)
>> 21752 ??  Is      0:00.05 /usr/sbin/sshd
>> 14014 ??  Ss      0:00.30 sendmail: accepting connections (sendmail)
>> 14724 ??  Is      0:00.01 /usr/sbin/ftp-proxy
>> 14277 ??  Ss      0:00.04 /usr/sbin/cron
>> 11070 ??  Ss      0:35.46 sshd: root@ttyp0 (sshd)
>> 18112 ??  Is      0:00.01 pflogd: [priv] (pflogd)
>> 14997 ??  S       0:01.08 pflogd: [running] -s 256 -i pflog0 -f
>> /var/log/pflog (pflogd)
>>
>>  .. but it doesn't work. /var/log/pflog doesn't register any activity
>> (pflog0 and pflog1 interfaces are up).
>
> Do you have PF rules causing writes to go to the relevant pflog interface?

Yes, I have two rules that redirect logs to pflog1 using (log all, to
pflog1) ...

>
> Do you see anything with tcpdump -neipflog0 / tcpdump -neipflog1?

Yes, I see logs on this interface (pflog1) and on pflog0. At
interface level everything is correct; the problem is with the /var/log/pflog log
file. It doesn't register anything ...