Date:      Wed, 27 Feb 2008 12:53:01 +0000
From:      Anton Shterenlikht <mexas@bristol.ac.uk>
To:        Mel <fbsd.questions@rachie.is-a-geek.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: SOLVED: Re: IPMON log to syslog doesn't work
Message-ID:  <20080227125301.GA82852@mech-aslap33.men.bris.ac.uk>
In-Reply-To: <200802261826.23184.fbsd.questions@rachie.is-a-geek.net>
References:  <20080226132032.GA86468@mech-aslap33.men.bris.ac.uk> <20080226150113.GA87235@mech-aslap33.men.bris.ac.uk> <20080226163127.GA88231@mech-aslap33.men.bris.ac.uk> <200802261826.23184.fbsd.questions@rachie.is-a-geek.net>

On Tue, Feb 26, 2008 at 06:26:22PM +0100, Mel wrote:
> On Tuesday 26 February 2008 17:31:27 Anton Shterenlikht wrote:
> > On Tue, Feb 26, 2008 at 03:01:13PM +0000, Anton Shterenlikht wrote:
> > > On Tue, Feb 26, 2008 at 03:42:51PM +0100, Mel wrote:
> > > > On Tuesday 26 February 2008 15:25:37 Anton Shterenlikht wrote:
> > > > > On Tue, Feb 26, 2008 at 03:09:14PM +0100, Mel wrote:
> > > > > > On Tuesday 26 February 2008 14:20:32 Anton Shterenlikht wrote:
> > > > > > > I'm trying to troubleshoot my ipfilter firewall, and I cannot get
> > > > > > > any log data, i.e. /var/log/ipfilter.log is empty.
> >
> > I solved it following the IPF FAQ:
> > 	http://www.phildev.net/ipf/IPFipmon.html#ipmon1
> >
> > 	Q. I have IPMon logging to syslog, but syslog doesn't
> > 	   log anything, why not?
> >
> > 	A. IPF logs as local0 so you'll want something to the effect of:
> > 	   local0.debug /var/log/ipf.log in your syslog.conf.
> > 	   NOTE: There has to be at least one TAB in that line, not just spaces.
> >
> > so I changed "security.*" to "local0.*" in /etc/syslog.conf:
> >
> > # grep local0 /etc/syslog.conf
> > local0.*        /var/log/ipfilter.log
> > #
> >
> > and now I have (lots) of logs in the log file:
> >
> > # tail -2 /var/log/ipfilter.log
> > Feb 26 16:20:05 mech-cluster238 ipmon[24166]: 16:20:05.248083 2x dc0 @0:20 b 137.222.187.85,137 -> 137.222.187.255,137 PR udp len 20 78 IN broadcast
> > Feb 26 16:20:07 mech-cluster238 ipmon[24166]: 16:20:06.876597 dc0 @0:21 b 137.222.187.10,138 -> 137.222.187.255,138 PR udp len 20 212 IN broadcast
> > #
> >
> > # ls -al /var/log/ipfilter.log
> > -rw-r-----  1 root  wheel  74889 26 Feb 16:21 /var/log/ipfilter.log
> > #
> >
> > But now I wonder if the FBSD handbook has an error in section
> > 28.5.7 IPMON Logging:
> >
> > 	"Add the following statement to /etc/syslog.conf:
> > 		security.* /var/log/ipfilter.log
> >
> > 	 The security.* means to write all the logged
> > 	 messages to the coded file"
> >
> > Shall I submit this as a manual error, or is it more complex?
> 
> I was just looking at that. The weird thing is the following:
> http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/ipfilter/tools/ipmon.c?rev=1.4.2.2
> #ifndef	LOGFAC
> #define	LOGFAC	LOG_LOCAL0
> #endif
> 
> In the contrib/ipfilter/Makefile it is set to security, but...freebsd builds 
> with src/sbin/ipf/ipmon and there it is indeed LOG_LOCAL0.
> 
> So either you could request docfix or Makefile fix. There's probably a reason 
> why it's set hardcoded like that to LOG_LOCAL0.

I reported this handbook error to the freebsd-doc list.

I also noted that the ipmon man page does say that the default facility
is local0, but it can be changed with -L <facility>. I tried this but
it doesn't seem to work:

# ps ax|grep ipmon
27199  ??  Ss     0:00.11 /sbin/ipmon -sDn -L security
27245  p0  R+     0:00.01 grep ipmon
#

so it is working, but no new messages appear in the log. With local0
I get several messages a minute. 

-- 
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 928 8233 
Fax: +44 (0)117 929 4423
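To make the facility mismatch in this thread concrete, here is an added example (not code from the thread, the handbook or FreeBSD's syslogd) that evaluates syslog.conf selectors as syslog.conf(5) describes them: a message ipmon sends to facility local0 is never matched by the handbook's security.* line but is matched by the FAQ's local0.* line. The optional require_tab mode models the FAQ's tab-only caveat; the sample configuration strings and the priority "notice" are constructed for illustration.

```python
import re

# syslog priority levels, most severe first (syslog.conf(5) ordering)
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample lines: the handbook's selector and the IPF FAQ's selector.
HANDBOOK_CONF = "security.*\t/var/log/ipfilter.log\n"
FAQ_CONF = "local0.*\t/var/log/ipfilter.log\n"

def _selector_verdict(selector, facility, level):
    """One 'fac[,fac].level' selector: True/False if it covers this facility,
    None if it does not mention it."""
    facs, _, lvl = selector.rpartition(".")
    if facs != "*" and facility not in facs.split(","):
        return None
    if lvl == "none":
        return False
    if lvl == "*":
        return True
    if lvl.startswith("="):  # '=level' matches exactly that level
        return level == lvl[1:]
    return LEVELS.index(level) <= LEVELS.index(lvl)  # that level or more severe

def parse_syslog_conf(text, require_tab=False):
    """(selectors, action) pairs; '!prog', '+host', '-host' blocks are skipped.
    require_tab=True models the old syslogd quirk the IPF FAQ warns about:
    a space-only separator leaves the line unparsable, so it is dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line[0] in "!+-":
            continue
        parts = re.split(r"\t+" if require_tab else r"\s+", line, maxsplit=1)
        if len(parts) == 2:
            rules.append((parts[0], parts[1].strip()))
    return rules

def destinations(conf, facility, level, require_tab=False):
    """Actions that receive a message logged at facility.level."""
    out = []
    for selectors, action in parse_syslog_conf(conf, require_tab):
        verdict = None
        for sel in selectors.split(";"):
            v = _selector_verdict(sel, facility, level)
            if v is not None:
                verdict = v  # a later selector on the line overrides an earlier one
        if verdict:
            out.append(action)
    return out
```

Running destinations(HANDBOOK_CONF, "local0", "notice") returns an empty list, while destinations(FAQ_CONF, "local0", "notice") returns ["/var/log/ipfilter.log"], which is exactly the behaviour observed in the thread.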