Date: Sat, 14 May 2005 20:06:14 -0400
From: Parv
To: Per Berger
Cc: FreeBSD questions
Subject: Re: ipfilter and logging...

in message <4285EEDF.4070902@stortsett.se>,
wrote Per Berger thusly...
>
> The handbook says that I can add "security.*" in syslog.conf and
> specify a logfile to log the firewall. But there is already an
> entry in syslog.conf "security.*" from install (I am running
> 5.4-RELEASE upgraded from 5.3 via cvsup (which worked great
> btw...)) pointing at /var/log/security. And all logging goes to
> /var/log/security. But at least some of it goes also to
> /var/log/messages; seems to be the "final" rules that go there,
> i.e. such as "block in log first quick on fxp0 all".

(reformatted the syslog.conf entries)

> *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
  ^ ^ ^ ^ ^ ^ ^ ^
> security.*   /var/log/security

According to above entries & ipmon(8) man page ...

  -s   Packet information read in will be sent through syslogd rather
       than saved to a file.  The default facility when compiled and
       installed is security.  The following levels are used:

       LOG_INFO - packets logged using the "log" keyword as the action
       rather than pass or block.
       LOG_NOTICE - packets logged which are also passed
       LOG_WARNING - packets logged which are also blocked
       LOG_ERR - packets which have been logged and which can be
       considered "short"

... only "pass" directives will/should be logged to "messages", *in
addition to* also being logged in "security".  "block" directives
will only be logged in "security".

> Now for my question. I do really want a separate log file for
> ipfilter. How would I change syslog.conf to separate out the
> ipfilter logs from the rest without breaking any other logging?

Specify a file to ipmon(8) to log messages into via option "-D";
remove traces of ipf(8) activity from /etc/syslog.conf except as
noted below.  Update /etc/newsyslog.conf(5) to have the ipf log file
rotated as you desire.

In order to avoid specifying the option & file name manually each
time you start your system, add something like the following to your
/etc/rc.conf ...

  ipmon_enable="YES"
  ipmon_flags="-D /var/log/ipf.log"

> how do I change the line for /var/log/messages so that no ipfilter
> stuff goes there without breaking something else?

Read syslog.conf(5) man page, especially the part about log levels.
After reading that, in the "/var/log/messages" column, change the
level of facility "security" from "*" to "none".

  - Parv
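
Added example, not part of the original message: a simplified Python model of syslog.conf(5) selector matching. It evaluates the two quoted entries for each ipmon(8) syslog level, before and after "security.none" is appended to the /var/log/messages selector. The names ORIGINAL, CHANGED, threshold and destinations are hypothetical, and only plain "facility.level" terms are modelled.

```python
# Added example: simplified model of syslog.conf(5) selectors.
# Handles only "facility.level" terms joined by ';' (no comma lists,
# no comparison operators such as '=' or '!').
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# ipmon -s level mapping, from the ipmon(8) excerpt quoted in the message.
IPMON = {"log keyword only": "info", "passed": "notice",
         "blocked": "warning", "short": "err"}

MESSAGES = "*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err"
ORIGINAL = [(MESSAGES, "/var/log/messages"), ("security.*", "/var/log/security")]
# The change discussed in the message: security set to "none" for messages.
CHANGED = [(MESSAGES + ";security.none", "/var/log/messages"),
           ("security.*", "/var/log/security")]


def threshold(selector, facility):
    """Least severe level still selected for `facility`, or None.

    Terms are applied left to right, and a later term for the same
    facility replaces what an earlier term (including '*') set.
    """
    thr = None
    for term in selector.split(";"):
        fac, _, lvl = term.strip().partition(".")
        if fac in ("*", facility):
            thr = None if lvl == "none" else ("debug" if lvl == "*" else lvl)
    return thr


def destinations(rules, facility, level):
    """Files that receive a message of the given facility and level."""
    out = []
    for selector, path in rules:
        thr = threshold(selector, facility)
        # A plain level means "this level or more severe".
        if thr is not None and LEVELS.index(level) <= LEVELS.index(thr):
            out.append(path)
    return out


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("changed", CHANGED)):
        for kind, level in IPMON.items():
            print(name, f"security.{level}", f"({kind})",
                  destinations(rules, "security", level))
```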