From owner-freebsd-security@FreeBSD.ORG Wed May 28 13:40:05 2003
Date: Wed, 28 May 2003 23:39:54 +0300 (EEST)
From: "Taras Y. NIZHNIK" <taren@el.ntu-kpi.kiev.ua>
To: "Simon L. Nielsen"
cc: security@freebsd.org
Subject: Re: FW: Question about logging.
In-Reply-To: <20030528201417.GA3741@nitro.dk>
Message-ID: <20030528233144.R52694-100000@doppelganger.el.ntu-kpi.kiev.ua>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
List-Id: Security issues [members-only posting]

On Wed, 28 May 2003, Simon L. Nielsen wrote:

> > > I think you can use something like this in syslog.conf (untested) :
> > >
> > > !-ipfw
> > > *.err;kern.debug;auth.notice;mail.crit /dev/console
> >
> > This would match log entries generated by a userland application named
> > 'ipfw'. The ipfw log lines are, however, generated by the *kernel*, and
> > they would never match this rule.
>
> Ehh, I have the following in my syslog.conf, and it works just fine :
>
> !ipfw
> *.* /var/log/ipfw.log
>
> I only get lines like :
>
> May 20 02:16:28 arthur /kernel: ipfw: 65300 Deny UDP 192.168.3.2:53 192.168.2.3:49239 in via xl0
>
> in /var/log/ipfw.log
>
> I guess it shouldn't work, but it does :-)

Why do you think it should not? "man 5 syslog.conf" says that it *should* work:

    A program specification for `foo' will also match any message logged
    by the kernel with the prefix `foo: '.

So, if you have no running program named "ipfw" which logs to syslogd, the
only messages logged to /var/log/ipfw.log will be messages from
"/kernel: ipfw:".

--
Taras Y. NIZHNIK, AKA Taren, XN7211-XTF, TYN-UANIC, TYN1-RIPE
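A small model of the program-specification matching that the syslog.conf(5) sentence above describes, added here as an illustration; it is not code from the thread or from syslogd itself, and the sample log lines (apart from the kernel line Simon quoted) and the rule set are constructed. It shows why `!ipfw` catches the kernel's "ipfw: " lines while `!-ipfw` keeps them away from a destination.

```python
import re

# Constructed sample input; only the first kernel line is the one quoted in the thread.
LOG = [
    "May 20 02:16:28 arthur /kernel: ipfw: 65300 Deny UDP 192.168.3.2:53 192.168.2.3:49239 in via xl0",
    "May 20 02:16:29 arthur sshd[311]: Accepted publickey for taren from 10.2.16.2",
    "May 20 02:16:30 arthur /kernel: arplookup 192.168.3.9 failed: host is not on local network",
]
# Simon's rule, followed by the "everything except ipfw" form from the first suggestion.
CONF = ["!ipfw", "*.* /var/log/ipfw.log", "!-ipfw", "*.* /var/log/messages"]

# "<timestamp> <host> <tag>[pid]: <message>"; the kernel's tag is "/kernel" in the sample.
_LINE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ (?P<tag>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$")

def program_names(line):
    """Names a '!prog' spec can match for one line: the tag's program, plus the
    'foo' of a leading 'foo: ' in the text when the tag is the kernel."""
    m = _LINE.match(line)
    if not m:
        return set()
    names = {m.group("tag")}
    if m.group("tag") == "/kernel":
        pfx = re.match(r"([A-Za-z0-9_.-]+): ", m.group("msg"))
        if pfx:
            names.add(pfx.group(1))
    return names

def spec_matches(spec, line):
    """'!a,b' selects those programs, '!-a,b' selects everything except them,
    '!*' (or a bare '!') selects everything again."""
    body = spec[1:].strip()
    if body in ("", "*"):
        return True
    negate = body.startswith("-")
    wanted = set(body.lstrip("-").split(","))
    hit = bool(wanted & program_names(line))
    return not hit if negate else hit

def route(conf, lines):
    """Model of syslogd's program filtering: each '!...' line governs the action lines
    after it. Facility/priority selectors are ignored (all rules here are '*.*')."""
    out, current = {}, "!*"
    for rule in conf:
        if rule.startswith("!"):
            current = rule
            continue
        dest = rule.split()[1]
        out[dest] = [ln for ln in lines if spec_matches(current, ln)]
    return out
```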