From owner-freebsd-questions Sat Feb 27 16:25:32 1999
Message-ID: <19990228105459.R7279@lemis.com>
Date: Sun, 28 Feb 1999 10:54:59 +1030
From: Greg Lehey
To: Jason Andrew Godfrey, freebsd-questions@FreeBSD.ORG
Subject: Re: syslog config question
WWW-Home-Page: http://www.lemis.com/~grog
Organization: LEMIS, PO Box 460, Echunga SA 5153, Australia
Phone: +61-8-8388-8286
Fax: +61-8-8388-8725
Mobile: +61-41-739-7062

On Friday, 26 February 1999 at 22:38:55 -0600, Jason Andrew Godfrey wrote:
> Hello.
>
> I've just set up a new FreeBSD 3.1 Release box, and I keep on getting
> messages like:
>
> xxx /kernal: arp: xxx.xxx.xxx.xxx moved from blah_mac_address to
> another_mac_address on vx0.
>
> I'd like for these messages to disappear.

Then catch the person who's using the IP address.

> I figure I can do it with /etc/syslog.conf, but I'm not sure
> how. Normally I'd do some trial and error first, but right now a
> cracker has found this box interesting, and I don't want to risk
> missing log messages due to an error.
>
> Could anyone help me come up with the magical formula to get this
> message to disappear?

Remove its cause, not the effect. It's a serious message.

In any case, the message comes from here, in /sys/netinet/if_arp.c:

    if (sdl->sdl_alen &&
        bcmp((caddr_t)ea->arp_sha, LLADDR(sdl), sdl->sdl_alen))
            if (rt->rt_expire)
                log(LOG_INFO, "arp: %s moved from %6D to %6D on %s%d\n",
                    inet_ntoa(isaddr), (u_char *)LLADDR(sdl), ":",
                    ea->arp_sha, ":",
                    ac->ac_if.if_name, ac->ac_if.if_unit);
            else {
                log(LOG_ERR,
                    "arp: %6D attempts to modify permanent entry for %s on %s%d",
                    ea->arp_sha, ":", inet_ntoa(isaddr),
                    ac->ac_if.if_name, ac->ac_if.if_unit);
                goto reply;
            }

The message is written to the kernel log at the priority LOG_INFO. If
you want, you can stop LOG_INFO messages with syslog.conf, but you'll
lose *all* info messages. If you really want to do this, I'd suggest
you change the code above instead: omit the log call.

Greg
--
See complete headers for address, home page and phone numbers
finger grog@lemis.com for PGP public key
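
An added example, not part of the message above or of the FreeBSD source: a Python sketch for tracking down the cause, which pulls the two arp messages produced by the quoted log() calls out of a log and groups the hardware addresses seen per IP address. The sample log lines, the host name and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Patterns follow the two format strings in the if_arp.c excerpt quoted above.
MOVED = re.compile(rf"arp: (\S+) moved from ({MAC}) to ({MAC}) on (\w+)", re.I)
PERMANENT = re.compile(
    rf"arp: ({MAC}) attempts to modify permanent entry for (\S+) on (\w+)", re.I)

def summarize(lines):
    """Return {ip: {"macs": set, "moves": int, "permanent_attempts": int}}."""
    report = defaultdict(
        lambda: {"macs": set(), "moves": 0, "permanent_attempts": 0})
    for line in lines:
        m = MOVED.search(line)
        if m:
            ip, old, new, _ifname = m.groups()
            report[ip]["macs"].update((old.lower(), new.lower()))
            report[ip]["moves"] += 1
            continue
        m = PERMANENT.search(line)
        if m:
            mac, ip, _ifname = m.groups()
            report[ip]["macs"].add(mac.lower())
            report[ip]["permanent_attempts"] += 1
    return dict(report)

def contested(report, min_moves=2):
    """IPs that changed hardware address repeatedly or hit a permanent entry.
    A single move can be benign (a replaced NIC), hence the threshold."""
    return sorted(ip for ip, e in report.items()
                  if e["moves"] >= min_moves or e["permanent_attempts"])

# Constructed sample (documentation addresses, made-up MACs), not real log data.
SAMPLE = """\
Feb 27 03:12:45 host /kernel: arp: 192.0.2.10 moved from 00:a0:24:11:22:33 to 00:60:97:44:55:66 on vx0
Feb 27 03:13:02 host /kernel: arp: 192.0.2.10 moved from 00:60:97:44:55:66 to 00:a0:24:11:22:33 on vx0
Feb 27 03:20:11 host /kernel: arp: 192.0.2.77 moved from 00:10:4b:aa:bb:cc to 00:10:4b:dd:ee:ff on vx0
Feb 27 03:25:40 host /kernel: arp: 00:60:97:44:55:66 attempts to modify permanent entry for 192.0.2.1 on vx0
Feb 27 03:26:00 host sshd[212]: unrelated line
""".splitlines()

if __name__ == "__main__":
    rep = summarize(SAMPLE)
    for ip in contested(rep):
        e = rep[ip]
        print(ip, sorted(e["macs"]), e["moves"], e["permanent_attempts"])
```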