From owner-freebsd-questions Fri Jan 2 09:32:51 1998
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id JAA17522 for questions-outgoing; Fri, 2 Jan 1998 09:32:51 -0800 (PST) (envelope-from owner-freebsd-questions)
Received: from base486.home.org (root@imdave.pr.mcs.net [205.164.3.77]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id JAA17503 for ; Fri, 2 Jan 1998 09:32:42 -0800 (PST) (envelope-from imdave@mcs.net)
Received: (from imdave@localhost) by base486.home.org (8.8.8/8.8.8) id LAA04387; Fri, 2 Jan 1998 11:26:55 -0600 (CST)
Date: Fri, 2 Jan 1998 11:26:55 -0600 (CST)
From: Dave Bodenstab
Message-Id: <199801021726.LAA04387@base486.home.org>
To: dakott@alpha.delta.edu, freebsd-questions@FreeBSD.ORG
Subject: Re: logging ipfirewall LOG directives through syslogd
Sender: owner-freebsd-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Your question tickled my curiosity...

> From: David Kott
> I use the kernel IP firewall and use the "log" directive to alert me
> to possibly nefarious network traffic. However, I would like to channel
> these messages through the syslog facility. I added some code to the
> kernel ip firewall to (apparently) log messages via the syslog()
> interface. This is an example of what I added to:

It sounds to me like you already know most of this... but one thing you should do is dig a little deeper and follow your inferences one more step.

It's been a long time since I hacked the kernel, but a good rule of thumb is to copy that which is already done. In this case, you need to find out how the kernel logs other messages to syslog. The first log message that came to my mind was the ``pid ? uid ? exited on signal ?'' message.
A quick fgrep in /sys/kern/*.c for ``core'' got me:

    kern_sig.c:coredump(p)

which showed me:

    log(LOG_INFO, "pid %d: %s: uid %d: exited on signal %d\n",
        p->p_pid, p->p_comm, p->p_ucred->cr_uid, signum);

Following the calls to log:

    log() [subr_prf.c] -> logpri()             [subr_prf.c]
    log()              -> kprintf(..TOLOG..)   [subr_prf.c]
    log()              -> logwakeup()          [subr_log.c]

Hmmm... there does not seem to be anything setting the ``program name'' for the kernel syslog messages.

Next, looking in /usr/src/usr.sbin/syslogd/syslogd.c, in function printsys() there is:

    (void)strcpy(line, getbootfile());
    (void)strcat(line, ": ");

So, it looks to me that the ``program name'' for kernel messages comes from syslogd which gets it from getbootfile().

I now must mention that this is where I stopped. I can't be sure without actually doing some coding and testing, but it sure looks like:

1. The syslog is effectively already "open" for the kernel and there is no need for an openlog() call. Another grep thru *all* kernel source confirmed that there is no ``openlog'' function -- of course the kernel link already said this ;-)

2. The call to log() writes a syslog message -- there is no syslog() function. Again, the kernel link confirms this.

3. Since syslogd is setting the ``program name'' for kernel messages, there is no way for the kernel to log anything under another name (such as "ipfw").

Hope this gets you a little further. Keep the list informed of your progress. Good luck.

Dave Bodenstab
imdave@mcs.net
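The path the mail traces (kernel log() emits a "<pri>" prefixed line, syslogd's printsys() reads it and prepends getbootfile() plus ": " as the program name) is easier to see with the parsing step written out. The following C program is an added illustration and is not code from the original mail, the FreeBSD kernel, or syslogd; it re-implements in userland what the message describes syslogd doing to a line read from /dev/klog, so that the three conclusions at the end of the mail can be checked against concrete input. Assumptions: the boot file name is hard-coded as "/kernel" (a stand-in for getbootfile()), the fallback priority for a line with no "<pri>" prefix is LOG_KERN|LOG_CRIT, and the sample lines fed to it are constructed here, not captured from a real system.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Assumed stand-in for getbootfile(): real syslogd asks the kernel for
 * this, we hard-code what a 2.2-era FreeBSD box would typically report. */
#define BOOTFILE "/kernel"

/* Assumed default priority for a kernel line that carries no "<pri>"
 * prefix (e.g. a raw printf() rather than a log() call). */
#define DEFSPRI (LOG_KERN | LOG_CRIT)

/*
 * format_klog_line: take one raw line as read from /dev/klog, strip the
 * "<pri>" prefix that the kernel's log() emitted, and build the text a
 * syslogd-style daemon would record.  Returns the priority (facility |
 * severity) to log it under.  Note that the program name is supplied by
 * this userland code, standing in for syslogd's printsys(); nothing in
 * the kernel line itself names "ipfw" or any other identity.
 */
int format_klog_line(const char *raw, char *out, size_t outlen)
{
    int pri = DEFSPRI;
    const char *p = raw;

    if (*p == '<') {
        pri = 0;
        p++;
        /* accumulate decimal digits; stop early so a hostile prefix
         * cannot overflow int before the range check below */
        while (isdigit((unsigned char)*p) && pri <= (LOG_FACMASK | LOG_PRIMASK))
            pri = 10 * pri + (*p++ - '0');
        if (*p == '>')
            p++;
        /* anything outside the facility|severity bit range is treated
         * as garbage and falls back to the default priority */
        if (pri & ~(LOG_FACMASK | LOG_PRIMASK))
            pri = DEFSPRI;
    }

    /* program name comes from the boot file, not from the kernel line */
    int written = snprintf(out, outlen, "%s: ", BOOTFILE);
    size_t n = (written < 0 || (size_t)written >= outlen) ? outlen - 1 : (size_t)written;

    /* copy the message body up to (not including) the newline */
    while (*p != '\0' && *p != '\n' && n + 1 < outlen)
        out[n++] = *p++;
    out[n] = '\0';
    return pri;
}

int main(void)
{
    /* constructed sample lines, in the form log()/printf() would leave
     * them in the kernel message buffer */
    const char *samples[] = {
        "<6>pid 1234: foo: uid 0: exited on signal 11\n",
        "ipfw: a line with no priority prefix\n",
        "<9999>a line with a bogus priority\n",
    };
    char buf[256];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int pri = format_klog_line(samples[i], buf, sizeof buf);
        printf("facility=%d severity=%d text=\"%s\"\n",
               LOG_FAC(pri), LOG_PRI(pri), buf);
    }
    return 0;
}
```

The first sample is what the coredump() log(LOG_INFO, ...) call in the mail produces: facility LOG_KERN, severity LOG_INFO, and the "/kernel: " program name added by the reader side. The second shows that a line with no prefix still ends up under the same name, and the third that a malformed prefix is discarded rather than trusted. This is the mechanism behind the mail's point 3: the identity is decided by whoever reads /dev/klog, so a kernel-side openlog("ipfw", ...) has nothing to hook into.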