From: Volker <volker@vwsoft.com>
To: schneecrash+pf@gmail.com
Cc: freebsd-pf@freebsd.org
Subject: Re: logging pf in ASCII via syslog -- logs not saved
Date: Tue, 24 Apr 2007 17:35:24 +0200
Message-ID: <462E23BC.8020401@vwsoft.com>
In-Reply-To: <70f41ba20704231511u2b7a1497y9063ec0d8eca6cbf@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 12/23/-58 20:59, snowcrash wrote:
> i'm using FreeBSD v6.2-RELEASE + pf + pflog.
>
> firewall works great, and i can watch real-time output on
> logging_device:pflog0 with,
>
> tcpdump -tttt -nei pflog0
>
>
> i'd like to archive & rotate the logs as well, so, following
> instructions at,
>
> "Packet Logging Through Syslog"
> http://www.openbsd.org/faq/pf/logging.html
>
> i've -- supposedly -- setup for pf to log in ASCII to /var/log/pflog.txt
> etc etc
>
> when i start pf, I see in the logs dir,
>
> ls -al *pf*
> -rw------- 1 root wheel 24 Apr 23 13:30 pflog
> -rw------- 1 root wheel 0 Apr 23 13:20 pflog.txt
>
> which, as time passes, show 'pflog' growing as expected,
>
> ls -al *pf*
> -rw------- 1 root wheel 1056 Apr 23 13:45 pflog
> -rw------- 1 root wheel 0 Apr 23 13:20 pflog.txt
>
> if i exec the /etc/pflogrotate script either manually @ shell, or via
> cron, i see,
>
> reading from file /var/log/pflog5min.200704231347, link-type PFLOG
> (OpenBSD pflog file)
>
> but immediately afterwards, checking in the log dir, i see only,
>
> ls -alt /var/log/*pf*
> -rw------- 1 root wheel 24 Apr 23 13:48 pflog
> -rw------- 1 root wheel 0 Apr 23 13:47 pflog.txt
>
> with no trace of the rolled log :-/
>
> if i allow the top of the hour to pass, the newsyslog cron job fires,
> after which i see,
>
> ls -alt /var/log/*pf*
> -rw------- 1 root wheel 24 Apr 23 14:00 /var/log/pflog
> -rw------- 1 root wheel 62 Apr 23 14:00 /var/log/pflog.txt
> -rw------- 1 root wheel 62 Apr 23 14:00 /var/log/pflog.txt.0
>
> where,
>
> cat /var/log/pflog.txt.0
> Apr 23 14:00:00 router newsyslog[36971]: logfile turned over
>
> bottom line -- i'm not getting my ascii-based pf-logs anywhere.
>
> any suggestions as to what i'm missing would be appreciated :-/
>
> thanks!
>
I suspect there's a mistake in your script. Have you tried using `tcpdump | logger' manually? Have you tried using `set -x' in your shell script and checked if you see any errors? Have you removed the last `rm $FILE' and checked if $FILE is created well? Have you checked if logger does its job when started manually (`echo "this is a test" | logger -t pf -p local0.info')?

Check this out first. I suspect this to be a script issue.

HTH,
Volker
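As an added example (not from this thread, the poster's /etc/pflogrotate, or the OpenBSD FAQ script it was copied from), here is a pflogrotate-style script that follows the flow described above: flush and rotate /var/log/pflog to /var/log/pflog5min.<stamp>, convert the rotated capture with tcpdump, and hand the text to syslog with `logger -t pf -p local0.info`. It differs from a bare `tcpdump | logger; rm $FILE` in the points Volker asks about: the rotated capture is only removed after both tcpdump and logger succeeded, a failure is reported on stderr, and the text goes through an intermediate file so the tcpdump exit status is visible without relying on `pipefail`. The external commands are variables so the conversion and shipping steps can be exercised with stand-in commands on a machine without pf. The pid file path /var/run/pflogd.pid and the use of SIGALRM (flush) and SIGHUP (reopen) towards pflogd are assumptions about the pflogd(8) in use; check them against the local man page.

```shell
#!/bin/sh
# pflogrotate-style script (added example). Moves the binary pflog
# capture aside, converts it to text with tcpdump and ships it to
# syslog via logger. Every external command is a variable so the
# convert/ship steps can be tested with stand-in commands.
PFLOG=${PFLOG:-/var/log/pflog}
PFLOGD_PIDFILE=${PFLOGD_PIDFILE:-/var/run/pflogd.pid}   # assumed path
TCPDUMP=${TCPDUMP:-tcpdump}
LOGGER=${LOGGER:-logger}
LOG_TAG=pf
LOG_PRI=local0.info
PCAP_HEADER=24   # bytes: a capture with no records is just the pcap global header

# Send a signal to pflogd. Assumed semantics: ALRM flushes buffered
# records to $PFLOG, HUP makes pflogd reopen (recreate) $PFLOG.
pflogd_signal() {
    pid=$(cat "$PFLOGD_PIDFILE") || return 1
    kill "-$1" "$pid"
}

# True when the capture holds at least one record beyond the 24-byte header
# (the "24 ... pflog" in an ls listing means an empty capture).
pflog_has_records() {
    [ -f "$1" ] || return 1
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -gt "$PCAP_HEADER" ]
}

# Convert one rotated capture to text and ship it to syslog.
# Keeps the capture and returns non-zero if tcpdump or logger fails, so a
# broken pipeline is visible instead of the log being silently discarded.
pflog_ship() {
    file=$1
    txt=$(mktemp) || return 1
    if ! "$TCPDUMP" -n -e -ttt -r "$file" > "$txt"; then
        echo "pflogrotate: tcpdump failed on $file, keeping it" >&2
        rm -f "$txt"
        return 1
    fi
    if ! "$LOGGER" -t "$LOG_TAG" -p "$LOG_PRI" < "$txt"; then
        echo "pflogrotate: logger failed, keeping $file" >&2
        rm -f "$txt"
        return 1
    fi
    rm -f "$txt" "$file"
}

# One rotation cycle: flush, skip if empty, rotate, reopen, ship.
pflog_rotate() {
    stamp=$(date "+%Y%m%d%H%M")
    rotated="${PFLOG}5min.$stamp"
    pflogd_signal ALRM || return 1            # flush pending records
    pflog_has_records "$PFLOG" || return 0    # header only: nothing to do
    mv "$PFLOG" "$rotated" || return 1
    pflogd_signal HUP || return 1             # pflogd recreates $PFLOG
    pflog_ship "$rotated"
}

# Rotate only when called with "rotate" (e.g. from cron); without an
# argument the file just defines the functions so they can be sourced.
if [ "${1:-}" = rotate ]; then
    pflog_rotate
fi
```

Run it as `/etc/pflogrotate rotate` from cron every five minutes, or by hand with `sh -x /etc/pflogrotate rotate` to see each step. The "reading from file ..., link-type PFLOG" line the poster sees is tcpdump's banner on stderr, not evidence that logger received anything; if the intermediate text file fills but nothing arrives in /var/log/pflog.txt, the script has done its part and the local0 routing on the syslogd side is the next thing to look at.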