From: Mel
To: freebsd-questions@freebsd.org
Cc: Anton Shterenlikht
Date: Tue, 26 Feb 2008 18:26:22 +0100
Subject: Re: SOLVED: Re: IPMON log to syslog doesn't work
Message-Id: <200802261826.23184.fbsd.questions@rachie.is-a-geek.net>
In-Reply-To: <20080226163127.GA88231@mech-aslap33.men.bris.ac.uk>
References: <20080226132032.GA86468@mech-aslap33.men.bris.ac.uk> <20080226150113.GA87235@mech-aslap33.men.bris.ac.uk> <20080226163127.GA88231@mech-aslap33.men.bris.ac.uk>

On Tuesday 26 February 2008 17:31:27 Anton Shterenlikht wrote:
> On Tue, Feb 26, 2008 at 03:01:13PM +0000, Anton Shterenlikht wrote:
> > On Tue, Feb 26, 2008 at 03:42:51PM +0100, Mel wrote:
> > > On Tuesday 26 February 2008 15:25:37 Anton Shterenlikht wrote:
> > > > On Tue, Feb 26, 2008 at 03:09:14PM +0100, Mel wrote:
> > > > > On Tuesday 26 February 2008 14:20:32 Anton Shterenlikht wrote:
> > > > > > I'm trying to troubleshoot my ipfilter firewall, and I cannot get
> > > > > > any log data, i.e. /var/log/ipfilter.log is empty.
> > > > >
> > > > > Does:
> > > > > # logger -p security.notice test
> > > > > put anything in the log?
> > > >
> > > > yes:
> > > >
> > > > # logger -p security.notice test
> > > > # cat /var/log/ipfilter.log
> > > > Feb 26 00:00:00 mech-cluster238 newsyslog[21510]: logfile turned over
> > > > Feb 26 14:17:07 mech-cluster238 mexas: test
> > > > # cat /var/log/security
> > > > Jul 20 10:52:47 newsyslog[463]: logfile first created
> > > > Feb 26 14:17:07 mech-cluster238 mexas: test
> > > > #
> > > >
> > > > so what does this mean?
> > >
> > > That syslog works correctly and it's really ipmon. Are you sure it's
> > > running? How about ipmon -s (without the -D), does that turn up in
> > > syslog?
> >
> > # ipmon -s&
> > [1] 23892
> > # ps ax | grep ipmon
> > 23892 p0 S 0:00.11 ipmon -s
> > 23908 p0 R+ 0:00.00 grep ipmon
> > #
> >
> > but the logs are still empty:
> >
> > # cat /var/log/ipfilter.log
> > Feb 26 00:00:00 mech-cluster238 newsyslog[21510]: logfile turned over
> > Feb 26 14:17:07 mech-cluster238 mexas: test
> > # cat /var/log/security
> > Jul 20 10:52:47 newsyslog[463]: logfile first created
> > Feb 26 14:17:07 mech-cluster238 mexas: test
> > #
> >
> > however:
> >
> > # ipmon -D
> > 26/02/2008 14:49:59.202056 3x dc0 @0:1 b 137.222.187.22,1004 ->
> > 255.255.255.255,1004 PR udp len 20 67 IN broadcast
> > 26/02/2008 14:50:13.064314 2x dc1 @0:1 b 10.10.10.7,520 ->
> > 10.10.10.255,520 PR udp len 20 72 IN broadcast
> > ^C
> > #
> >
> > Perhaps I should play with other ipmon flags as well?
>
> I solved it following the IPF FAQ:
> http://www.phildev.net/ipf/IPFipmon.html#ipmon1
>
> Q. I have IPMon logging to syslog, but syslog doesn't
> log anything, why not?
>
> A. IPF logs as local0 so you'll want something to the effect of:
> local0.debug /var/log/ipf.log in your syslog.conf.
> NOTE: There has to be at least one TAB in that line, not just spaces.
>
> so I changed "security.*" to "local0.*" in /etc/syslog.conf:
>
> # grep local0 /etc/syslog.conf
> local0.* /var/log/ipfilter.log
> #
>
> and now I have (lots) of logs in the log file:
>
> # tail -2 /var/log/ipfilter.log
> Feb 26 16:20:05 mech-cluster238 ipmon[24166]: 16:20:05.248083 2x dc0 @0:20 b 137.222.187.85,137 -> 137.222.187.255,137 PR udp len 20 78 IN broadcast
> Feb 26 16:20:07 mech-cluster238 ipmon[24166]: 16:20:06.876597 dc0 @0:21 b 137.222.187.10,138 -> 137.222.187.255,138 PR udp len 20 212 IN broadcast
> #
>
> # ls -al /var/log/ipfilter.log
> -rw-r----- 1 root wheel 74889 26 Feb 16:21 /var/log/ipfilter.log
> #
>
> But now I wonder if the FBSD handbook has an error in section
> 28.5.7 IPMON Logging:
>
> "Add the following statement to /etc/syslog.conf:
> security.* /var/log/ipfilter.log
>
> The security.* means to write all the logged
> messages to the coded file"
>
> Shall I submit this as a manual error, or is it more complex?

I was just looking at that. The weird thing is the following:
http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/ipfilter/tools/ipmon.c?rev=1.4.2.2

#ifndef LOGFAC
#define LOGFAC LOG_LOCAL0
#endif

In the contrib/ipfilter/Makefile it is set to security, but... FreeBSD builds
with src/sbin/ipf/ipmon and there it is indeed LOG_LOCAL0. So either you
could request a docfix or a Makefile fix. There's probably a reason why it's
set hardcoded like that to LOG_LOCAL0.

--
Mel

Problem with today's modular software: they start with the modules and never
get to the software part.
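As an added example (not from this thread, the IPF FAQ or the FreeBSD sources): a POSIX sh check that a syslog.conf actually routes local0, the facility ipmon.c's LOGFAC defaults to, into the ipfilter log file with a TAB between selector and action, as the FAQ requires. The function name check_ipmon_syslog and the sample config files used in its test are my own.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of FreeBSD's ipfilter.
# check_ipmon_syslog CONF [LOGFILE]
#   Verifies that CONF (a syslog.conf) has an uncommented line that sends the
#   local0 facility (the LOGFAC default in ipmon.c quoted in the thread) to
#   LOGFILE (default /var/log/ipfilter.log), and that the selector and the
#   action are separated by at least one TAB, as the IPF FAQ requires.
#   Returns 0 when such a line is present and well-formed, 1 otherwise, and
#   prints a one-line diagnosis either way.
check_ipmon_syslog() {
    conf=$1
    logfile=${2:-/var/log/ipfilter.log}
    tab=$(printf '\t')

    # Uncommented lines whose action is the log file.
    lines=$(grep -v '^[[:space:]]*#' "$conf" 2>/dev/null | grep -F "$logfile" || true)
    if [ -z "$lines" ]; then
        echo "FAIL: nothing in $conf writes to $logfile"
        return 1
    fi

    # Among those, lines whose selector covers local0 (explicitly, or via "*.")
    # at the start of the line or after a ',' or ';' selector separator.
    hits=$(printf '%s\n' "$lines" | grep -E '(^|[,;])(local0|\*)\.' || true)
    if [ -z "$hits" ]; then
        facility=$(printf '%s\n' "$lines" | cut -d. -f1 | head -n 1)
        echo "FAIL: $logfile is fed from $facility, not local0; ipmon output lands elsewhere"
        return 1
    fi

    # The FAQ's TAB requirement: a separator made only of spaces is a failure.
    if ! printf '%s\n' "$hits" | grep -q "$tab"; then
        echo "FAIL: local0 line for $logfile uses spaces, not a TAB, before the action"
        return 1
    fi

    echo "OK: local0 -> $logfile (TAB-separated)"
    return 0
}

# Stand-alone use: sh check_ipmon_syslog.sh /etc/syslog.conf [/var/log/ipfilter.log]
if [ $# -gt 0 ]; then
    check_ipmon_syslog "$@"
fi
```

The handbook's `security.*` line from the thread fails the facility check, while the FAQ's `local0.*` line passes only when it is TAB-separated.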