From: snowcrash
Date: Mon, 23 Apr 2007 15:11:12 -0700
To: freebsd-pf@freebsd.org
Subject: logging pf in ASCII via syslog -- logs not saved

i'm using FreeBSD v6.2-RELEASE + pf + pflog.

firewall works great, and i can watch real-time output on logging_device:pflog0 with,

    tcpdump -tttt -nei pflog0

i'd like to archive & rotate the logs as well, so, following instructions at,

    "Packet Logging Through Syslog"
    http://www.openbsd.org/faq/pf/logging.html

i've -- supposedly -- set up for pf to log in ASCII to /var/log/pflog.txt etc etc

when i start pf, I see in the logs dir,

    ls -al *pf*
    -rw-------  1 root  wheel  24 Apr 23 13:30 pflog
    -rw-------  1 root  wheel   0 Apr 23 13:20 pflog.txt

which, as time passes, show 'pflog' growing as expected,

    ls -al *pf*
    -rw-------  1 root  wheel  1056 Apr 23 13:45 pflog
    -rw-------  1 root  wheel     0 Apr 23 13:20 pflog.txt

if i exec the /etc/pflogrotate script either manually @ shell, or via cron, i see,

    reading from file /var/log/pflog5min.200704231347, link-type PFLOG (OpenBSD pflog file)

but immediately afterwards, checking in the log dir, i see only,

    ls -alt /var/log/*pf*
    -rw-------  1 root  wheel  24 Apr 23 13:48 pflog
    -rw-------  1 root  wheel   0 Apr 23 13:47 pflog.txt

with no trace of the rolled log :-/

if i allow the top of the hour to pass, the newsyslog cron job fires, after which i see,

    ls -alt /var/log/*pf*
    -rw-------  1 root  wheel  24 Apr 23 14:00 /var/log/pflog
    -rw-------  1 root  wheel  62 Apr 23 14:00 /var/log/pflog.txt
    -rw-------  1 root  wheel  62 Apr 23 14:00 /var/log/pflog.txt.0

where,

    cat /var/log/pflog.txt.0
    Apr 23 14:00:00 router newsyslog[36971]: logfile turned over

bottom line -- i'm not getting my ascii-based pf-logs anywhere.

any suggestions as to what i'm missing would be appreciated :-/

thanks!