Date: Fri, 15 Dec 2000 18:41:51 +0100
From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Extended ipfw Logging
Message-ID: <20001215184150.K253@speedy.gsinet>
In-Reply-To: <200012150443.PAA19298@caligula.anu.edu.au>; from avalon@coombs.anu.edu.au on Fri, Dec 15, 2000 at 03:43:48PM +1100
References: <20001214205854.J253@speedy.gsinet> <200012150443.PAA19298@caligula.anu.edu.au>
On Fri, Dec 15, 2000 at 15:43 +1100, Darren Reed wrote:
> In some mail from Gerhard Sittig, sie said:
> >
> > Why not have the "verbosity" written in the matching rule?
> > One surely doesn't want to bloat *all* logged entries (not
> > even log all denials, and maybe log some accepted packets
> > too).
>
> Getting back to what you are discussing here, the problem I
> have with variable verbosity is the text then becomes irregular
> for the purpose of parsing and analysis.

The most probable (from my POV) application for different verbosity depending on the matching rule would be to, say, log some UDP packets with "log body" while just doing "log" or "log first" for the fact that some TCP packet was dropped -- since the first TCP packet (SYN) doesn't contain level 5+ payload and reading the body in hex is not any more informative than reading the textual representation of its header immediately above.

Speaking of "irregular log text layout", we already have this. :) The "Nx" for repeated matches between the timestamp and the interface name already shifts the rest of the line. Maybe those log lines without the count number should have a placeholder, too? But then one could start printing IPs with "maximum width" etc. to have everything aligned for the (human) reader. I see, thinking about this is getting endless ...

And maybe I'm just missing how the verbosity level differs from the "simple" (since two stage only) header / header + body logging. Maybe having ipfw log a line like it does now and printing a "continuation line" with additional data when asked to do so in the matching rule would be a way to go.

virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
If you don't understand or are scared by any of the above ask your
parents or an adult to help you.
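The parsing problem raised in this exchange, the optional "Nx" repeat count shifting the fields of an ipfw log line, is easy to get wrong in a log-analysis script. The following is an added example, not code from the original mail or from FreeBSD: it contrasts a positional split (which reads "3x" as the rule number) with a layout-tolerant parser, and shows why a defender must fold the repeat count into packet totals. The sample lines and the exact field order (syslog prefix, "ipfw:", optional "Nx", rule number, action, protocol, endpoints, direction, "via", interface) are constructed assumptions for this example; real ipfw output of that era may differ, which is exactly why the parser refuses to guess on lines it cannot match.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log (not from the original mail). The "Nx" token on the
# second line stands for N repeated matches; the last line is an unrelated
# ipfw message shaped unlike a packet record.
SAMPLE_LOG = """\
Dec 15 18:41:51 speedy /kernel: ipfw: 200 Deny TCP 192.0.2.10:4321 192.0.2.1:22 in via fxp0
Dec 15 18:41:52 speedy /kernel: ipfw: 3x 200 Deny TCP 192.0.2.10:4321 192.0.2.1:22 in via fxp0
Dec 15 18:41:53 speedy /kernel: ipfw: 300 Deny UDP 192.0.2.10:5000 192.0.2.1:53 in via fxp0
Dec 15 18:41:54 speedy /kernel: ipfw: 400 Accept ICMP:8.0 192.0.2.10 192.0.2.1 in via fxp0
Dec 15 18:41:55 speedy /kernel: ipfw: limit 100 reached on entry 200
"""

# Assumed layout (see lead-in). The repeat count and the ports are optional,
# so the regex names every field instead of relying on token positions.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) \S+: ipfw: "
    r"(?:(?P<count>\d+)x )?"                      # optional "Nx" repeat count
    r"(?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? "       # port absent for ICMP
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)


@dataclass
class IpfwEvent:
    rule: int
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: str
    iface: str
    count: int = 1  # packets this line represents; "Nx" expands to N


def parse_line(line: str) -> Optional[IpfwEvent]:
    """Parse one log line; return None for layouts we do not understand."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None  # unknown layout: surface it, never guess field positions
    g = m.groupdict()
    return IpfwEvent(
        rule=int(g["rule"]),
        action=g["action"],
        proto=g["proto"],
        src=g["src"],
        sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"],
        dport=int(g["dport"]) if g["dport"] else None,
        direction=g["dir"],
        iface=g["iface"],
        count=int(g["count"]) if g["count"] else 1,
    )


def naive_rule_field(line: str) -> str:
    """Positional approach: take the token right after 'ipfw:' as the rule.

    This is the bug the thread warns about: with a repeat count present the
    token is "3x", and every later field is off by one as well.
    """
    fields = line.split()
    return fields[fields.index("ipfw:") + 1]


def denied_per_rule(text: str) -> Tuple[Dict[int, int], List[str]]:
    """Sum denied packets per rule, weighting each line by its repeat count.

    Returns (totals, unparsed_lines) so that layout changes are noticed
    instead of silently dropping events from the statistics.
    """
    totals: Dict[int, int] = {}
    unparsed: List[str] = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
            continue
        if ev.action == "Deny":
            totals[ev.rule] = totals.get(ev.rule, 0) + ev.count
    return totals, unparsed


if __name__ == "__main__":
    totals, unparsed = denied_per_rule(SAMPLE_LOG)
    print("denied packets per rule:", totals)
    print("lines needing attention:", unparsed)
```

Run over the sample, the positional reader reports rule "3x" for the repeated line while the tolerant parser reports rule 200 with count 3, so the per-rule total for rule 200 becomes 4 rather than 2. The "limit reached" line is returned in the unparsed list rather than being mis-read, which is the behaviour to want when a log format gains extra fields or continuation lines.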