Date:      Fri, 2 Jan 1998 11:26:55 -0600 (CST)
From:      Dave Bodenstab <imdave@mcs.net>
To:        dakott@alpha.delta.edu, freebsd-questions@FreeBSD.ORG
Subject:   Re: logging ipfirewall LOG directives through syslogd
Message-ID:  <199801021726.LAA04387@base486.home.org>


Your question tickled my curiosity...

> From: David Kott <dakott@alpha.delta.edu>
> I use the kernel IP firewall and use the "log" directive to alert me
> to possibly nefarious network traffic.  However, I would like to channel
> these messages through the syslog facility.  I added some code to the
> kernel ip firewall to (apparently) log messages via the syslog() 
> interface.  This is an example of what I added to:

It sounds to me like you already know most of this... but one thing
you should do is dig a little deeper and follow your inferences
one more step.

It's been a long time since I hacked the kernel, but a good rule
of thumb is to copy that which is already done.  In this case, you
need to find out how the kernel logs other messages to syslog.
The first log message that came to my mind was the ``pid ? uid ?
exited on signal ?'' message.  A quick fgrep in /sys/kern/*.c for
``core'' got me:

  kern_sig.c:coredump(p)

which showed me:

  log(LOG_INFO, "pid %d: %s: uid %d: exited on signal %d\n",
	  p->p_pid, p->p_comm, p->p_ucred->cr_uid, signum);

Following the calls to log:
  log() [subr_prf.c] -> logpri() [subr_prf.c]
  log() -> kprintf(..TOLOG..) [subr_prf.c]
  log() -> logwakeup() [subr_log.c] 

Hmmm... there does not seem to be anything setting the ``program name''
for the kernel syslog messages.

Next, looking in /usr/src/usr.sbin/syslogd/syslogd.c, in function printsys()
there is:

  (void)strcpy(line, getbootfile());
  (void)strcat(line, ": ");

So, it looks to me that the ``program name'' for kernel messages
comes from syslogd which gets it from getbootfile().

I now must mention that this is where I stopped.  I can't be sure without
actually doing some coding and testing, but it sure looks like:

  1.  The syslog is effectively already "open" for the kernel
      and there is no need for an openlog() call.  Another
      grep thru *all* kernel source confirmed that there is no
      ``openlog'' function -- of course the kernel link already
      said this  ;-)
  2.  The call to log() writes a syslog message -- there is no
      syslog() function.  Again, the kernel link confirms this.
  3.  Since syslogd is setting the ``program name'' for kernel
      messages, there is no way for the kernel to log anything
      under another name (such as "ipfw")

Hope this gets you a little further.  Keep the list informed of your
progress.  Good luck.

Dave Bodenstab
imdave@mcs.net
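The path traced in the message above (kernel log() writes "<pri>text" into the log buffer with the facility implicitly LOG_KERN; syslogd's printsys() reads it back, decodes the priority and prepends getbootfile() as the program name) can be shown end to end in user space. The following is an added example written for this archive page, not code from the message, the FreeBSD kernel or syslogd. klog(), printsys(), demo(), struct sysmsg and the in-memory buffer that stands in for /dev/klog are all this example's own names; the ipfw and coredump lines are constructed sample input; the fallback priority for a line without a "<pri>" prefix is assumed to match syslogd's DEFSPRI (LOG_KERN|LOG_CRIT).

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Constructed stand-in for the kernel message buffer that syslogd reads
 * through /dev/klog. All names here are this example's own. */
static char klog_buf[2048];
static size_t klog_len;

/* Kernel side, modelled on log(9): emit "<pri>" and then the formatted
 * text. There is no openlog() and no program name; the facility is
 * implicitly LOG_KERN (0), so pri carries only the level. */
static void klog(int pri, const char *fmt, ...)
{
    va_list ap;
    int n;

    n = snprintf(klog_buf + klog_len, sizeof klog_buf - klog_len, "<%d>", pri);
    if (n < 0 || (size_t)n >= sizeof klog_buf - klog_len)
        return;                     /* buffer full: drop the message */
    klog_len += (size_t)n;
    va_start(ap, fmt);
    n = vsnprintf(klog_buf + klog_len, sizeof klog_buf - klog_len, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= sizeof klog_buf - klog_len)
        klog_len = sizeof klog_buf - 1;
    else
        klog_len += (size_t)n;
}

struct sysmsg {
    int facility;   /* pri & LOG_FACMASK, e.g. LOG_KERN */
    int level;      /* LOG_PRI(pri), e.g. LOG_INFO */
    char text[256]; /* "<bootfile>: <message>" as syslogd would write it */
};

/* Assumed default for a kernel line without a "<pri>" prefix, matching
 * what syslogd calls DEFSPRI. */
#define DEFSPRI (LOG_KERN | LOG_CRIT)

/* syslogd side, modelled on printsys(): split the buffer into lines,
 * decode the "<pri>" prefix, and prepend the boot file name as the
 * "program name". Returns the number of messages decoded. */
int printsys(const char *bootfile, const char *buf, struct sysmsg *out, int max)
{
    const char *p = buf;
    int count = 0;

    while (*p != '\0' && count < max) {
        struct sysmsg *m = &out[count];
        int pri = DEFSPRI;
        size_t len;

        if (*p == '<') {
            const char *q = p + 1;
            int v = 0;
            while (isdigit((unsigned char)*q))
                v = 10 * v + (*q++ - '0');
            if (*q == '>') {        /* only accept a complete "<digits>" */
                pri = v;
                p = q + 1;
            }
        }
        /* Do not trust an out-of-range priority from the buffer. */
        if (pri & ~(LOG_FACMASK | LOG_PRIMASK))
            pri = DEFSPRI;
        m->facility = pri & LOG_FACMASK;
        m->level = LOG_PRI(pri);

        len = strcspn(p, "\n");
        snprintf(m->text, sizeof m->text, "%s: %.*s", bootfile, (int)len, p);
        p += len;
        if (*p == '\n')
            p++;
        count++;
    }
    return count;
}

/* Constructed run: an ipfw deny, a coredump notice and a bare kernel
 * printf (no "<pri>") go in; what comes out is tagged the way syslogd
 * would tag it. Returns the message count. */
int demo(const char *bootfile, struct sysmsg *out, int max)
{
    klog_len = 0;
    klog_buf[0] = '\0';
    klog(LOG_INFO, "ipfw: %d Deny TCP %s %s in via %s\n",
         100, "10.0.0.1:1234", "10.0.0.2:80", "ed0");
    klog(LOG_INFO, "pid %d: %s: uid %d: exited on signal %d\n", 123, "sh", 0, 11);
    klog_len += (size_t)snprintf(klog_buf + klog_len, sizeof klog_buf - klog_len,
                                 "ed0: device timeout\n");
    return printsys(bootfile, klog_buf, out, max);
}

int main(void)
{
    struct sysmsg m[8];
    int i, n = demo("/kernel", m, 8);

    for (i = 0; i < n; i++)
        printf("facility=%d level=%d %s\n", m[i].facility, m[i].level, m[i].text);
    return 0;
}
```

The point the message makes falls out of the output: every line, including the one that begins "ipfw:", is prefixed with "/kernel: " and carries facility LOG_KERN, because the name comes from syslogd's getbootfile() and not from anything the kernel wrote. If you want ipfw messages in their own file, the hook is a syslog.conf selector on the kern facility and level (or a program-name match on the boot file), not an openlog() in the kernel.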
