From owner-freebsd-questions Tue Jan 14 12:47:01 2003
Date: Tue, 14 Jan 2003 22:46:06 +0200
From: Dancho Penev
To: JoeB
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfilter/ipmon log msgs
Message-ID: <20030114204606.GA493@earth.dpsca.bg>
References: <8665ssybqs.fsf@marvin.penguinpowered.org.uk>
User-Agent: Mutt/1.4i

On Mon, Jan 13, 2003 at 05:23:52PM -0500, JoeB wrote:
> From: "JoeB"
> To: "Wayne Pascoe"
> Cc: "FBSDQ"
> Subject: RE: ipfilter/ipmon log msgs
> Date: Mon, 13 Jan 2003 17:23:52 -0500
>
> Did ipf -V and the which command on both ipf & ipmon and they are
> both in the same directory.
> The only thing that looks questionable is ipf -V says log flags: 0
> = none set.

This means that you haven't enabled default logging of packets
(man 8 ipf & search for the -l option).

And now to your original question: when the author of the ipmon man page
says that day, month and year are removed from messages, he means that
they are removed from the messages that are taken from /dev/ipl, not that
they aren't logged in the log files. What you see in your log files from
the beginning of the line to the colon character is appended by syslog,
and it's the day, month and time of sending the message to the system
logger. We have two distinct events:

1. The date and time when packets are blocked or passed, the time when
   they are logged to /dev/ipl (what is actually removed, without time
   it's always logged)
2. The date and time when ipmon logs messages, the time when ipmon reads
   /dev/ipl and logs via syslog or writes to the console

Between these two events we have some time interval, so you must not mix
them up.

> Does this mean ipfilter_flags="" or ipmon_flags="-Ds"
>
> What is this talking about??
>
> In rc.conf I have
>
> ipfilter_enable="YES"
> ipfilter_flags=""
> ipnat_enable="YES"
> ipmon_enable="YES"
> ipmon_flags="-Ds"
>
> Is there an ipfilter web site where I can check the man info page on
> ipmon to see if it has newer information than what FBSD has in its
> man ipmon, which would mean that the new man info was not updated
> into the new FBSD release of ipfilter which happened in FBSD 4.7
>
>
> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Wayne Pascoe
> Sent: Monday, January 13, 2003 4:35 PM
> To: barbish@a1poweruser.com
> Cc: FBSDQ
> Subject: Re: ipfilter/ipmon log msgs
>
> "JoeB" writes:
>
> > Man ipmon says that when option -s is selected to send ipfilter
> > log messages to syslogd the day, month, year prefix is removed from
> > the message before posting to syslogd. This does not happen.
>
> Firstly, ensure you're starting ipmon with the -Ds flags. This will
> put it in daemon mode and log through syslogd.
>
> I've had a problem with logfile formats in the past and this was
> because I was not running the correct version of ipmon.
>
> do
> sudo ipf -V
>
> Check the version. Then do which ipf
>
> Then check to see that the ipmon that is running is in the same
> directory.
>
> Otherwise, post a sample log line...
>
> Regards,
>
> --
> - Wayne Pascoe
>   You know, it's simply not true that wars never
>   settle anything - James Burnham
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

-- 
Regards,
Dancho Penev
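An added example, not part of the thread, that makes the "two distinct events" point concrete: it parses constructed ipmon -Ds lines as syslogd writes them, separating the syslog prefix (when ipmon logged the message) from the time inside the message (when the packet was blocked or passed), and reports the lag between them. The field layout of ipmon's own message is assumed from ipmon(8); the hostnames, addresses and times are made up.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (addresses and times made up) in the shape an
# ipmon -Ds message takes after syslogd has prefixed it.  The layout of
# ipmon's own message (packet time, interface, @group:rule, action,
# src -> dst, PR proto ...) is assumed from ipmon(8).
SAMPLE_LOG = """\
Jan 13 17:20:01 fw ipmon[312]: 17:20:01.113258 fxp0 @0:3 b 192.0.2.10,40213 -> 198.51.100.5,22 PR tcp len 20 60 -S IN
Jan 13 17:20:04 fw ipmon[312]: 17:20:01.904411 fxp0 @0:3 b 192.0.2.10,40214 -> 198.51.100.5,23 PR tcp len 20 60 -S IN
Jan 13 17:20:04 fw ipmon[312]: 17:20:03.000017 fxp0 @0:1 p 203.0.113.7,53 -> 198.51.100.5,1025 PR udp len 20 118 IN
Jan 14 00:00:02 fw ipmon[312]: 23:59:59.500000 fxp0 @0:3 b 192.0.2.10,40215 -> 198.51.100.5,25 PR tcp len 20 60 -S IN
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<stime>\d\d:\d\d:\d\d) "
    r"\S+ ipmon\[\d+\]: (?P<ptime>\d\d:\d\d:\d\d)\.\d+ (?P<ifname>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>\S) (?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+)"
)

def parse_ipmon_lines(text, year):
    """Split each line into the syslog time (when ipmon logged it) and the
    packet time (when ipfilter blocked/passed it), and compute the lag.

    syslogd records no year, so the caller supplies it.  The packet time
    has no date at all, so it borrows the syslog date; if that makes it
    later than the syslog time, the packet was seen before midnight and
    logged after, so one day is subtracted.  Fractional seconds are dropped
    because the syslog prefix only has whole-second resolution.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        logged = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['stime']}", "%Y %b %d %H:%M:%S")
        seen = datetime.combine(
            logged.date(), datetime.strptime(m["ptime"], "%H:%M:%S").time())
        if seen > logged:
            seen -= timedelta(days=1)
        records.append({
            "seen": seen, "logged": logged,
            "lag_seconds": int((logged - seen).total_seconds()),
            "action": m["action"], "rule": f"@{m['group']}:{m['rule']}",
            "src": m["src"], "dst": m["dst"], "proto": m["proto"],
        })
    return records

def max_logging_lag(records):
    """Worst gap seen between a packet being blocked/passed and ipmon logging it."""
    return max((r["lag_seconds"] for r in records), default=0)
```

When correlating firewall hits against other evidence, the time inside the message is the one to use; the syslog prefix only tells you when ipmon got around to writing it.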