Date: Sat, 14 May 2005 20:06:14 -0400
From: Parv <parv@pair.com>
To: Per Berger <freebsd@stortsett.se>
Cc: FreeBSD questions <freebsd-questions@freebsd.org>
Subject: Re: ipfilter and logging...
Message-ID: <20050515000614.GA9332@holestein.holy.cow>
In-Reply-To: <4285EEDF.4070902@stortsett.se>
References: <4285EEDF.4070902@stortsett.se>

in message <4285EEDF.4070902@stortsett.se>,
wrote Per Berger thusly...
>
> The handbook says that I can add "security.*" in syslog.conf and
> specify a logfile to log the firewall. But there is already an
> entry in syslog.conf "security.*" from install ( I am running
> 5.4-RELEASE upgraded from 5.3 via cvsup (which worked great
> btw...)) pointing at /var/log/security. And all logging goes to
> /var/log/security. But at least some of it goes also to
> /var/log/messages; seems to be the "final" rules that goes there,
> i.e. such as "block in log first quick on fxp0 all".

(reformatted the syslog.conf entries)

> *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err  /var/log/messages
  ^ ^ ^ ^ ^ ^ ^ ^
> security.*  /var/log/security

According to above entries & ipmon(8) man page ...

  -s  Packet information read in will be sent through syslogd rather
      than saved to a file. The default facility when compiled and
      installed is security. The following levels are used:

      LOG_INFO - packets logged using the "log" keyword as the action
        rather than pass or block.
      LOG_NOTICE - packets logged which are also passed
      LOG_WARNING - packets logged which are also blocked
      LOG_ERR - packets which have been logged and which can be
        considered "short"

... only "pass" directives will/should be logged to "messages", *in
addition to* also being logged in "security". "block" directives will
only be logged in "security".

> Now for my question. I do really want a separate log file for
> ipfilter. How would I change syslog.conf to separate out the
> ipfilter logs from the rest without breaking any other logging?

Specify a file to ipmon(8) to log messages into via option "-D";
remove traces of ipf(8) activity from /etc/syslog.conf except as noted
below. Update /etc/newsyslog.conf(5) to have the ipf log file rotated
as you desire.

In order to avoid to specify the option & file name manually each time
you start your system, add something like the following to your
/etc/rc.conf ...

  ipmon_enable="YES"
  ipmon_flags="-D /var/log/ipf.log"

> how do I change the line for /var/log/messages so that no ipfilter
> stuff goes there without breaking something else?

Read syslog.conf(5) man page, especially the part about log levels.
After reading that, in the "/var/log/messages" column, change the
level of facility "security" from "*" to "none".

  - Parv

--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050515000614.GA9332>
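
Added example, not part of the original e-mail: a simplified model of syslog.conf(5) selector matching, run over the two entries quoted in the message, to show which log files each ipmon(8) level reaches. It assumes syslogd's default comparison (the named level or higher) and that the last pair naming a facility wins; the EDITED variant, which appends "security.none" to the messages selector, is one reading of the advice and is an assumption.

```python
# Simplified model of syslog.conf(5) selectors: "facility.level" pairs joined
# by ';', the '*' wildcard and the "none" level. Comparison flags (=, !, <, >)
# and comma-separated facility lists are deliberately not handled.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SEVERITY = {name: len(LEVELS) - i for i, name in enumerate(LEVELS)}  # emerg = 8

# ipmon -s levels, as listed in the man page excerpt quoted in the message.
IPMON_LEVELS = {"info": "log keyword", "notice": "passed",
                "warning": "blocked", "err": "short packet"}

def selector_matches(selector, facility, level):
    """True if a facility.level message is selected; last matching pair wins."""
    selected = False
    for pair in selector.split(";"):
        fac, _, lvl = pair.strip().partition(".")
        if fac in ("*", facility):
            selected = lvl != "none" and (
                lvl == "*" or SEVERITY[level] >= SEVERITY[lvl])
    return selected

def route(config, facility, level):
    """Return every log file whose selector accepts the message."""
    return [path for sel, path in config if selector_matches(sel, facility, level)]

# The two entries exactly as quoted in the message.
QUOTED = [
    ("*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err",
     "/var/log/messages"),
    ("security.*", "/var/log/security"),
]
# Assumed edit: exclude the security facility from /var/log/messages.
EDITED = [(QUOTED[0][0] + ";security.none", QUOTED[0][1]), QUOTED[1]]

if __name__ == "__main__":
    for name, config in (("quoted", QUOTED), ("edited", EDITED)):
        for level, meaning in IPMON_LEVELS.items():
            print(f"{name:6} security.{level:7} ({meaning}): "
                  f"{route(config, 'security', level)}")
```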