Date:      Tue, 13 Dec 2005 21:16:20 -0500
From:      Parv <parv@pair.com>
To:        Rob Lytle <europa100@comcast.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ipfilter question
Message-ID:  <20051214021620.GA31453@holestein.holy.cow>
In-Reply-To: <20051213164227.0cb04489.europa100@comcast.net>
References:  <43c190410512130257l1366b4c3rf56f44f5f451b93@mail.gmail.com> <e572718c0512130438o176522ecoe77637e38605c92e@mail.gmail.com> <43c190410512131624w56ad2c14k8e65d64d2207dcbd@mail.gmail.com> <20051213164227.0cb04489.europa100@comcast.net>

in message <20051213164227.0cb04489.europa100@comcast.net>,
wrote Rob Lytle thusly...
>
> 
> 
> > > Here's my setup:
...
> > > in /etc/syslog.conf
> > 
> > yes, there is no other security.* facility, actually i got it
> > working

Please keep the attribution & attribute the respective authors.


> I have the problem that ipmon logs to /var/log/messages and nothing
> goes to /var/log/ipf.log.  Even after using the info in this thread.
> I am using local0 as was suggested for FreeBSD 6.0.  Earlier I was
> using security.* which didn't work either.  I suppose that at the
> least, I need to remove something from the /var/log/messages line.
> 
...
> *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err	/var/log/messages
> local0.*					/var/log/ipf.log

Like "authpriv.none" to stop auth messages going into
"/var/log/messages", you will need to add "local0.none" (or replace
"local0" w/ whatever facility is actually used) after "*.notice;".

According to ipmon(8) on 5.4, passed & logged packets are logged w/
level of 'notice'. So you should be seeing only the passed packets in
'/var/log/messages'.  The rest of the messages will go wherever
(local0|security|*).(info|warn|err) messages go.


Or, you could ...

  - give a file name to ipmon(8) to log messages in
  - remove the "-s" option so as not to log via syslogd(8)
  - put the <ipmon facility>.none in "/etc/syslog.conf", to avoid
    other files receiving ipf messages.
  - adjust /etc/newsyslog.conf to properly rotate the ipmon log
    files.


Don't forget to read up on syslog.conf(5), newsyslog.conf(5),
and ipmon(8) in any case.


  - Parv

-- 
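
An added illustration (not part of the original message): a simplified Python model of syslog.conf(5) selector matching, showing where a `local0.notice` message lands with the quoted configuration and with "local0.none" added after "*.notice;". It assumes ipmon logs to the `local0` facility and models only plain `facility.level` and `.none` selectors, not the comparison flags.

```python
# Simplified model of syslog.conf(5) selector matching (added example).
# Assumptions: ipmon logs to local0; only "fac[,fac].level" and ".none"
# are modelled; a later part overrides an earlier one for the same facility.
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}


def rank(level):
    """Numeric severity, higher is more severe."""
    return LEVELS.index(ALIASES.get(level, level))


def selector_matches(selector, facility, level):
    """True if a (facility, level) message is selected by this selector field."""
    matched = False
    for part in selector.split(";"):
        facs, _, threshold = part.strip().rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue  # this part says nothing about our facility
        # The part applies: it replaces any earlier decision for the facility.
        matched = threshold != "none" and (
            threshold == "*" or rank(level) >= rank(threshold)
        )
    return matched


def destinations(config, facility, level):
    """List the log files that would receive the message, in config order."""
    out = []
    for line in config.strip().splitlines():
        selector, target = line.split(None, 1)
        if selector_matches(selector, facility, level):
            out.append(target.strip())
    return out


# The two lines quoted in the message, and the same lines with the suggested fix.
ORIGINAL = """
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
local0.*                                                      /var/log/ipf.log
"""
CORRECTED = ORIGINAL.replace("*.notice;", "*.notice;local0.none;")

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        for lvl in ("info", "notice", "warning"):
            print(name, "local0." + lvl, "->", destinations(cfg, "local0", lvl))
```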



