From owner-freebsd-questions@FreeBSD.ORG Wed Feb 27 12:55:15 2008
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 99ABF106566C; Wed, 27 Feb 2008 12:55:15 +0000 (UTC) (envelope-from mexas@bristol.ac.uk)
Received: from dirg.bris.ac.uk (dirg.bris.ac.uk [137.222.10.102]) by mx1.freebsd.org (Postfix) with ESMTP id 71CE98FC22; Wed, 27 Feb 2008 12:55:15 +0000 (UTC) (envelope-from mexas@bristol.ac.uk)
Received: from isis.bris.ac.uk ([137.222.10.63]) by dirg.bris.ac.uk with esmtp (Exim 4.67) id 1JULoU-0000zt-JL; Wed, 27 Feb 2008 12:55:14 +0000
Received: from mech-aslap33.men.bris.ac.uk ([137.222.184.33]) by isis.bris.ac.uk with esmtp (Exim 4.67) id 1JULoU-0001MF-0K; Wed, 27 Feb 2008 12:55:10 +0000
Received: from mech-aslap33.men.bris.ac.uk (localhost [127.0.0.1]) by mech-aslap33.men.bris.ac.uk (8.14.2/8.14.2) with ESMTP id m1RCr14A082879; Wed, 27 Feb 2008 12:53:01 GMT (envelope-from mexas@bristol.ac.uk)
Received: (from mexas@localhost) by mech-aslap33.men.bris.ac.uk (8.14.2/8.14.2/Submit) id m1RCr11U082878; Wed, 27 Feb 2008 12:53:01 GMT (envelope-from mexas@bristol.ac.uk)
X-Authentication-Warning: mech-aslap33.men.bris.ac.uk: mexas set sender to mexas@bristol.ac.uk using -f
Date: Wed, 27 Feb 2008 12:53:01 +0000
From: Anton Shterenlikht
To: Mel
Message-ID: <20080227125301.GA82852@mech-aslap33.men.bris.ac.uk>
Mail-Followup-To: Mel, freebsd-questions@freebsd.org
References: <20080226132032.GA86468@mech-aslap33.men.bris.ac.uk> <20080226150113.GA87235@mech-aslap33.men.bris.ac.uk> <20080226163127.GA88231@mech-aslap33.men.bris.ac.uk> <200802261826.23184.fbsd.questions@rachie.is-a-geek.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200802261826.23184.fbsd.questions@rachie.is-a-geek.net>
User-Agent: Mutt/1.4.2.3i
X-Spam-Score: -1.3
X-Spam-Level: -
Cc: freebsd-questions@freebsd.org
Subject: Re: SOLVED: Re: IPMON log to syslog doesn't work
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Wed, 27 Feb 2008 12:55:15 -0000

On Tue, Feb 26, 2008 at 06:26:22PM +0100, Mel wrote:
> On Tuesday 26 February 2008 17:31:27 Anton Shterenlikht wrote:
> > On Tue, Feb 26, 2008 at 03:01:13PM +0000, Anton Shterenlikht wrote:
> > > On Tue, Feb 26, 2008 at 03:42:51PM +0100, Mel wrote:
> > > > On Tuesday 26 February 2008 15:25:37 Anton Shterenlikht wrote:
> > > > > On Tue, Feb 26, 2008 at 03:09:14PM +0100, Mel wrote:
> > > > > > On Tuesday 26 February 2008 14:20:32 Anton Shterenlikht wrote:
> > > > > > > I'm trying to troubleshoot my ipfilter firewall, and I cannot get
> > > > > > > any log data, i.e. /var/log/ipfilter.log is empty.
> >
> > I solved it following the IPF FAQ:
> > http://www.phildev.net/ipf/IPFipmon.html#ipmon1
> >
> > Q. I have IPMon logging to syslog, but syslog doesn't
> > log anything, why not?
> >
> > A. IPF logs as local0 so you'll want something to the effect of:
> > local0.debug /var/log/ipf.log in your syslog.conf.
> > NOTE: There has to be at least one TAB in that line, not just spaces.
> >
> > so I changed "security.*" to "local0.*" in /etc/syslog.conf:
> >
> > # grep local0 /etc/syslog.conf
> > local0.*	/var/log/ipfilter.log
> > #
> >
> > and now I have (lots) of logs in the log file:
> >
> > # tail -2 /var/log/ipfilter.log
> > Feb 26 16:20:05 mech-cluster238 ipmon[24166]: 16:20:05.248083 2x dc0 @0:20 b 137.222.187.85,137 -> 137.222.187.255,137 PR udp len 20 78 IN broadcast
> > Feb 26 16:20:07 mech-cluster238 ipmon[24166]: 16:20:06.876597 dc0 @0:21 b 137.222.187.10,138 -> 137.222.187.255,138 PR udp len 20 212 IN broadcast
> > #
> >
> > # ls -al /var/log/ipfilter.log
> > -rw-r-----  1 root  wheel  74889 26 Feb 16:21 /var/log/ipfilter.log
> > #
> >
> > But now I wonder if the FBSD handbook has an error in section
> > 28.5.7 IPMON Logging:
> >
> > "Add the following statement to /etc/syslog.conf:
> > security.*	/var/log/ipfilter.log
> >
> > The security.* means to write all the logged
> > messages to the coded file"
> >
> > Shall I submit this as a manual error, or is it more complex?
>
> I was just looking at that. The weird thing is the following:
> http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/ipfilter/tools/ipmon.c?rev=1.4.2.2
> #ifndef LOGFAC
> #define LOGFAC LOG_LOCAL0
> #endif
>
> In the contrib/ipfilter/Makefile it is set to security, but... freebsd builds
> with src/sbin/ipf/ipmon and there it is indeed LOG_LOCAL0.
>
> So either you could request a docfix or a Makefile fix. There's probably a reason
> why it's hardcoded like that to LOG_LOCAL0.

I reported this handbook error to the freebsd-doc list.

I also noted that the ipmon man page does say that the default facility
is local0, but that it can be changed with -L. I tried this, but it doesn't
seem to work:

# ps ax | grep ipmon
27199  ??  Ss     0:00.11 /sbin/ipmon -sDn -L security
27245  p0  R+     0:00.01 grep ipmon
#

So ipmon is running, but no new messages appear in the log. With local0
I get several messages a minute.
--
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 928 8233
Fax: +44 (0)117 929 4423
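As an added example (not part of the thread, and not FreeBSD or ipfilter code), a small Python check for the two failure modes discussed above: it reads the facility ipmon will log to from its command line (the compiled-in local0 default, or the -L override as in the ps output), lists the syslog.conf rules that route that facility, and flags rules typed with spaces only, which the quoted IPF FAQ says will not work. The syslog.conf sample is constructed; selector evaluation follows syslog.conf(5) (the last selector naming a facility wins, and `.none` drops it).

```python
import re
import shlex

# Constructed sample syslog.conf: the handbook's security.* line, a local0.* line
# typed with spaces only, and a catch-all that excludes local0 again via local0.none.
SAMPLE_SYSLOG_CONF = """\
security.*\t\t\t\t/var/log/ipfilter.log
local0.*        /var/log/ipf-spaces.log
*.notice;local0.none;kern.debug;mail.crit\t/var/log/messages
"""

def ipmon_facility(cmdline, default="local0"):
    """Facility ipmon logs to: the -L override if given, else LOG_LOCAL0."""
    argv = shlex.split(cmdline)
    for i, arg in enumerate(argv):
        if arg == "-L" and i + 1 < len(argv):
            return argv[i + 1]
    return default

def parse_syslog_conf(text):
    """(selectors, action, has_tab) per rule line; has_tab flags the TAB the FAQ requires."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"^([^#\s]\S*)(\s+)(\S.*)$", line)  # skips blank and comment lines
        if m:
            selectors, sep, action = m.groups()
            rules.append((selectors, action.strip(), "\t" in sep))
    return rules

def routes_for(facility, rules):
    """(action, level, has_tab) for each rule whose selectors apply to 'facility'."""
    hits = []
    for selectors, action, has_tab in rules:
        level = None
        for sel in selectors.split(";"):  # last selector naming the facility wins
            facs, _, lvl = sel.rpartition(".")
            if facs and (facs == "*" or facility in facs.split(",")):
                level = None if lvl == "none" else lvl
        if level is not None:
            hits.append((action, level, has_tab))
    return hits

def check_ipmon_logging(cmdline, conf_text):
    """Findings: no rule for the facility ipmon uses, or a rule with spaces instead of a TAB."""
    fac = ipmon_facility(cmdline)
    hits = routes_for(fac, parse_syslog_conf(conf_text))
    if not hits:
        return ["ipmon logs to %s but no syslog.conf rule routes it" % fac]
    return ["%s.%s -> %s%s" % (fac, lvl, act, "" if tab else " (spaces only, no TAB)")
            for act, lvl, tab in hits]
```

Running `check_ipmon_logging("/sbin/ipmon -Ds", "security.*\t/var/log/ipfilter.log\n")` reproduces the handbook situation: the only rule routes `security`, while ipmon is logging to `local0`.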