ipmon logging

bob at a1poweruser.com bob at a1poweruser.com
Sat Apr 2 16:07:45 PST 2005

After testing with 5.3 on my workbench box it seems that ipfilter
has changed between 4.11 and 5.3. The syslog.conf logging statement
of    local0.*       /var/log/security   is only valid for the
ipfilter in the 4.x versions of Freebsd.
security.*       /var/log/security     is only valid for the
ipfilter in the 5.3 version and greater of Freebsd.

The official handbook is written for 4.11 release.  It needs to be
updated for the 5.3  5.4 releases

-----Original Message-----
From: as2sb3100 at comcast.net [mailto:as2sb3100 at comcast.net]
Sent: Friday, April 01, 2005 3:12 PM
To: bob at a1poweruser.com
Subject: RE: ipmon logging

from the FAQ:
1. # I have IPMon logging to syslog, but syslog doesn't log
anything, why not?

    IPF logs as local0 so you'll want something to the effect of:
    local0.debug /var/log/ipf.log
    in your syslog.conf. NOTE: There has to be atleast one TAB in
that line, not just spaces.

It doesnt do this though, I think, I could mistaken.  In my rc.conf
file I have ipmon_flags="Ds" and the line in syslog.conf from above
(I've also tried local0.*  /var/log/ipf.log in syslog.conf) which
should do what it says above.  All this is documented in the
Handbook.  However, ipmon uses the security facility instead of
local0.  This means that whenever something is logged by ipmon, it
gets loged to /var/log/security.  If I change ipmon_flags="Ds" to
ipmon_flags="D /var/log/ipf.log" it works perectly.  However, when
newsyslog rotates the file when it gets to 100k, ipmon stops
logging.  When I run nmap I normaly get a bunch of stuff logged.
When newsyslog rotates the file it adds logfile turned over due
to..., and then nothing gets logged after that.  So I know that it
stops logging after newsyslog rotates the log.  I've been reading
through the newsyslog.conf man page, but I'm not sure what I'm
looking for.

> There is a new write up of IPF in the official manual that
> in detail how to get ipmon to log to separate file.
> You have to give more technical details about what you have done.
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of
> as2sb3100 at comcast.net
> Sent: Friday, April 01, 2005 1:50 PM
> To: freebsd-questions at freebsd.org
> Subject: ipmon logging
> According to every website I've read so far ipmon uses local0 as
> facility name.  However, on my FreeBSD 5.3-RELEASE-p5 box, it logs
> to the security facility.  The man page (in both 5.2.1 and 5.3)
> ipmon, with -s for logging to syslog says, "The default facility
> when compiled and installed is security".  Can anyone explain
> I'd like ipmon to log to a separate file so it doesn't fill up the
> security log.  I've tried having ipmon log directly to a file, and
> not using syslog, but it stops logging when newsyslog rotates the
> file.  Does anyone have any suggestions on what I could or should
> do?
> Eric
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"

More information about the freebsd-questions mailing list