logging pf in ASCII via syslog -- logs not saved

Volker volker at vwsoft.com
Tue Apr 24 15:36:06 UTC 2007


On 12/23/-58 20:59, snowcrash wrote:
> i'm using FreeBSD v6.2-RELEASE + pf + pflog.
> 
> firewall works great, and i can watch real-time output on
> logging_device:pflog0 with,
> 
>     tcpdump -tttt -nei pflog0
> 
> 
> i'd like to archive & rotate the logs as well, so, following
> instructions at,
> 
>     "Packet Logging Through Syslog"
>     http://www.openbsd.org/faq/pf/logging.html
> 
> i've -- supposedly -- setup for pf to log in ASCII to /var/log/pflog.txt
> etc etc
> 
> when i start pf, I see in the logs dir,
> 
>  ls -al *pf*
>    -rw-------  1 root  wheel  24 Apr 23 13:30 pflog
>    -rw-------  1 root  wheel   0 Apr 23 13:20 pflog.txt
> 
> which, as time passes, show 'pflog' growing as expected,
> 
>  ls -al *pf*
>    -rw-------  1 root  wheel 1056 Apr 23 13:45 pflog
>    -rw-------  1 root  wheel    0 Apr 23 13:20 pflog.txt
> 
> if i exec the /etc/pflogrotate script either manually @ shell, or via
> cron, i see,
> 
>     reading from file /var/log/pflog5min.200704231347, link-type PFLOG (OpenBSD pflog file)
> 
> but immediately afterwards, checking in the log dir, i see only,
> 
>  ls -alt /var/log/*pf*
>    -rw-------  1 root  wheel  24 Apr 23 13:48 pflog
>    -rw-------  1 root  wheel   0 Apr 23 13:47 pflog.txt
> 
> with no trace of the rolled log :-/
> 
> if i allow the top of the hour to pass, the newsyslog cron job fires,
> after which i see,
> 
>  ls -alt /var/log/*pf*
>    -rw-------  1 root  wheel  24 Apr 23 14:00 /var/log/pflog
>    -rw-------  1 root  wheel  62 Apr 23 14:00 /var/log/pflog.txt
>    -rw-------  1 root  wheel  62 Apr 23 14:00 /var/log/pflog.txt.0
> 
> where,
> 
>  cat /var/log/pflog.txt.0
>    Apr 23 14:00:00 router newsyslog[36971]: logfile turned over
> 
> bottom line -- i'm not getting my ascii-based pf-logs anywhere.
> 
> any suggestions as to what i'm missing would be appreciated :-/
> 
> thanks!
> 

I suspect there's a mistake in your script. Have you tried using
`tcpdump | logger' manually?

Have you tried using `set -x' in your shell script and checked if you
see any errors? Have you removed the last `rm $FILE' and checked if
$FILE is created well? Have you checked if logger does its job when
started manually (`echo "this is a test" | logger -t pf -p local0.info')?

Check this out first. I suspect this to be a script issue.

HTH,

Volker
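A debug-oriented variant of the FAQ-style rotation pipeline, added here as an example (it is not code from this thread or from the OpenBSD FAQ). It folds in the checks suggested above: the pflog file is only rotated when it is larger than the 24-byte pcap global header (a 24-byte pflog, as in the listings above, holds no packets), the intermediate file is kept for inspection when KEEP_FILE=1 instead of being removed, and the conversion and logging commands can be overridden through the CONVERT and LOGGER variables (names I chose) so the pipeline can be exercised with plain files before pflogd, tcpdump and logger are involved. Run it with `sh -x` to see every step.

```sh
#!/bin/sh
# Debug-friendly pflog rotation. Defaults mirror the usual
# "tcpdump -r FILE | logger -t pf -p local0.info" pair; CONVERT, LOGGER
# and KEEP_FILE are assumed names introduced for this example.

# A pcap file of exactly 24 bytes is only the global header: no records.
PCAP_HEADER_BYTES=24

# Return 0 when the file holds at least one packet record, 1 otherwise.
pflog_has_records() {
    size=$(wc -c < "$1" 2>/dev/null | tr -d ' ')
    [ "${size:-0}" -gt "$PCAP_HEADER_BYTES" ]
}

# Move the live pflog aside, let pflogd reopen it, convert the rotated file
# to text and hand the text to syslog. Returns 1 when there was nothing to
# rotate, 2 when the rename failed, 0 otherwise.
rotate_pflog() {
    pflog=$1
    rotated="$pflog.5min.$(date +%Y%m%d%H%M%S)"
    convert=${CONVERT:-"tcpdump -n -e -ttt -r"}
    logcmd=${LOGGER:-"logger -t pf -p local0.info"}

    if ! pflog_has_records "$pflog"; then
        echo "no records in $pflog, nothing to rotate" >&2
        return 1
    fi
    mv "$pflog" "$rotated" || return 2

    # pflogd reopens its log file on SIGHUP; skipped when no pid file
    # exists (e.g. when exercising the script offline with plain files).
    if [ -r /var/run/pflogd.pid ]; then
        kill -HUP "$(cat /var/run/pflogd.pid)"
    fi

    # Conversion to text, then to syslog; check the syslog destination
    # for these lines after each run.
    $convert "$rotated" | $logcmd

    if [ "${KEEP_FILE:-0}" = 1 ]; then
        echo "kept $rotated for inspection" >&2
    else
        rm -f "$rotated"
    fi
    return 0
}
```

Before wiring it to cron, set `CONVERT=cat LOGGER=cat` and run it against a copy of a real pflog file: if the packet text appears on stdout but never in the syslog file with the defaults, the problem is on the `logger`/syslogd side rather than in tcpdump or the rotation itself.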

