SOLVED: Re: IPMON log to syslog doesn't work

Mel fbsd.questions at rachie.is-a-geek.net
Tue Feb 26 17:26:35 UTC 2008


On Tuesday 26 February 2008 17:31:27 Anton Shterenlikht wrote:
> On Tue, Feb 26, 2008 at 03:01:13PM +0000, Anton Shterenlikht wrote:
> > On Tue, Feb 26, 2008 at 03:42:51PM +0100, Mel wrote:
> > > On Tuesday 26 February 2008 15:25:37 Anton Shterenlikht wrote:
> > > > On Tue, Feb 26, 2008 at 03:09:14PM +0100, Mel wrote:
> > > > > On Tuesday 26 February 2008 14:20:32 Anton Shterenlikht wrote:
> > > > > > I'm trying to troubleshoot my ipfilter firewall, and I cannot get
> > > > > > any log data, i.e. /var/log/ipfilter.log is empty.
> > > > >
> > > > > Does:
> > > > > # logger -p security.notice test
> > > > > put anything in the log?
> > > >
> > > > yes:
> > > >
> > > > # logger -p security.notice test
> > > > # cat /var/log/ipfilter.log
> > > > Feb 26 00:00:00 mech-cluster238 newsyslog[21510]: logfile turned over
> > > > Feb 26 14:17:07 mech-cluster238 mexas: test
> > > > # cat /var/log/security
> > > > Jul 20 10:52:47  newsyslog[463]: logfile first created
> > > > Feb 26 14:17:07 mech-cluster238 mexas: test
> > > > #
> > > >
> > > > so what does this mean?
> > >
> > > That syslog works correctly and it's really ipmon. Are you sure it's
> > > running? How about ipmon -s (without the -D), does that turn up in
> > > syslog?
> >
> > # ipmon -s&
> > [1] 23892
> > # ps ax | grep ipmon
> > 23892  p0  S      0:00.11 ipmon -s
> > 23908  p0  R+     0:00.00 grep ipmon
> > #
> >
> > but the logs are still empty:
> >
> > # cat /var/log/ipfilter.log
> > Feb 26 00:00:00 mech-cluster238 newsyslog[21510]: logfile turned over
> > Feb 26 14:17:07 mech-cluster238 mexas: test
> > # cat /var/log/security
> > Jul 20 10:52:47  newsyslog[463]: logfile first created
> > Feb 26 14:17:07 mech-cluster238 mexas: test
> > #
> >
> > however:
> >
> > # ipmon -D
> > 26/02/2008 14:49:59.202056 3x dc0 @0:1 b 137.222.187.22,1004 -> 255.255.255.255,1004 PR udp len 20 67 IN broadcast
> > 26/02/2008 14:50:13.064314 2x dc1 @0:1 b 10.10.10.7,520 -> 10.10.10.255,520 PR udp len 20 72 IN broadcast
> > ^C
> > #
> >
> > Perhaps I should play with other ipmon flags as well?
>
> I solved it following the IPF FAQ:
> 	http://www.phildev.net/ipf/IPFipmon.html#ipmon1
>
> 	Q. I have IPMon logging to syslog, but syslog doesn't
> 	   log anything, why not?
>
> 	A. IPF logs as local0 so you'll want something to the effect of:
> 	   local0.debug /var/log/ipf.log in your syslog.conf.
> 	   NOTE: There has to be at least one TAB in that line, not just spaces.
>
> so I changed "security.*" to "local0.*" in /etc/syslog.conf:
>
> # grep local0 /etc/syslog.conf
> local0.*        /var/log/ipfilter.log
> #
>
> and now I have (lots) of logs in the log file:
>
> # tail -2 /var/log/ipfilter.log
> Feb 26 16:20:05 mech-cluster238 ipmon[24166]: 16:20:05.248083 2x dc0 @0:20 b 137.222.187.85,137 -> 137.222.187.255,137 PR udp len 20 78 IN broadcast
> Feb 26 16:20:07 mech-cluster238 ipmon[24166]: 16:20:06.876597 dc0 @0:21 b 137.222.187.10,138 -> 137.222.187.255,138 PR udp len 20 212 IN broadcast
> #
>
> # ls -al /var/log/ipfilter.log
> -rw-r-----  1 root  wheel  74889 26 Feb 16:21 /var/log/ipfilter.log
> #
>
> But now I wonder if the FBSD handbook has an error in section
> 28.5.7 IPMON Logging:
>
> 	"Add the following statement to /etc/syslog.conf:
> 		security.* /var/log/ipfilter.log
>
> 	 The security.* means to write all the logged
> 	 messages to the coded file"
>
> Shall I submit this as a manual error, or is it more complex?

I was just looking at that. The weird thing is the following:
http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/ipfilter/tools/ipmon.c?rev=1.4.2.2
#ifndef	LOGFAC
#define	LOGFAC	LOG_LOCAL0
#endif

In the contrib/ipfilter/Makefile it is set to security, but... FreeBSD builds 
with src/sbin/ipf/ipmon and there it is indeed LOG_LOCAL0.

So either you could request docfix or Makefile fix. There's probably a reason 
why it's set hardcoded like that to LOG_LOCAL0.

-- 
Mel

Problem with today's modular software: they start with the modules
    and never get to the software part.
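The routing mismatch discussed in this thread (ipmon logs with LOG_LOCAL0, the Handbook's syslog.conf line selects security.*) can be checked without touching a live syslogd. The script below is an added example written for this page; it is not code from the thread, from ipmon or from FreeBSD's syslogd. It models a deliberately small subset of syslog.conf selector matching (facility[,facility].level, "*" and "none", ";"-joined selectors, whitespace-separated action) and feeds it the two syslog.conf lines quoted above. The facility/level code tables follow FreeBSD's <sys/syslog.h> as I recall it, the "notice" level used for an ipmon packet record is an assumption (the thread does not show which level ipmon uses), and the function names are mine.

```python
import re

# Facility and level codes as in FreeBSD's <sys/syslog.h>.
# Assumption: table reproduced from memory of that header; only the names
# and the level ordering matter for this check.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "security": 13, "console": 14,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
LEVELS = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}


def parse_selector(selector):
    """Parse one 'fac[,fac].level' selector into (facility set, threshold).

    A message matches when its level is the threshold or more severe
    (numerically <= threshold).  '*' as level means everything (debug),
    'none' means the listed facilities are explicitly excluded (None).
    """
    fac_part, level = selector.rsplit(".", 1)
    if fac_part == "*":
        facs = set(FACILITIES)
    else:
        facs = set(fac_part.split(","))
        unknown = facs - set(FACILITIES)
        if unknown:
            raise ValueError("unknown facility %s" % ",".join(sorted(unknown)))
    if level == "*":
        return facs, LEVELS["debug"]
    if level == "none":
        return facs, None
    if level not in LEVELS:
        raise ValueError("unknown level %r" % level)
    return facs, LEVELS[level]


def parse_conf(text):
    """Return [(selectors, action), ...] for the rule lines of a syslog.conf fragment.

    Selector field and action are split on any whitespace: the IPF FAQ quoted
    in the thread insists on a TAB, so tabs and spaces are both accepted here.
    Comment lines and '!prog' / '+host' blocks are skipped, not modelled.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!+":
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) != 2:
            raise ValueError("malformed rule line: %r" % raw)
        selectors, action = parts
        rules.append(([parse_selector(s) for s in selectors.split(";")], action))
    return rules


def route(conf_text, facility, level):
    """List the actions a message of facility.level would be delivered to."""
    if facility not in FACILITIES or level not in LEVELS:
        raise ValueError("bad priority %s.%s" % (facility, level))
    sev = LEVELS[level]
    targets = []
    for selectors, action in parse_conf(conf_text):
        matched = False
        # Later selectors on the same line override earlier ones for a facility,
        # which is how '*.notice;local0.none' excludes local0 again.
        for facs, threshold in selectors:
            if facility in facs:
                matched = threshold is not None and sev <= threshold
        if matched:
            targets.append(action)
    return targets


# The two /etc/syslog.conf lines from the thread: the Handbook's and the working one.
HANDBOOK_CONF = "security.*\t/var/log/ipfilter.log\n"
WORKING_CONF = "local0.*\t/var/log/ipfilter.log\n"


def check_ipmon_routing(conf_text, ipmon_facility="local0"):
    """Where does an ipmon record end up?  ipmon's LOGFAC default is LOG_LOCAL0
    (see the ipmon.c excerpt above); 'notice' as the record level is an assumption."""
    return route(conf_text, ipmon_facility, "notice")


if __name__ == "__main__":
    for name, conf in (("security.*", HANDBOOK_CONF), ("local0.*", WORKING_CONF)):
        print("%-11s ipmon (local0.notice)        -> %s"
              % (name, check_ipmon_routing(conf) or "(dropped)"))
        print("%-11s logger -p security.notice    -> %s"
              % (name, route(conf, "security", "notice") or "(dropped)"))
```

Run as-is it reproduces the thread's observations: with the Handbook's security.* line the `logger -p security.notice test` message lands in /var/log/ipfilter.log while ipmon's local0 records are dropped, and with local0.* the ipmon records are delivered. The same function is handy for any other daemon whose facility is compiled in rather than configurable: look up its LOGFAC, then ask route() rather than guessing from the log file name.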

