logging pflog to a remote host.

Post by Sam Wu » Tue, 09 Apr 2002 20:21:11

Dear all,

Does anyone know how to remotely log pflog messages? I think tcpdump may be
helpful, but I don't know how to use it. Any other suggestions will be very
much appreciated.

Thanks
Sam


logging pflog to a remote host.

Post by Arvid Gr?ttin » Tue, 09 Apr 2002 20:27:41

> Dear all,

> Does anyone know how to remotely log pflog messages? I think tcpdump may be
> helpful, but I don't know how to use it. Any other suggestions will be very
> much appreciated.

- chmod g+r /dev/bpf*

- set up syslog/newsyslog to route things where you want them, and

- as a user with read access to /dev/bpf*, do something like

    nice tcpdump -i pflog0 -e -n | logger

Warning: Use at your own risk, after a risk/benefit analysis.

--

Arvid


logging pflog to a remote host.

Post by Sam Wu » Wed, 10 Apr 2002 00:13:40

Hi Arvid,

Thanks for your info. I have just tried it, but I don't think I need to
chmod bpf. And as I started the command
   nice tcpdump -i pflog0 -e -n | logger
I can see the logging messages come up on the screen as well as get inserted
in /var/log/messages.
How can I stop the messages printing on the screen?

thanks
Sam

> > Dear all,

> > Does anyone know how to remotely log pflog messages? I think tcpdump may be
> > helpful, but I don't know how to use it. Any other suggestions will be very
> > much appreciated.

> - chmod g+r /dev/bpf*

> - set up syslog/newsyslog to route things where you want them, and

> - as a user with read access to /dev/bpf*, do something like

>     nice tcpdump -i pflog0 -e -n | logger

> Warning: Use at your own risk, after a risk/benefit analysis.

> --

> Arvid


logging pflog to a remote host.

Post by Arvid Gr?ttin » Wed, 10 Apr 2002 00:26:12

> Hi Arvid,

> Thanks for your info. I have just tried it, but I don't think I need to
> chmod bpf.

Oh, you do, because you don't want to run this as root.

> And as I started the command
>    nice tcpdump -i pflog0 -e -n | logger
> I can see the logging messages come up on the screen as well as get inserted
> in /var/log/messages.
> How can I stop the messages printing on the screen?

Configure syslog or newsyslog, whichever is in use on your system.

--

Arvid


logging pflog to a remote host.

Post by Sam Wu » Wed, 10 Apr 2002 16:28:46

I am using msyslogd; the commands I am using are:
A machine: # syslogd -o om_tcp -a -h dev2.rock.com -p 3210 -m 30 -s 8192
A machine: # nice tcpdump -i pflog0 -e -n | logger -t "A machine pflog0"

Log Server:
LogServer: # syslogd -i 'tcp -p 3210'

From the LogServer, tcpdump -i <Interface> shows all the packets that A
machine is forwarding to the LogServer. But I only want to log the pflog
messages to the LogServer. I can't see any message tagged as "A machine pflog0"
being sent from the A machine.

Thanks
Sam

> > Hi Arvid,

> > Thanks for your info. I have just tried it, but I don't think I need to
> > chmod bpf.

> Oh, you do, because you don't want to run this as root.

> > And as I started the command
> >    nice tcpdump -i pflog0 -e -n | logger
> > I can see the logging messages come up on the screen as well as get
> > inserted in /var/log/messages.
> > How can I stop the messages printing on the screen?

> Configure syslog or newsyslog, whichever is in use on your system.

> --

> Arvid


logging pflog to a remote host.

Post by Arvid Gr?ttin » Wed, 10 Apr 2002 18:09:00

> From the LogServer, tcpdump -i <Interface> shows all the packets that A
> machine is forwarding to the LogServer. But I only want to log the pflog
> messages to the LogServer. I can't see any message tagged as "A machine pflog0"
> being sent from the A machine.

Read the fine manual(s).[1]  I don't do this myself; I was only
suggesting a possible solution.

Oh, and make absolutely sure that you never, ever create a logging PF
rule that catches your syslog packets.

[1] logger(1), newsyslog(8), syslogd(8), syslog.conf(8).
--

Arvid
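Arvid's three steps (bpf read access, syslog routing, tcpdump piped into logger) and his warning about a logging rule that catches your own syslog packets, as an added example that is not from this thread: a small sh script whose pflog_feed function runs the tcpdump-to-logger pipe, and whose loop_hits function scans pflog records from tcpdump for packets addressed to the log server, which is exactly the feedback loop he warns about. The log server 192.0.2.10, its port 514, the local0 facility, the syslog.conf line and the sample records are all assumptions or constructed values.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: the log server
# 192.0.2.10 and its port 514 are placeholders; local0 is a chosen facility.
LOGHOST=192.0.2.10
LOGPORT=514

# Count pflog records (text from `tcpdump -n -e -i pflog0`, read on stdin)
# whose destination is the log server itself. Any hit means a "log" rule
# matches your own syslog traffic: every forwarded record would then produce
# another record, forever.
loop_hits() {
    awk -v want="$1.$2" '
        /\(match\)/ && / > / {
            rest = substr($0, index($0, " > ") + 3)   # "dst.port: flags ..."
            split(rest, f, ":")
            if (f[1] == want) hits++
        }
        END { print hits + 0 }'
}

# The feed itself. -l line-buffers tcpdump so each record reaches logger at
# once instead of waiting in a stdio buffer; -p puts the records on their own
# facility so syslog.conf can route just those records separately from
# everything else (assumed line: "local0.*  @192.0.2.10").
pflog_feed() {
    nice tcpdump -l -n -e -i pflog0 | logger -t pflog -p local0.info
}

# Constructed sample of pflog records (not captured traffic): two blocked
# probes and two syslog datagrams to the log server that a "log" rule matched.
SAMPLE='rule 1/0(match): block in on fxp0: 203.0.113.5.51022 > 192.0.2.1.22: S 1:1(0) win 65535
rule 4/0(match): pass out on fxp0: 192.0.2.1.40212 > 192.0.2.10.514: udp 120
rule 1/0(match): block in on fxp0: 203.0.113.9.4044 > 192.0.2.1.445: S 1:1(0) win 8192
rule 4/0(match): pass out on fxp0: 192.0.2.1.40212 > 192.0.2.10.514: udp 97'

# Run the loop check over the sample; a non-zero count is the misconfiguration.
check_sample() {
    printf '%s\n' "$SAMPLE" | loop_hits "$LOGHOST" "$LOGPORT"
}
```

Run pflog_feed as a user with read access to /dev/bpf*, and pipe real tcpdump pflog output through loop_hits before enabling forwarding to the log server.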


Option for logging pf log to a remote host?

Dear all,

I have asked a similar question before, but I am also wondering how to
log the pf logged messages to a remote host directly rather than to a local
log file in the first place. The solutions were:

1. Use other programs like tcpdump with netcat to direct pflog0 to a remote
host, but I don't see this as stable at all (it crashed very often somehow).

2. tcpdump with logger will then direct pflog0 to /var/log/messages.
This combination is more stable for logging pf messages to the
/var/log/messages file, but lacks simplicity.

I am thinking about how to change the pf settings so that it can be logged
locally as well as to a remote host as optional functionality.
Does this require a coding change in pf?

Thanks
Sam
