Re: Question about redirecting to a multiple log files from pflogd

Thu, 16 Aug 2012 06:55:39 -0700 

On Thu, Aug 16, 2012 at 11:41 AM, MERIGHI Marcus <mcmer-open...@tor.at> wrote:
> carlopm...@gmail.com (C. L. Martinez), 2012.08.15 (Wed) 20:20 (CEST):
>> On Tue, Aug 14, 2012 at 10:00 AM, C. L. Martinez <carlopm...@gmail.com> 
>> wrote:
>> > Hi all,
>> >
>> >  I have some rules that I would like to redirect in syslog format to a
>> > log file. I don't need to touch /var/log/pflog. To accomplish this I
>> > have tried to start pflogd daemon with the following options:
>> >
>> >  "-s 256 -i pflog0 -f /var/log/pflog -i pflog1 -f /tmp/test.log"
>> >
>> >  ... but it doesn't works. After, I have tried to start another pflogd
>> > instance with "-s 256 -i pflog1 -f /tmp/test.log":
>> >
>> > 25317 ??  S       0:49.58 pflogd: [running] -s 256 -i pflog1 -f
>> > /tmp/test.log (pflogd)
>> > 13851 ??  Ss      0:00.23 ntpd: ntp engine (ntpd)
>> > 16445 ??  Is      0:00.03 ntpd: dns engine (ntpd)
>> > 11227 ??  Ss      0:00.02 ntpd: [priv] (ntpd)
>> > 21752 ??  Is      0:00.05 /usr/sbin/sshd
>> > 14014 ??  Ss      0:00.30 sendmail: accepting connections (sendmail)
>> > 14724 ??  Is      0:00.01 /usr/sbin/ftp-proxy
>> > 14277 ??  Ss      0:00.04 /usr/sbin/cron
>> > 11070 ??  Ss      0:35.46 sshd: root@ttyp0 (sshd)
>> > 18112 ??  Is      0:00.01 pflogd: [priv] (pflogd)
>> > 14997 ??  S       0:01.08 pflogd: [running] -s 256 -i pflog0 -f
>> > /var/log/pflog (pflogd)
>> >
>> >  .. but it doesn't works. /var/log/pflog doesn't register activitvy
>> > (pflog0 and pflog1 interfaces are up)
>> >
>> >  At this stage, I only to need to try if this approach works using
>> > tcpdump file format in both log files ...
>> >
>> >  Is it possible to use several pflogX interfaces an redirect all logs
>> > to several log files?? I am using OpenBSD 5.1
>> >
>> > Thanks.
>>
>> Please, any tip??
>
> I'm not completely sure I understand what you want: is your log file
> supposed to contain tcpdump(8) binary format or the format resulting
> from tcpdump -r <file> or tcpdump -i pflogX?
>
> anyway, I use the following to get tcpdump -i pflogX to syslog:
>
> #!/bin/sh -e
> ifconfig pflog0 > /dev/null 2>&1 || sudo ifconfig pflog0 create up
> logger -p local1.notice -t pflog |&
> logger_pid=${!}
> exec 5<&p 6>&p
> exec 1>&6
> exec /usr/sbin/tcpdump -qtvneli pflog0 2>&1 &
>
> bye, Marcus
>

Thanks Marcus, that is my second phase. At this moment, I need to use
different pflog's file names (and different pflogX interfaces) for
some rules, here is on I have problems ....

Reply via email to