On 2012-08-14, C. L. Martinez <carlopm...@gmail.com> wrote:
> Hi all,
>
>  I have some rules that I would like to redirect in syslog format to a
> log file. I don't need to touch /var/log/pflog. To accomplish this I
> have tried to start pflogd daemon with the following options:
>
>  "-s 256 -i pflog0 -f /var/log/pflog -i pflog1 -f /tmp/test.log"

I don't believe a single pflogd process can run on multiple interfaces;
I think you would need to run a second process for pflog1.

>  ... but it doesn't work. Afterwards, I tried to start another pflogd
> instance with "-s 256 -i pflog1 -f /tmp/test.log":
>
> 25317 ??  S       0:49.58 pflogd: [running] -s 256 -i pflog1 -f
> /tmp/test.log (pflogd)
> 13851 ??  Ss      0:00.23 ntpd: ntp engine (ntpd)
> 16445 ??  Is      0:00.03 ntpd: dns engine (ntpd)
> 11227 ??  Ss      0:00.02 ntpd: [priv] (ntpd)
> 21752 ??  Is      0:00.05 /usr/sbin/sshd
> 14014 ??  Ss      0:00.30 sendmail: accepting connections (sendmail)
> 14724 ??  Is      0:00.01 /usr/sbin/ftp-proxy
> 14277 ??  Ss      0:00.04 /usr/sbin/cron
> 11070 ??  Ss      0:35.46 sshd: root@ttyp0 (sshd)
> 18112 ??  Is      0:00.01 pflogd: [priv] (pflogd)
> 14997 ??  S       0:01.08 pflogd: [running] -s 256 -i pflog0 -f
> /var/log/pflog (pflogd)
>
>  .. but it doesn't work. /var/log/pflog doesn't register activity
> (pflog0 and pflog1 interfaces are up)

Do you have PF rules causing writes to go to the relevant pflog interface?

Do you see anything with tcpdump -neipflog0 / tcpdump -neipflog1?
