On Sun, Aug 19, 2012 at 12:25 PM, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2012-08-14, C. L. Martinez <carlopm...@gmail.com> wrote:
>> Hi all,
>>
>> I have some rules that I would like to redirect in syslog format to a
>> log file. I don't need to touch /var/log/pflog. To accomplish this I
>> have tried to start the pflogd daemon with the following options:
>>
>> "-s 256 -i pflog0 -f /var/log/pflog -i pflog1 -f /tmp/test.log"
>
> I don't believe a single pflogd process can run on multiple interfaces,
> I think you would need to run a second process for pflog1.
>
>> ... but it doesn't work. Afterwards, I tried to start another pflogd
>> instance with "-s 256 -i pflog1 -f /tmp/test.log":
>>
>> 25317 ?? S 0:49.58 pflogd: [running] -s 256 -i pflog1 -f
>> /tmp/test.log (pflogd)
>> 13851 ?? Ss 0:00.23 ntpd: ntp engine (ntpd)
>> 16445 ?? Is 0:00.03 ntpd: dns engine (ntpd)
>> 11227 ?? Ss 0:00.02 ntpd: [priv] (ntpd)
>> 21752 ?? Is 0:00.05 /usr/sbin/sshd
>> 14014 ?? Ss 0:00.30 sendmail: accepting connections (sendmail)
>> 14724 ?? Is 0:00.01 /usr/sbin/ftp-proxy
>> 14277 ?? Ss 0:00.04 /usr/sbin/cron
>> 11070 ?? Ss 0:35.46 sshd: root@ttyp0 (sshd)
>> 18112 ?? Is 0:00.01 pflogd: [priv] (pflogd)
>> 14997 ?? S 0:01.08 pflogd: [running] -s 256 -i pflog0 -f
>> /var/log/pflog (pflogd)
>>
>> .. but it doesn't work. /var/log/pflog doesn't register activity
>> (pflog0 and pflog1 interfaces are up)
>
> Do you have PF rules causing writes to go to the relevant pflog interface?

Yes, I have two rules that redirect logs to pflog1 using (log all, to pflog1) ...

>
> Do you see anything with tcpdump -neipflog0 / tcpdump -neipflog1?

Yes, I see logs on this interface (pflog1) and on pflog0. At the interface level everything is correct; the problem is with the /var/log/pflog log file. It doesn't register anything ...