Hello, 

I use logstash with an input like this:

input {
  pipe {
    type => "pflog"
    command => "doas /usr/sbin/tcpdump -l -v -n -n -e -s 160 -tt -i pflog0"
  }
}

--
Regards,
Pierre BARDOU
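An added illustration, not code from Pierre's or Peter's messages: once the tcpdump text from that pipe input reaches Logstash it still has to be split into fields before it is useful in Elasticsearch. This Python parser does that over constructed sample lines, assuming tcpdump's pflog print shape `<epoch> rule N/(reason) action dir on iface: src > dst: detail` (the `-tt` epoch timestamp, the `-e` pflog header and `-v` details), and adds a per-source count of inbound blocks as a first detection signal.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines in the shape tcpdump prints for pflog0 with -e -n -tt -v
# (assumed format: "<epoch> rule N/(reason) action dir on iface: src > dst: detail").
SAMPLE = """\
1596800400.123456 rule 3/(match) block in on em0: 203.0.113.5.40212 > 192.0.2.10.22: S 1:1(0) win 65535 <mss 1460> (DF) (ttl 52, id 1, len 60)
1596800401.654321 rule 0/(match) pass out on em0: 192.0.2.10.51234 > 198.51.100.1.53: udp 40 (ttl 64, id 2, len 68)
1596800402.000001 rule 3/(match) block in on em0: 203.0.113.5 > 192.0.2.10: icmp: echo request (ttl 52, id 3, len 84)
1596800403.500000 rule 7/(match) block in on em0: 2001:db8::1.443 > 2001:db8::10.52000: R 0:0(0) win 0 (hlim 60)
"""

PFLOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+rule\s+(?P<rule>[\w.]+)/\((?P<reason>[^)]+)\)\s+"
    r"(?P<action>\S+)\s+(?P<dir>in|out)\s+on\s+(?P<iface>[^:\s]+):\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+?):(?:\s+(?P<detail>.*))?$"
)

def split_host_port(token):
    """tcpdump prints host.port; an IPv4 host has 4 octets, so 5 dotted parts mean a port."""
    parts = token.split(".")
    if ":" in token:  # IPv6 literal: a port, if present, is the single trailing dotted part
        return (parts[0], int(parts[1])) if len(parts) == 2 and parts[1].isdigit() else (token, None)
    if len(parts) == 5 and all(p.isdigit() for p in parts):
        return ".".join(parts[:4]), int(parts[4])
    return token, None

def parse_pflog_line(line):
    """Turn one tcpdump/pflog text line into a flat dict of fields, or None if it does not match."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_host_port(m["src"])
    dst, dport = split_host_port(m["dst"])
    ts = datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc)  # -tt gives epoch seconds
    return {"@timestamp": ts.isoformat(timespec="microseconds"),
            "rule": m["rule"], "reason": m["reason"], "action": m["action"],
            "direction": m["dir"], "interface": m["iface"],
            "src_ip": src, "src_port": sport, "dst_ip": dst, "dst_port": dport,
            "detail": m["detail"] or ""}

def blocked_by_source(text):
    """Count inbound blocks per source address: a cheap first signal for noisy or scanning hosts."""
    hits = Counter()
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec and rec["action"] == "block" and rec["direction"] == "in":
            hits[rec["src_ip"]] += 1
    return hits
```

The same field split can be expressed as a Logstash grok pattern; the point here is that ICMP lines carry no port and IPv6 addresses contain colons, both of which a naive "split on dots and colons" approach gets wrong.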

-----Original Message-----
From: owner-m...@openbsd.org <owner-m...@openbsd.org> On behalf of Peter N. M. Hansteen
Sent: Friday, 7 August 2020 13:10
To: misc@openbsd.org
Subject: Re: Managing PF logs

On Fri, Aug 07, 2020 at 10:29:32AM +0000, Carlos Lopez wrote:
> Hi all,
> 
>  I am thinking about what could be the best option to inject PF logs into 
> Elasticsearch (or any similar platform). If I am not wrong, some years ago 
> there was an option using a shell wrapper to store all pf logs in ASCII format 
> and redirect all of them to a central syslog server (published in the PF FAQ). 
> More or less it is what I am looking for.
> 
>  But maybe there exists another, better option nowadays. Any ideas? Tips?

As Tom said, it is possible to use tcpdump to convert to text, then forward to 
syslog.
The example from the old PF tutorial 
https://home.nuug.no/~peter/pf/newest/log2syslog.html
should still work.

All the best,

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team 
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember 
to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

