Martin,
The solution in the FAQ was ok for 3.8 but things changed in 3.9.
For now if you run the script underneath from root's crontab every 5
minutes you'll most likely be ok.
There should be a check in the script to see if it is already running to
prevent another instance starting when the old one hasn't finished yet.
The check in the script in the FAQ was actually not working anyway so if
the script in the FAQ wasn't causing any problems this one will be ok too.
With this script there is just one script and no need for the user
pflogger anymore as everything is done as root. This allows tcpdump to
privsep which makes things safer.
/etc/pflogrotate:
#!/bin/sh
# rotate pflog file and feed to syslog
FILE=/var/log/pflog5min.$(date "+%Y%m%d%H%M")
# ALRM makes pflogd flush its buffered packets to disk before we measure the file
kill -ALRM "$(cat /var/run/pflogd.pid)"
# a pflog file always carries a 24-byte pcap header; anything larger holds packets.
# wc -c reads the size directly, where cutting a field out of "ls -l" output
# breaks as soon as the column widths shift.
if [ "$(wc -c < /var/log/pflog)" -gt 24 ]; then
    mv /var/log/pflog "$FILE"
    # HUP makes pflogd close the moved file and open a fresh /var/log/pflog
    kill -HUP "$(cat /var/run/pflogd.pid)"
    tcpdump -n -e -ttt -r "$FILE" | logger -p local0.info
    rm "$FILE"
fi
Hope this helps!
Daniel
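The mail above notes that the script still lacks a check against a second instance starting while the previous one is busy. The script below is an added example, not Daniel's /etc/pflogrotate and not part of the original thread: it performs the same rotate, HUP and tcpdump-to-logger steps, but wraps them in an atomic mkdir lock so an overlapping cron run refuses to proceed instead of racing on the same file. It assumes pflogd keeps its pid in /var/run/pflogd.pid and that a pflog file is a pcap file whose bare header is 24 bytes; the lock path /var/run/pflogrotate.lock and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not the original mail's script): pflog rotation with an
# "already running" guard. Paths come from the environment so the logic can
# be exercised against constructed files; pflogd's pid file location and the
# 24-byte pcap header size are assumptions, as is the lock directory name.

PFLOG=${PFLOG:-/var/log/pflog}
PIDFILE=${PIDFILE:-/var/run/pflogd.pid}
LOCKDIR=${LOCKDIR:-/var/run/pflogrotate.lock}
PCAP_HEADER_BYTES=24

# Byte size of a file. wc -c works in every sh; stat(1) flags differ by OS.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# True when the log holds at least one packet beyond the pcap header.
has_packets() {
    [ -f "$1" ] && [ "$(file_size "$1")" -gt "$PCAP_HEADER_BYTES" ]
}

# mkdir(2) is atomic, so exactly one caller can create the lock directory.
acquire_lock() { mkdir "$1" 2>/dev/null; }
release_lock() { rmdir "$1" 2>/dev/null; }

# Send a signal to pflogd. Kept separate so a test can replace it.
signal_pflogd() {
    kill "-$1" "$(cat "$2")"
}

# Decode the rotated file and hand it to syslog. Replaceable for tests.
consume_pflog() {
    tcpdump -n -e -ttt -r "$1" | logger -p local0.info
}

# Returns 0 when a file was rotated, 1 when the log held no packets,
# 2 when another instance still holds the lock.
rotate_pflog() {
    acquire_lock "$LOCKDIR" || return 2
    # ALRM flushes pflogd's buffered packets to disk before we measure.
    signal_pflogd ALRM "$PIDFILE"
    if ! has_packets "$PFLOG"; then
        release_lock "$LOCKDIR"
        return 1
    fi
    rotated="$PFLOG.$(date "+%Y%m%d%H%M%S")"
    mv "$PFLOG" "$rotated"
    # HUP makes pflogd close the moved file and open a fresh one.
    signal_pflogd HUP "$PIDFILE"
    consume_pflog "$rotated"
    rm -f "$rotated"
    release_lock "$LOCKDIR"
    return 0
}

# Run the rotation only when installed and executed as /etc/pflogrotate.
case "$0" in
    */pflogrotate|pflogrotate) rotate_pflog ;;
esac
```

Installed as /etc/pflogrotate and run from root's crontab every five minutes, a run that finds the lock directory present exits with status 2 and touches nothing; a crash that leaves a stale lock behind is visible as that directory and can be removed by hand. A five-minute rotation with a minute-resolution timestamp can collide only if two runs rotate in the same minute, which the lock already prevents, but the example uses seconds anyway.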
==== Original message from Martin Schröder at 28-5-2006 20:45
2006/5/28, Henning Brauer <[EMAIL PROTECTED]>:
> What's wrong here? Bug in the FAQ?
you have to start tcpdump as root so it can run privilege separated and
you don't have the scary decoders running with any real user's privs.
So it's a bug in the FAQ (faq/pf/logging.html), as that solution
doesn't work anymore.