PF logging - BSD



Thread: PF logging

  1. PF logging

    I just installed OBSD 4.3 for i386 and I'm playing with PF. I would
    like to only generate PF log output to /dev/console, and I want to change the
    format slightly. I modified pflog_flags in rc.conf to be "-f /dev/null" and
    I created a Perl script:

    http://www.ecr6.ohio-state.edu/~davism/dump2log.pl

    I have a suitable set of PF rules that log various activities and I get the
    desired output interactively with...

    # tcpdump -s 116 -n -l -e -i pflog0|perl dump2log.pl

    I have this line in syslog.conf:

    local0.info /dev/console

    Now, I can generate PF log messages to the console with...

    # tcpdump -s 116 -n -l -e -i pflog0|logger -t pfmon -p local0.info

    So far, so good. The problem comes in when I combine all three
    commands in a pipeline:

    # tcpdump ...|perl ...|logger ...

    When I try this, nothing shows up on /dev/console. I have the feeling I'm
    overlooking something obvious, but it's escaping me. Can anyone help? FWIW,
    when I interrupt the last line with Ctrl-C after generating some network
    traffic I know should trigger logging, I do see "N packets received by filter",
    where N is the number of packets that tcpdump found and supposedly printed.
    With tcpdump piped only into perl OR logger (or by itself), that number is
    consistent.

    Thanks,
    Mike
    --
    | Systems Specialist: CBE,MSE
    Michael T. Davis (Mike) | Departmental Networking/Computing
    http://www.ecr6.ohio-state.edu/~davism/ | The Ohio State University
    | 197 Watts, (614) 292-6928

  2. Re: PF logging

    --{ Michael T. Davis wrote this: }--

    > # tcpdump ...|perl ...|logger ...
    >
    > When I try this, nothing shows up on /dev/console. I have the feeling I'm
    > overlooking something obvious, but it's escaping me. Can anyone help?


    Just my two milli-euros. You can try flushing stdout in your perl
    script after every line. You can find more information about
    that in "perldoc perlfaq5". Basic code for auto-flush is

    $| = 1;

    near the beginning of your perl script.

    --
    Indeed, in the event of pedalling through semolina, the merguez is the
    perfectly suited baton to pass on.
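    The pitfall behind the advice above is stdio buffering: when a filter's stdout is a pipe rather than a terminal, the C library (and Perl and Python on top of it) switches to block buffering, so the reformatted lines sit in a kernel-sized buffer instead of reaching logger until the buffer fills or the process exits. Perl's $| = 1 turns that off. The filter below is an added example written for this thread, not Mike's dump2log.pl and not shipped with OpenBSD; it does the same job in Python so it can be run here: it parses lines of the shape tcpdump -n -e -l -i pflog0 prints for logged PF rules, rewrites them as compact key=value records for logger, and flushes after every line. The sample lines and the exact field layout they assume are constructed for the example; the real tcpdump output on a given OpenBSD release may differ in detail, and IPv6 addresses are not handled.

```python
import re
import sys

# Constructed samples in the general shape of `tcpdump -n -e -l -i pflog0`
# output for a logged rule (assumption for this example, not captured data).
SAMPLE = [
    "rule 12/(match) block in on em0: 192.0.2.5.43210 > 198.51.100.7.22: S 1:1(0) win 65535",
    "rule 3/(match) pass out on em1: 198.51.100.7.80 > 192.0.2.9.51512: P 10:20(10) ack 1 win 1024",
    "junk line that does not match",
]

# rule N/(reason) ACTION DIR on IFACE: SRC.SPORT > DST.DPORT: ...
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) (?P<action>\w+) (?P<dir>in|out) "
    r"on (?P<ifname>\S+): (?P<src>\S+) > (?P<dst>[^:]+):"
)


def split_host_port(hp):
    """'192.0.2.5.43210' -> ('192.0.2.5', '43210'); a bare IPv4 host -> (host, None)."""
    host, sep, port = hp.rpartition(".")
    if sep and port.isdigit() and host.count(".") == 3:
        return host, port
    return hp, None


def format_line(line):
    """Rewrite one tcpdump pflog line as a compact key=value record, or None if it does not match."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    src, sport = split_host_port(m["src"])
    dst, dport = split_host_port(m["dst"])
    return "pf action=%s dir=%s if=%s rule=%s src=%s spt=%s dst=%s dpt=%s" % (
        m["action"], m["dir"], m["ifname"], m["rule"],
        src, sport or "-", dst, dport or "-",
    )


def run(lines, out):
    """Filter stage of the pipeline: write one record per matching line and flush each one.

    The flush() after every write is the Python equivalent of Perl's $| = 1;
    without it, output to a pipe is block-buffered and logger sees nothing
    until the buffer fills or the filter exits.
    """
    written = 0
    for line in lines:
        rec = format_line(line.rstrip("\n"))
        if rec is None:
            continue
        out.write(rec + "\n")
        out.flush()
        written += 1
    return written


class Collector:
    """Minimal file-like sink, used to exercise run() without a real pipe."""

    def __init__(self):
        self.chunks = []
        self.flushes = 0

    def write(self, s):
        self.chunks.append(s)

    def flush(self):
        self.flushes += 1


if __name__ == "__main__":
    # Read from the pipe when there is one (tcpdump ... | python3 pflog2log.py | logger ...),
    # otherwise run over the constructed samples so the script is demonstrable on its own.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE
    run(source, sys.stdout)
```

Used in the pipeline from the original post it would read tcpdump ... | python3 pflog2log.py | logger -t pfmon -p local0.info. The same effect can be had without touching the script by running the interpreter unbuffered (python -u, or PYTHONUNBUFFERED=1), which is the Python counterpart of the -l flag the thread mentions for tcpdump; every stage of a pipeline that ends in logger has to be line-buffered for messages to arrive promptly.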

  3. Re: PF logging

    Begin <6q6fp5-mdq.ln1@prout.stex>
    On Mon, 8 Sep 2008 11:11:02 +0200, Thierry B. wrote:
    > --{ Michael T. Davis wrote this: }--
    >> # tcpdump ...|perl ...|logger ...
    >>
    >> When I try this, nothing shows up on /dev/console. I have the feeling I'm
    >> overlooking something obvious, but it's escaping me. Can anyone help?

    >
    > Just my two milli-euros. You can try flushing stdout in your perl
    > script after every line. You can find more information about
    > that in "perldoc perlfaq5". Basic code for auto-flush is
    >
    > $| = 1;
    >
    > near the beginning of your perl script.


    Also see the -l option to tcpdump.


    --
    j p d (at) d s b (dot) t u d e l f t (dot) n l .
    This message was originally posted on Usenet in plain text.
    Any other representation, additions, or changes do not have my
    consent and may be a violation of international copyright law.

  4. Re: PF logging


    In article <6q6fp5-mdq.ln1@prout.stex>, "Thierry B." writes:

    >--{ Michael T. Davis wrote this: }--
    >
    >> # tcpdump ...|perl ...|logger ...
    >>
    >> When I try this, nothing shows up on /dev/console. I have the feeling I'm
    >> overlooking something obvious, but it's escaping me. Can anyone help?

    >
    > Just my two milli-euros. You can try flushing stdout in your perl
    > script after every line. You can find more information about
    > that in "perldoc perlfaq5". Basic code for auto-flush is
    >
    >$| = 1;
    >
    > near the beginning of your perl script.


    That seems to have done the trick...thanks.

    >
    >--
    >Indeed, in the event of pedalling through semolina, the merguez is the
    >perfectly suited baton to pass on.


    Regards,
    Mike
    --
    | Systems Specialist: CBE,MSE
    Michael T. Davis (Mike) | Departmental Networking/Computing
    http://www.ecr6.ohio-state.edu/~davism/ | The Ohio State University
    | 197 Watts, (614) 292-6928

  5. Re: PF logging


    In article , jpd writes:

    >Begin <6q6fp5-mdq.ln1@prout.stex>
    >On Mon, 8 Sep 2008 11:11:02 +0200, Thierry B. wrote:
    >> --{ Michael T. Davis wrote this: }--
    >>> # tcpdump ...|perl ...|logger ...
    >>>
    >>> When I try this, nothing shows up on /dev/console. I have the feeling I'm
    >>> overlooking something obvious, but it's escaping me. Can anyone help?

    >>
    >> Just my two milli-euros. You can try flushing stdout in your perl
    >> script after every line. You can find more information about
    >> that in "perldoc perlfaq5". Basic code for auto-flush is
    >>
    >> $| = 1;
    >>
    >> near the beginning of your perl script.

    >
    >Also see the -l option to tcpdump.


    Um...if you look at my original post, you'll see I was already doing
    that. The issue seems to have been resolved by flushing the output stream in
    Perl as suggested earlier.

    >
    >
    >--
    > j p d (at) d s b (dot) t u d e l f t (dot) n l .
    > This message was originally posted on Usenet in plain text.
    > Any other representation, additions, or changes do not have my
    > consent and may be a violation of international copyright law.


    Regards,
    Mike
    --
    | Systems Specialist: CBE,MSE
    Michael T. Davis (Mike) | Departmental Networking/Computing
    http://www.ecr6.ohio-state.edu/~davism/ | The Ohio State University
    | 197 Watts, (614) 292-6928
