Todd Gruhn <tgru...@gmail.com> writes:

> Logging.
> Can I set/use npf.log?
>
> Do I need to add a line to syslog.conf?
> I used this to tell ipf to log here.
>
> Why can't I see either ipf/npf when I do 'ps -aux'?
IPF and NPF log in very different ways.

For NPF you need to put this:

procedure "log" { log: npflog0 }

in your /etc/npf.conf file, and then on every rule you want to have a log entry you put an 'apply "log"' directive. Something like this:

block out family inet4 to any port $xennet4_tcp_udp apply "log"

I believe that there are examples in the npf.conf(5) man page and /usr/share/examples/npf.

With the above, you will get another network interface called npflog0 that you can tcpdump against and see what was logged, as NPF logs actual packets. There is no text file output and nothing for syslog. If you want a file to automatically be created, you can run npfd. See the npfd(8) man page for examples on how to do this. This will create a binary file that you can feed into tcpdump to decode the logged packet. Again, there is no text output. With NPF, what is logged is the actual packet, plus some additional metadata about which rule fired. See the man pages for more information.

For IPF, the logging is done with ipmon, which can be instructed to log to a certain syslog facility, which can be put into a file, or whatever, by syslogd.

In either the NPF or IPF case, there won't be a daemon running for the firewall / NAT parts. For NPF, there might not be a daemon running for logging either, if you don't care about file output. If your only interest is in real-time logs then just tcpdump the npflog interface. Note that since this is a NIC, more than one process can tcpdump it and nothing will be lost. For IPF, ipmon has to be running correctly to get log output, and only one ipmon can be running. If you have more than one running, they will steal information from each other (say you have one running with output to a file and one running with output to stdout; you won't get everything from either of them).
For NPF, you can do some clever stuff with tcpdump against the npflog interface where that output is piped into something else and maybe, for example, sent to Elasticsearch to be viewed and digested in detail. For IPF, the same thing can happen with ipmon, which can send its output to stdout and on to something like, for example, Elasticsearch. Etc., etc., etc.

--
Brad Spencer - b...@anduin.eldar.org - KC8VKS - http://anduin.eldar.org
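The following is an added, constructed example of a complete minimal /etc/npf.conf that puts the "log" procedure from the reply above into a full ruleset; it is not from the thread or from the NPF project. The interface name $ext_if (wm0) and the group layout are assumptions; only blocked traffic is sent to npflog0 so the capture stays small.

```conf
# /etc/npf.conf (constructed example; interface name is an assumption)
$ext_if = "wm0"

# Rule procedure: copy matching packets to the pseudo-interface npflog0.
# Nothing is written to syslog; read the packets with tcpdump or npfd.
procedure "log" {
    log: npflog0
}

group "external" on $ext_if {
    # Allow and track outbound connections; no logging for normal traffic.
    pass stateful out final all

    # Everything else arriving on the external interface is dropped,
    # and every dropped packet is handed to the "log" procedure.
    block in final all apply "log"
}

group default {
    pass final on lo0 all
    # Default deny for any other interface, also logged.
    block all apply "log"
}
```

After `npfctl reload` and `npfctl start`, `tcpdump -n -i npflog0` shows the blocked packets together with the rule that fired.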