Re: [pfSense-discussion] Detailed syslog format.

2008-03-27 Thread Chris Buechler

[EMAIL PROTECTED] wrote:

Hi

I'm trying to do some analysing on the raw log format sent to syslog:

snip

check out pflog.
http://www.openbsd.org/faq/pf/logging.html

http://www.google.com/search?q=pflog

quite a bit of stuff available.

for the underlying ruleset you're running, see status.php.



[pfSense-discussion] Detailed syslog format.

2008-03-26 Thread [EMAIL PROTECTED]

Hi

I'm trying to do some analysing on the raw log format sent to syslog:

2008-03-27 04:32:48.433 +01:00  10.20.30.2:514  local0.info Mar 27
05:32:39 pf: 036068 rule 74/0(match): pass in on vr1: (tos 0x0, ttl 128,
id 40459, offset 0, flags [DF], proto: TCP (6), length: 48)
10.20.30.104.3848  208.67.180.236.80: S, cksum 0x133d (correct),
3737710370:3737710370(0) win 65535 mss 1460,nop,nop,sackOK 

2008-03-27 04:34:20.531 +01:00  10.20.30.2:514  local0.info Mar 27
05:34:11 pf: 92. 202481 rule 122/0(match): block in on vr0: (tos 0x0,
ttl  52, id 60316, offset 0, flags [DF], proto: TCP (6), length: 48)
195.69.130.87.80  88.89.90.187.58737: S, cksum 0x24b9 (correct),
2830268228:2830268228(0) ack 1965340180 win 5840 mss
1460,nop,nop,sackOK 

2008-03-27 04:34:21.544 +01:00  10.20.30.2:514  local0.info Mar 27
05:34:12 pf: 399259 rule 122/0(match): block in on vr0: (tos 0x0, ttl
52, id 37849, offset 0, flags [DF], proto: TCP (6), length: 48)
195.69.130.87.80  88.89.90.187.52560: S, cksum 0xd882 (correct),
2841978833:2841978833(0) ack 3351844487 win 5840 mss
1460,nop,nop,sackOK 

2008-03-27 04:34:21.544 +01:00  10.20.30.2:514  local0.info Mar 27
05:34:12 pf: 399827 rule 122/0(match): block in on vr0: (tos 0x0, ttl
52, id 35836, offset 0, flags [DF], proto: TCP (6), length: 48)
195.69.130.87.80  88.89.90.187.64369: S, cksum 0x2bb6 (correct),
2840432129:2840432129(0) ack 3463784558 win 5840 mss
1460,nop,nop,sackOK 

2008-03-27 04:40:00.944 +01:00  10.20.30.2:514  local0.info Mar 27
05:39:51 pf: 338. 530700 rule 74/0(match): pass in on vr1: (tos 0x0, ttl
128, id 49367, offset 0, flags [DF], proto: TCP (6), length: 48)
10.20.30.104.4299  66.35.250.150.80: S, cksum 0x8e53 (correct),
3051086764:3051086764(0) win 65535 mss 1460,nop,nop,sackOK 

and I wonder where to find documentation on the log format. I'm
especially puzzled by the header

92. 202481 rule 122/0(match):

I guess that the rule 122/0 is a reference to the underlying filterset
pfSense generates, but how do I see that set?
What are the two other numbers? As you can see above, the first number is
not always present?

Thanks
Claus
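A parser for lines in the format quoted above, added here as an example and not taken from either message. It assumes the number(s) between `pf:` and `rule` are tcpdump's `-ttt` delta since the previous packet (seconds printed only when non-zero, microseconds always six zero-padded digits), which is consistent with the samples, and it counts hits per `rule/subrule` so they can be checked against the ruleset shown on status.php.

```python
import re
# Constructed samples modelled on the post's lines, re-joined onto one line each;
# tcpdump's "> " between endpoints (apparently dropped by the archive) is optional.
SAMPLES = [
    "2008-03-27 04:32:48.433 +01:00  10.20.30.2:514  local0.info Mar 27 05:32:39 pf: "
    "036068 rule 74/0(match): pass in on vr1: (tos 0x0, ttl 128, id 40459, offset 0, "
    "flags [DF], proto: TCP (6), length: 48) 10.20.30.104.3848 > 208.67.180.236.80: "
    "S, cksum 0x133d (correct), 3737710370:3737710370(0) win 65535 mss 1460,nop,nop,sackOK",
    "2008-03-27 04:34:20.531 +01:00  10.20.30.2:514  local0.info Mar 27 05:34:11 pf: "
    "92. 202481 rule 122/0(match): block in on vr0: (tos 0x0, ttl  52, id 60316, offset 0, "
    "flags [DF], proto: TCP (6), length: 48) 195.69.130.87.80  88.89.90.187.58737: "
    "S, cksum 0x24b9 (correct), 2830268228:2830268228(0) ack 1965340180 win 5840",
]

PF_RE = re.compile(
    r"pf:\s+"
    # Assumption: the leading numbers are tcpdump's -ttt delta since the previous
    # packet, seconds ("92. ") printed only when non-zero and microseconds always
    # six zero-padded digits ("036068"); that is consistent with every sample.
    r"(?:(?P<dsec>\d+)\.\s+)?(?P<dusec>\d{6})\s+"
    r"rule\s+(?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>[^)]+)\):\s+"
    r"(?P<action>pass|block)\s+(?P<dir>in|out)\s+on\s+(?P<iface>\w+):\s+"
    r"\((?P<iphdr>.*?)\)\s+"                       # IP header dump, contains "(6)"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+(?:>\s+)?"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)

def parse_pf_line(line):
    """Return the pf fields of one syslog line as a dict, or None for non-pf lines."""
    m = PF_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    f["delta"] = int(f.pop("dsec") or 0) + int(f.pop("dusec")) / 1_000_000
    for key in ("rule", "subrule", "sport", "dport"):
        f[key] = int(f[key])
    hdr = f.pop("iphdr")  # e.g. "tos 0x0, ttl 128, ..., proto: TCP (6), length: 48"
    f["ttl"] = int(re.search(r"ttl\s+(\d+)", hdr).group(1))
    f["proto"] = re.search(r"proto:\s+(\w+)", hdr).group(1)
    f["length"] = int(re.search(r"length:\s+(\d+)", hdr).group(1))
    return f

def hits_per_rule(lines):
    """Count (action, 'rule/subrule') so the hits can be checked against status.php."""
    counts = {}
    for f in filter(None, map(parse_pf_line, lines)):
        key = (f["action"], f"{f['rule']}/{f['subrule']}")
        counts[key] = counts.get(key, 0) + 1
    return counts
```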