Solved Bash script need to log to /var/log/messages

I wrote a small bash script that parses my /var/log/auth.log, creates an array of IP addresses that have "exceeded maximum authentication attempts", cross-references those to pfctl -t bruteforce -T show and adds any new addresses in the log file to the bruteforce persist file... I've done this because I've noticed that since I added the persist file and overflow line recommended at https://www.freebsd.org/doc/handbook/firewalls-pf.html which looks like this:
Code:
pass in log quick on $ext_if inet proto tcp from any \
        to { $ext_ip, $localnet } port 22 \
        flags S/SA keep state \
        (max-src-conn 5, max-src-conn-rate 3/9, \
        overload <bruteforce> flush global)
and since then I have noticed my logs filling up with low-volume attacks, spaced out so as not to trip the overflow line.

I have two questions...

#1. How do I have this script inject messages into /var/log/messages to let me know what addresses it has added?

#2. Regardless of how many ways I try, I cannot get this script to redirect the output from pfctl to /dev/null. I always see the output on the screen stating 1/1 addresses were added.

This is the bit of code:
Code:
# Add each newly seen address to the pf table; pfctl reports the count it added on stderr
for (( c=0; c<${#NewIP[@]}; c++ )); do
  pfctl -t "$OverflowFile" -T add "${NewIP[$c]}" &>/dev/null   # &> is bash-only shorthand for >/dev/null 2>&1
done

Any ideas why this isn't working?
 
This is admittedly an incomplete answer, but maybe you could use the logger facility and specify a priority for the message with the -p switch (which determines where the message is logged to).

I use that method to log exit statuses of my weekly backups on Linux. I have something like this in my backups scripts:
Code:
logger -ip syslog.info "files and profiles backed up successfully"

That injects a line in syslog saying ... well you see what it says :p. I don't remember where I've seen it, but there's a config file where you can specify which log those messages get sent to.

Also, it might be the case that stderr is being redirected correctly in your current configuration, but a different utility is posting it to console as well (that's a feature in logger or syslog; I forget which).
 
Here's what I was talking about: syslogd.

/etc/syslog.conf
Code:
# $FreeBSD: releng/10.3/etc/syslog.conf 260519 2014-01-10 17:56:23Z asomers $
#
#       Spaces ARE valid field separators in this file. However,
#       other *nix-like systems still insist on using tabs as field
#       separators. If you are sharing this file between systems, you
#       may want to use only tabs as field separators here.
#       Consult the syslog.conf(5) manpage.
*.err;kern.warning;auth.notice;mail.crit                /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
So you could probably just execute a logger command line with syslog.notice as its priority.
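Putting the two replies together with the original question, here is an added example (not the poster's script and not from the FreeBSD handbook) of the whole loop: extract the offending addresses from auth.log, diff them against the pf table, add the new ones with pfctl's "1/1 addresses added." message silenced, and record each addition through logger -p syslog.notice so syslogd files it under /var/log/messages per the syslog.conf shown above. The auth.log lines and the table listing are constructed samples; the logger tag ssh-overload is an arbitrary name chosen here, and the table name bruteforce is taken from the question.

```shell
#!/bin/sh
# Added example, not the poster's script: parse sshd "maximum authentication
# attempts" lines, diff the offending addresses against a pf table, add the
# new ones with pfctl's chatter silenced, and record each addition via
# logger(1) so syslogd routes it by facility.priority (syslog.notice reaches
# /var/log/messages with the stock FreeBSD syslog.conf).

# Constructed sample of /var/log/auth.log lines (not real data).
SAMPLE_AUTH_LOG='Jan 10 17:56:23 host sshd[1234]: error: maximum authentication attempts exceeded for root from 203.0.113.5 port 4242 ssh2 [preauth]
Jan 10 17:57:01 host sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2
Jan 10 17:58:10 host sshd[1251]: error: maximum authentication attempts exceeded for invalid user admin from 203.0.113.9 port 4311 ssh2 [preauth]
Jan 10 17:59:00 host sshd[1260]: error: maximum authentication attempts exceeded for root from 203.0.113.5 port 4300 ssh2 [preauth]'

# Constructed sample of "pfctl -t bruteforce -T show" output; pfctl indents
# each address with three spaces.
SAMPLE_TABLE='   203.0.113.9
   192.0.2.44'

# Read auth.log lines on stdin; print each IPv4 address that hit the limit,
# sorted and deduplicated.
offending_ips() {
    awk '/maximum authentication attempts/ {
             for (i = 1; i < NF; i++)
                 if ($i == "from" && $(i + 1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                     print $(i + 1)
         }' | sort -u
}

# $1: newline-separated candidate addresses; $2: raw "pfctl -T show" output.
# Prints the candidates not already in the table, in candidate order.
new_addresses() {
    printf '%s\n' "$2" | sed 's/^[[:space:]]*//' |
        awk -v cand="$1" '
            NF { seen[$1] = 1 }
            END {
                n = split(cand, a, "\n")
                for (i = 1; i <= n; i++)
                    if (a[i] != "" && !(a[i] in seen)) print a[i]
            }'
}

# Read addresses on stdin and add each to pf table $1 (default: bruteforce).
# pfctl prints "1/1 addresses added." on stderr, so both streams go to
# /dev/null in the portable form; &>/dev/null is bash syntax that a POSIX
# /bin/sh reads as a background job plus a bare redirection. Each addition is
# then handed to syslogd with -p syslog.notice, which the stock syslog.conf
# files under /var/log/messages; -t sets the tag and -i adds the script's PID.
ban_new() {
    table=${1:-bruteforce}
    while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        if pfctl -t "$table" -T add "$ip" >/dev/null 2>&1; then
            logger -i -t ssh-overload -p syslog.notice "added $ip to pf table <$table>"
        fi
    done
}

# Real run only where pf is present; elsewhere the functions above can be
# exercised on the constructed samples.
if command -v pfctl >/dev/null 2>&1 && [ -r /var/log/auth.log ]; then
    candidates=$(offending_ips < /var/log/auth.log)
    new_addresses "$candidates" "$(pfctl -t bruteforce -T show)" | ban_new bruteforce
fi
```

Run it from cron as root; each address it adds shows up in /var/log/messages as a line tagged ssh-overload, and since the pfctl output is discarded rather than the logger output, the script stays quiet on the terminal while still leaving an audit trail. Swapping syslog.notice for a facility such as local0.notice lets you route these lines to a file of their own by adding a matching selector to /etc/syslog.conf.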
 