Send pf logs to syslog (mini HOWTO)

I was looking around for instructions on how to send logs of pf() to syslog and didn't find any I'd really like. All I wanted was something reliable, realtime, and simple.

I came up with the following setup that I felt fulfilled everything I wanted.

Code:
portmaster sysutils/daemontools
mkdir -p /service

cat >> /etc/rc.conf << __EOF__
svscan_enable="YES"
svscan_servicedir="/service"
__EOF__

service svscan start

mkdir -p /var/service/pf2syslog/log

cat >> /var/service/pf2syslog/run << __EOF__
#!/bin/sh
exec 2> /dev/null
exec /usr/sbin/tcpdump -nn -e -l -tttt -i pflog0 -s 0
__EOF__
chmod +x /var/service/pf2syslog/run

cat >> /var/service/pf2syslog/log/run << __EOF__
#!/bin/sh
exec /usr/bin/logger -p local0.notice -i -t pf2syslog
__EOF__
chmod +x /var/service/pf2syslog/log/run

ln -s /var/service/pf2syslog /service/

syslog-ng(8) listens on the other end and forwards the logs to a remote location over TCP port 601 in realtime.

To check how everything is going, run

Code:
# svstat /service/pf2syslog/ /service/pf2syslog/log/
/service/pf2syslog/: up (pid 3578) 1066 seconds
/service/pf2syslog/log/: up (pid 3577) 1066 seconds

Here, /service/pf2syslog/ is the tcpdump process, and /service/pf2syslog/log/ is the logger process. sysutils/daemontools handles the pipe from the first process to the second one.
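The lines that reach syslog this way are tcpdump's own pflog output (the "rule N/0(match): block in on em0: src.port > dst.port" form produced by -e). As an added example that is not part of the original post, here is a small sh function that reads such lines on stdin and counts blocked inbound packets per source address, which is a quick way to confirm the pipeline is carrying what you expect. The sample lines, the interface em0 and the addresses are constructed for the example; the function locates the "rule" field rather than assuming a fixed column, so it also accepts the same lines after syslog has prefixed them with a timestamp, hostname and the pf2syslog tag.

```shell
#!/bin/sh
# Added example (not from the original post): summarise pflog lines as
# written by "tcpdump -nn -e -l -tttt -i pflog0", i.e. the lines the
# log/run script forwards to syslog.  Prints "count source_ip" per blocked
# inbound source, most frequent first.
pf_blocked_sources() {
    awk '
        {
            # Find the "rule" token; everything before it (timestamp, or a
            # syslog prefix such as "host pf2syslog[123]:") is ignored.
            for (i = 1; i <= NF; i++) if ($i == "rule") break
            if (i > NF - 6) next          # not a pflog line, skip it
            action = $(i + 2)             # block / pass / match
            dir    = $(i + 3)             # in / out
            src    = $(i + 6)             # "addr.port" of the sender
            if (action == "block" && dir == "in") {
                sub(/\.[0-9]+$/, "", src) # drop the trailing ".port"
                count[src]++
            }
        }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' | sort -rn
}

# Constructed sample input: three raw tcpdump lines, one line as it would
# appear after passing through logger(1) and syslogd, and one pass line
# that must not be counted.
SAMPLE_PFLOG='2024-01-01 10:00:00.000001 rule 5/0(match): block in on em0: 192.0.2.10.44321 > 198.51.100.5.22: Flags [S], seq 1, win 64240, length 0
2024-01-01 10:00:01.000002 rule 5/0(match): block in on em0: 192.0.2.10.44322 > 198.51.100.5.23: Flags [S], seq 2, win 64240, length 0
2024-01-01 10:00:02.000003 rule 5/0(match): block in on em0: 203.0.113.7.5555 > 198.51.100.5.80: Flags [S], seq 3, win 64240, length 0
Jan  1 10:00:03 fw pf2syslog[3577]: 2024-01-01 10:00:03.000004 rule 5/0(match): block in on em0: 192.0.2.10.44323 > 198.51.100.5.25: Flags [S], seq 4, win 64240, length 0
2024-01-01 10:00:04.000005 rule 2/0(match): pass in on em0: 192.0.2.99.1234 > 198.51.100.5.443: Flags [S], seq 5, win 64240, length 0'

# Run the summary over the constructed sample when executed directly.
demo() {
    printf '%s\n' "$SAMPLE_PFLOG" | pf_blocked_sources
}
```

Against a live box the same function can be fed from the log itself, for example `tail -f /var/log/pf2syslog.log | pf_blocked_sources` if syslog-ng is writing the local0 facility to that file (a path assumed here, not one from the post); with tail -f the END block only fires when the input closes, so for a continuous view run it over a rotated file or a fixed window instead.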
I'm a newbie; this post was not so useful for me.
I want to send pf logs to a remote syslog.
Where can I find a guide for this purpose?
 
There are some differences between FreeBSD and OpenBSD as far as PF underneath the hood and how rules are done, but on this one in particular I would imagine the OpenBSD FAQ would be quite close. Looking at "Packet Logging Through Syslog", I don't see anything that stands out as being an issue on FreeBSD.
http://www.openbsd.org/faq/pf/logging.html
 