I was looking around for instructions on how to send logs of pf(4) to syslog and didn't find any I really liked. All I wanted was something reliable, realtime, and simple.
I came up with the following setup that I felt fulfilled everything I wanted.
Code:
portmaster sysutils/daemontools
mkdir -p /service
# svscan(8) from the port scans this directory for services to supervise
cat >> /etc/rc.conf << __EOF__
svscan_enable="YES"
svscan_servicedir="/service"
__EOF__
service svscan start
# pflog0 only exists when pf and pflog are enabled (pf_enable="YES" and
# pflog_enable="YES" in rc.conf); check with ifconfig pflog0 before going on
mkdir -p /var/service/pf2syslog/log
# use ">" here, not ">>": appending to a run script on a second try would break it
cat > /var/service/pf2syslog/run << __EOF__
#!/bin/sh
# stderr is dropped; stdout is connected to the log service by supervise(8)
exec 2> /dev/null
# -l line-buffers stdout so each packet reaches logger immediately,
# -tttt gives a full date and time, -s 0 captures whole packets
exec /usr/sbin/tcpdump -nn -e -l -tttt -i pflog0 -s 0
__EOF__
chmod +x /var/service/pf2syslog/run
cat > /var/service/pf2syslog/log/run << __EOF__
#!/bin/sh
# reads the tcpdump output on stdin and sends one syslog message per line
exec /usr/bin/logger -p local0.notice -i -t pf2syslog
__EOF__
chmod +x /var/service/pf2syslog/log/run
ln -s /var/service/pf2syslog /service/
syslog-ng(8) listens on the other end and sends the logs to a remote location over TCP port 601 in realtime.
To check that everything is running, run
Code:
# svstat /service/pf2syslog/ /service/pf2syslog/log/
/service/pf2syslog/: up (pid 3578) 1066 seconds
/service/pf2syslog/log/: up (pid 3577) 1066 seconds
Here, /service/pf2syslog/ is the tcpdump process, and /service/pf2syslog/log/ is the logger process. sysutils/daemontools handles the pipe from the first process to the second one: supervise(8) connects the stdout of the main run script to the stdin of log/run, so nothing else is needed to glue them together.
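Once the lines are in syslog, the obvious next step is to do something with them. Here is an added example of mine (not part of the original setup above) that reads pf2syslog lines from stdin and counts "block in" hits per source address. It assumes the line layout that tcpdump -nn -e -tttt prints for pflog ("rule N/M(match): block in on IFACE: SRC.PORT > DST.PORT: ..."), prefixed by the usual syslog header that logger adds; the sample lines are constructed, not real traffic, and the hostname "gw" and interface "em0" are made up.

```shell
#!/bin/sh
# Added example, not from the original post. Summarize blocked sources from
# pf2syslog lines as they land in the syslog file. Assumes the pflog layout
# that "tcpdump -nn -e -tttt -i pflog0" produces, with the syslog header
# that logger -i -t pf2syslog puts in front of it.

# Constructed sample of what the local0 log file might contain (not real traffic).
SAMPLE='Jan  5 10:00:01 gw pf2syslog[3577]: 2024-01-05 10:00:01.101234 rule 5/0(match): block in on em0: 192.0.2.1.54321 > 198.51.100.10.22: Flags [S], seq 1, win 65535, length 0
Jan  5 10:00:02 gw pf2syslog[3577]: 2024-01-05 10:00:02.223456 rule 5/0(match): block in on em0: 192.0.2.1.54322 > 198.51.100.10.23: Flags [S], seq 1, win 65535, length 0
Jan  5 10:00:03 gw pf2syslog[3577]: 2024-01-05 10:00:03.334567 rule 5/0(match): block in on em0: 192.0.2.1.54323 > 198.51.100.10.3389: Flags [S], seq 1, win 65535, length 0
Jan  5 10:00:04 gw pf2syslog[3577]: 2024-01-05 10:00:04.445678 rule 5/0(match): block in on em0: 203.0.113.7.40000 > 198.51.100.10.445: Flags [S], seq 1, win 65535, length 0
Jan  5 10:00:05 gw pf2syslog[3577]: 2024-01-05 10:00:05.556789 rule 5/0(match): block in on em0: 2001:db8::1.40001 > 2001:db8:1::10.22: Flags [S], seq 1, win 65535, length 0
Jan  5 10:00:06 gw pf2syslog[3577]: 2024-01-05 10:00:06.667890 rule 0/0(match): pass out on em0: 198.51.100.10.51000 > 192.0.2.53.53: 1234+ A? example.com. (29)
Jan  5 10:00:07 gw pf2syslog[3577]: 2024-01-05 10:00:07.778901 rule 5/0(match): block in on em0: 203.0.113.7.40001 > 198.51.100.10.445: Flags [S], seq 1, win 65535, length 0'

# top_blocked_sources: read syslog lines on stdin, keep only inbound blocks,
# strip the ".port" tcpdump appends to the source address and count hits
# per source. Output: "<count> <source>", highest count first.
top_blocked_sources() {
    awk '
        / block in on [^:]+: / {
            # everything after "on IFACE: " starts with "SRC.PORT > DST.PORT:"
            rest = $0
            sub(/^.* block in on [^:]+: /, "", rest)
            src = rest
            sub(/ > .*$/, "", src)
            # drop the trailing ".port"; works for both IPv4 and IPv6 sources
            sub(/\.[0-9]+$/, "", src)
            count[src]++
        }
        END { for (s in count) print count[s], s }
    ' | sort -rn
}

# sources_over: print only the sources with at least $1 blocked packets,
# which is the kind of threshold you would feed to an alert or a pf table.
sources_over() {
    top_blocked_sources | awk -v n="$1" '$1 >= n { print $2 }'
}

# Usage on the constructed sample; on a live box replace the printf with
# something like: tail -f /var/log/local0.log | top_blocked_sources
printf '%s\n' "$SAMPLE" | top_blocked_sources
```

The "pass out" line is ignored on purpose: the parser keys on " block in on ", so outbound traffic and passed packets never reach the counter. If you change the tcpdump flags (dropping -e, for instance) the "rule ... block in on em0:" prefix goes away and the pattern has to follow.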