Re: pf-log with syslog
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: pf-log with syslog
- From: "Arvid Grøtting" <arvidg_(_at_)_netfonds_(_dot_)_no>
- Date: Mon, 11 Feb 2002 13:41:44 +0100
- Mail-copies-to: never
- Newsgroups: gmane.openbsd.misc
- Organization: No such thing.
Matt Sauve-Frankel <baud_(_at_)_philosophiebleue_(_dot_)_com> writes:
> On Fri, Feb 08, 2002 at 03:56:37PM +0100, Arvid Grøtting wrote:
>> You could set up a process to do something like
>> tcpdump -i pflog0 -e -n -v | logger -t pf
> This probably isn't very sane.
I'm not either, so that makes sense then. ;-)
> Tcpdump has a history of security problems, you may not
> want to depend on it decoding packets in realtime running as root.
Indeed. You might not want to run it as root (all you need is read
access to /dev/bpf?), and you may also want to run it niced. Also,
you don't want your logging to create additional log entries, so make
sure the log traffic doesn't match any logging rules. You might even
want to log to a dedicated network interface.
> It's probably better to move the log files of the firewall at
> rotation time and analyze them on a separate machine with tcpdump
> or snort running as unprivileged user.
Unless, for one reason or another, you really, really *want*
almost-real-time logging. From several firewalls at once, perhaps.
Inline with other logs (including the snort log from your IDS probe).
I'm not advocating this as "best practice" or anything; I'm merely
pointing out that it's near-trivial to do if you want it.
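The pipeline discussed above, written out with the points raised in this exchange applied (unprivileged user, niced, line-buffered so logger sees entries promptly, and a loop-avoidance reminder). This is an added example, not a script from the thread; the sample pflog line it condenses is constructed, and the facility, tag and nice level are assumptions.

```sh
#!/bin/sh
# Added example: near-real-time pflog -> syslog relay.
# Assumptions: tcpdump, logger and nice are present; the invoking user is
# NOT root but can read /dev/bpf*; the syslog traffic this generates must
# not itself match a "log" rule in pf.conf, or the relay feeds on its own output.

PFLOG_IF="${PFLOG_IF:-pflog0}"
SYSLOG_TAG="${SYSLOG_TAG:-pf}"
NICE_LEVEL="${NICE_LEVEL:-10}"      # assumed value; lower priority than daemons

# Build the pipeline as a string so it can be inspected before it is run.
# -l makes tcpdump line-buffer stdout; without it, logger only sees output
# when the stdio buffer fills, which defeats "almost-real-time" logging.
build_relay_cmd() {
    printf 'nice -n %s tcpdump -l -i %s -e -n -v | logger -t %s -p local0.info' \
        "$NICE_LEVEL" "$1" "$2"
}

# Refuse to run as root; read access to the bpf device is all that is needed.
check_unprivileged() {
    [ "$(id -u)" -ne 0 ] || { echo "refusing to run as root" >&2; return 1; }
    for dev in /dev/bpf*; do
        [ -r "$dev" ] && return 0
    done
    echo "no readable /dev/bpf* device" >&2
    return 1
}

# Condense one verbose pflog line to "rule=N action dir if=X src > dst".
# Expected input shape (constructed, modelled on tcpdump's pflog decoder):
#   rule 2/0(match): block in on fxp0: 10.0.0.5.1234 > 192.0.2.7.22: S ...
# Lines that do not match this shape pass through unchanged.
condense_line() {
    printf '%s\n' "$1" | sed -E \
      's#^rule ([0-9]+)/[0-9]+\(([a-z]+)\): (pass|block) (in|out) on ([a-z0-9]+): ([^ ]+) > ([^:]+):.*$#rule=\1 \3 \4 if=\5 \6 > \7#'
}

# Start the relay (call this from an rc script as the unprivileged user).
run_relay() {
    check_unprivileged || return 1
    eval "$(build_relay_cmd "$PFLOG_IF" "$SYSLOG_TAG")"
}
```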