I want to get logs from my pf firewall sorted into their own log file. I was able to do this pretty easily with ipfw, and got log lines like:
Code:
Mar 5 11:34:44 flamingo kernel[0] <Debug>: ipfw: 65534 Deny ICMP:3.10 192.168.4.233 192.168.92.60 in via en0
For pf, it looks like Apple neglected to include a working pflogd, so we need to create our own, like:
Code:
/sbin/ifconfig pflog0 create                          # bring up the pflog pseudo-interface pf logs to
/usr/sbin/tcpdump -lnettti pflog0 | /usr/bin/logger -t pf   # line-buffered, no name lookups, tagged "pf" in syslog
That results in lines in system.log that look like:
Code:
Mar 5 11:57:50 flamingo.mydomain.com pf[51938]: 00:00:00.000000 rule 1/8(ip-option): pass in on en0: 172.24.32.41 > 224.0.0.1: igmp query v2
That makes it kind of tough to write ASL rules: who the heck is the "sender"? Not kernel.
logger includes the ability to send to a given log facility, but I have no idea how OSX handles traditional syslog messages. /etc/syslog.conf has been pretty much abandoned; /etc/newsyslog.conf is used for rotation.
So, I'd like to get logger to:
1. not echo the pid after 'pf' - That doesn't help me.
2. skip writing out the FQDN. hostname is plenty.
3. be able to write a rule in /etc/asl.conf that will catch these messages.
Thanks for any help!
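An added example, not code from the original post: the same tcpdump | logger pipeline with a small awk normalizer in the middle that drops tcpdump's delta timestamp (syslog stamps each line itself) and turns the rule/reason/action/direction/interface prose into key=value pairs, plus a facility on the logger call so ASL has something to match. The `pf` in `pf[51938]` is the tag handed to `logger -t`, which ASL records as the Sender. Assumptions: the sample lines are constructed to mimic the format quoted above, the facility `local2` and the path `/var/log/pf.log` are arbitrary choices, and the asl.conf rule is written from memory of asl.conf(5) (a `?` query line with bracketed key/value matches and a `file` action), so check it against your system's man page.

```shell
#!/bin/sh
# Added example for routing pf logs on OS X; not from the original post.
# Facility local2, /var/log/pf.log and the asl.conf syntax are assumptions.

# Constructed sample lines in the shape "tcpdump -lnettti pflog0" prints them.
pf_sample() {
    cat <<'EOF'
00:00:00.000000 rule 1/8(ip-option): pass in on en0: 172.24.32.41 > 224.0.0.1: igmp query v2
00:00:01.234567 rule 3/0(match): block in on en0: 10.0.0.5.4444 > 192.168.4.233.22: Flags [S], seq 1, win 65535, length 0
garbage line that does not come from pflog
EOF
}

# Rewrite each pflog line as key=value pairs, dropping the delta timestamp
# and splitting rule number, reason, action, direction and interface so a
# later grep does not have to reparse tcpdump's wording. Lines that do not
# have the expected shape are passed through with an "unparsed:" prefix.
pf_normalize() {
    awk '
    # $1 delta time, $2 "rule", $3 "N/M(reason):", $4 action, $5 direction,
    # $6 "on", $7 "ifname:", $8 src, $9 ">", $10 "dst:", $11.. packet summary
    $2 == "rule" && $6 == "on" && $9 == ">" {
        split($3, r, "/")                                   # r[1] is the rule number
        reason = $3; sub(/^[^(]*\(/, "", reason); sub(/\):$/, "", reason)
        iface = $7;  sub(/:$/, "", iface)
        dst = $10;   sub(/:$/, "", dst)
        rest = ""
        for (i = 11; i <= NF; i++) rest = rest (i > 11 ? " " : "") $i
        printf "rule=%s reason=%s action=%s dir=%s if=%s src=%s dst=%s %s\n", r[1], reason, $4, $5, iface, $8, dst, rest
        next
    }
    { print "unparsed: " $0 }
    '
}

# Quick self-check: how many of the sample lines parse as pflog records.
pf_parsed_count() {
    pf_sample | pf_normalize | grep -c '^rule='
}

# The live pipeline from the post with the normalizer in the middle and a
# facility set so ASL can route on it. Needs root and a real pflog0, so the
# self-check above does not call it.
pf_log_run() {
    /sbin/ifconfig pflog0 create 2>/dev/null || true    # fine if it already exists
    /usr/sbin/tcpdump -lnettti pflog0 | pf_normalize | /usr/bin/logger -p local2.info -t pf
}

# Matching asl.conf rule (assumed syntax, from memory of asl.conf(5)).
# Append it to /etc/asl.conf and restart syslogd; "pf" from "logger -t pf"
# is also available as the Sender key if you prefer to match on that.
pf_asl_rule() {
    printf '%s\n' '? [= Facility local2] file /var/log/pf.log'
}
```

Run `pf_sample | pf_normalize` to see the constructed lines rewritten; the unparsed line shows what happens to anything tcpdump prints that is not a pflog record, such as its startup banner on stderr if you forget to redirect it.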