
PF logging


Michael T. Davis

Sep 8, 2008, 2:52:53 AM
I just installed OBSD 4.3 for i386 and I'm playing with PF. I would
like to only generate PF log output to /dev/console, and I want to change the
format slightly. I modified pflog_flags in rc.conf to be "-f /dev/null" and
I created a Perl script:

http://www.ecr6.ohio-state.edu/~davism/dump2log.pl

I have a suitable set of PF rules that log various activities and I get the
desired output interactively with...

# tcpdump -s 116 -n -l -e -i pflog0|perl dump2log.pl

I have this line in syslog.conf:

local0.info /dev/console

Now, I can generate PF log messages to the console with...

# tcpdump -s 116 -n -l -e -i pflog0|logger -t pfmon -p local0.info

So far, so good. The problem comes in when I combine all three
commands in a pipeline:

# tcpdump ...|perl ...|logger ...

When I try this, nothing shows up on /dev/console. I have the feeling I'm
overlooking something obvious, but it's escaping me. Can anyone help? FWIW,
when I interrupt the last line with Ctrl-C after generating some network
traffic I know should trigger logging, I do see "N packets received by filter",
where N is the number of packets that tcpdump found and supposedly printed.
With tcpdump piped only into perl OR logger (or by itself), that number is
consistent.

Thanks,
Mike
--
| Systems Specialist: CBE,MSE
Michael T. Davis (Mike) | Departmental Networking/Computing
http://www.ecr6.ohio-state.edu/~davism/ | The Ohio State University
| 197 Watts, (614) 292-6928

Thierry B.

Sep 8, 2008, 5:11:02 AM
--{ Michael T. Davis plopped this: }--

> # tcpdump ...|perl ...|logger ...
>
> When I try this, nothing shows up on /dev/console. I have the feeling I'm
> overlooking something obvious, but it's escaping me. Can anyone help?

Just my two milli-euros. You can try flushing stdout in your perl
script after every line. You can find more information about
that in "perldoc perlfaq5". Basic code for auto-flush is

$| = 1;

near the beginning of your perl script.

--
Indeed, in the pedalling-in-semolina event, the merguez is the
perfectly suitable baton to pass.
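
The fix suggested above, shown in context as an added example (not part of the original thread, and not the poster's dump2log.pl): a minimal Perl filter for the middle stage of the tcpdump | perl | logger pipeline. When STDOUT is a pipe, Perl block-buffers it, so a slow trickle of PF log lines sits in the buffer and never reaches logger. The pflog line layout matched by the regex, the sample line and the output format are assumptions.

```perl
#!/usr/bin/perl
# Added example: hypothetical stand-in for the middle stage of
#   tcpdump -s 116 -n -l -e -i pflog0 | perl filter.pl | logger -t pfmon -p local0.info
use strict;
use warnings;

# STDOUT is a pipe here, so Perl block-buffers it and logger sees nothing
# until the buffer fills or the script exits. Flush after every print.
# Equivalent: use IO::Handle; STDOUT->autoflush(1);
$| = 1;

# Assumed layout of a "tcpdump -n -e -i pflog0" line (constructed sample):
#   Sep 08 02:52:53.123456 rule 3/(match) block in on fxp0: 192.0.2.10.4242 > 192.0.2.1.22: S ...
my $re = qr{
    \brule\s+(\S+?)/\((\w+)\)\s+      # rule number and match reason
    (\w+)\s+(in|out)\s+on\s+(\S+):    # action, direction, interface
    \s+(\S+)\s+>\s+(\S+):             # source and destination (addr.port)
}x;

while (my $line = <STDIN>) {
    chomp $line;
    if ($line =~ $re) {
        my ($rule, $reason, $action, $dir, $iface, $src, $dst) =
            ($1, $2, $3, $4, $5, $6, $7);
        print "pf $action $dir on $iface rule=$rule ($reason) src=$src dst=$dst\n";
    } else {
        # Pass unparsed lines through rather than silently dropping log data.
        print "pf unparsed: $line\n";
    }
}
```

Run interactively the filter looks fine with or without the `$| = 1` line, because a terminal is line-buffered; the difference only shows once its output goes into a pipe.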

jpd

Sep 8, 2008, 5:50:23 AM
Begin <6q6fp5-...@prout.stex>

On Mon, 8 Sep 2008 11:11:02 +0200, Thierry B. <t...@prout.stex.invalid> wrote:
> --{ Michael T. Davis plopped this: }--
>> # tcpdump ...|perl ...|logger ...
>>
>> When I try this, nothing shows up on /dev/console. I have the feeling I'm
>> overlooking something obvious, but it's escaping me. Can anyone help?
>
> Just my two milli-euros. You can try flushing stdout in your perl
> script after every line. You can find more information about
> that in "perldoc perlfaq5". Basic code for auto-flush is
>
> $| = 1;
>
> near the beginning of your perl script.

Also see the -l option to tcpdump.


--
j p d (at) d s b (dot) t u d e l f t (dot) n l .
This message was originally posted on Usenet in plain text.
Any other representation, additions, or changes do not have my
consent and may be a violation of international copyright law.

Michael T. Davis

Sep 8, 2008, 11:37:21 AM

In article <6q6fp5-...@prout.stex>, "Thierry B." <t...@prout.stex.invalid>
writes:

>--{ Michael T. Davis plopped this: }--
>
>> # tcpdump ...|perl ...|logger ...
>>
>> When I try this, nothing shows up on /dev/console. I have the feeling I'm
>> overlooking something obvious, but it's escaping me. Can anyone help?
>
> Just my two milli-euros. You can try flushing stdout in your perl
> script after every line. You can find more information about
> that in "perldoc perlfaq5". Basic code for auto-flush is
>
>$| = 1;
>
> near the beginning of your perl script.

That seems to have done the trick...thanks.

>
>--
>Indeed, in the pedalling-in-semolina event, the merguez is the
>perfectly suitable baton to pass.

Regards,

Michael T. Davis

Sep 8, 2008, 11:39:18 AM

In article <slrngc9tav.136...@mantell0.local>, jpd
<read_t...@do.not.spam.it.invalid> writes:

>Begin <6q6fp5-...@prout.stex>
>On Mon, 8 Sep 2008 11:11:02 +0200, Thierry B. <t...@prout.stex.invalid> wrote:
>> --{ Michael T. Davis plopped this: }--
>>> # tcpdump ...|perl ...|logger ...
>>>
>>> When I try this, nothing shows up on /dev/console. I have the feeling I'm
>>> overlooking something obvious, but it's escaping me. Can anyone help?
>>
>> Just my two milli-euros. You can try flushing stdout in your perl
>> script after every line. You can find more information about
>> that in "perldoc perlfaq5". Basic code for auto-flush is
>>
>> $| = 1;
>>
>> near the beginning of your perl script.
>
>Also see the -l option to tcpdump.

Um...if you look at my original post, you'll see I was already doing
that. The issue seems to have been resolved by flushing the output stream in
Perl as suggested earlier.

>
>
>--
> j p d (at) d s b (dot) t u d e l f t (dot) n l .
> This message was originally posted on Usenet in plain text.
> Any other representation, additions, or changes do not have my
> consent and may be a violation of international copyright law.

Regards,
