syslog support for OpenBSD pflogd


Introduction

This little hack adds support for logging via syslog to the OpenBSD packet filter logging daemon, pflogd. It is a kind of minimal tcpdump + logger integrated into pflogd. The goal is more efficient and more secure real-time logging for small applications, such as the Soekris Engineering Net4501. It is not officially supported by the OpenBSD project - I strongly suggest you examine the code before you apply this thing on production systems! I have tried to keep things small and simple, but sniffing is a very dangerous business these days.

The patch implements a bare-bones parser for ICMP, TCP, UDP, ICMPv6 and fragmented IP traffic (the protocol types shown in the examples below).

Entries for each of these might look like this in the actual syslog file:

Mar  9 10:40:57 fw pflogd[9]: rule 1/0(match): block in on xl0: icmp: 10.10.10.1 -> 10.10.10.2 type 8/0
Mar  9 10:40:57 fw pflogd[9]: rule 1/0(match): block in on xl0: tcp: 10.10.10.1:25445 -> 10.10.10.2:23 flags S (DF)
Mar  9 10:40:57 fw pflogd[9]: rule 1/0(match): block in on xl0: udp: 10.10.10.1:32484 -> 10.10.10.2:53
Mar  9 10:40:57 fw pflogd[9]: rule 1/0(match): block in on xl0: icmp6: ::1 -> ::1 type 128/0
Mar  9 10:40:57 fw pflogd[9]: rule 1/0(match): block in on xl0: ip-frag: 10.10.10.2 -> 10.10.10.1

IP addresses (v4/v6) and port numbers are presented in numerical form - no name resolving is done. (DF) at the end of a line means that the "Don't Fragment" bit was set in the IP header.
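The line format above is easy to consume from a log-analysis script, which is the point of sending it through syslog. The following parser is an added example for this page, not part of the patch or of pflogd itself: it recognises the five line shapes shown (ICMP, TCP, UDP, ICMPv6 and ip-frag), keeps the numeric addresses and ports, records whether (DF) was present, and ignores syslog lines from other programs. The sample input reuses the page's example lines plus one constructed sshd line; the regular expressions assume exactly the field layout shown above and that "(DF)" may follow any protocol's entry, and the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Sample input: the page's example lines plus one constructed non-pflogd line.
SAMPLE_LOG = """\
Mar  9 10:40:57 fw pflogd[9]: rule 1/0(match): block in on xl0: icmp: 10.10.10.1 -> 10.10.10.2 type 8/0
Mar  9 10:40:57 fw pflogd[9]: rule 1/0(match): block in on xl0: tcp: 10.10.10.1:25445 -> 10.10.10.2:23 flags S (DF)
Mar  9 10:40:57 fw pflogd[9]: rule 1/0(match): block in on xl0: udp: 10.10.10.1:32484 -> 10.10.10.2:53
Mar  9 10:40:57 fw pflogd[9]: rule 1/0(match): block in on xl0: icmp6: ::1 -> ::1 type 128/0
Mar  9 10:40:57 fw pflogd[9]: rule 1/0(match): block in on xl0: ip-frag: 10.10.10.2 -> 10.10.10.1
Mar  9 10:40:58 fw sshd[123]: Accepted publickey for user from 10.10.10.1
"""

# "Mon DD HH:MM:SS host pflogd[pid]: rule N/M(reason): action dir on if: proto: <rest>"
_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pflogd\[(?P<pid>\d+)\]: "
    r"rule (?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>[^)]+)\): "
    r"(?P<action>\S+) (?P<direction>in|out) on (?P<ifname>[^:]+): "
    r"(?P<proto>[\w-]+): (?P<rest>.*)$"
)
# Optional trailing "(DF)" (assumed to be allowed after any protocol's entry).
_OPTS = r"(?: \((?P<opts>[^)]*)\))?$"
# tcp/udp: "src:sport -> dst:dport [flags F] [(DF)]"; greedy \S+ backtracks to the last
# colon, so IPv6 addresses with ports would split correctly too.
_L4 = re.compile(r"^(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)"
                 r"(?: flags (?P<flags>\S+))?" + _OPTS)
# icmp/icmp6: "src -> dst type T/C [(DF)]"
_ICMP = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+) type (?P<type>\d+)/(?P<code>\d+)" + _OPTS)
# ip-frag (and any other proto): "src -> dst [(DF)]"
_PLAIN = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+)" + _OPTS)


@dataclass
class PfLogEntry:
    timestamp: str
    host: str
    rule: int
    subrule: int
    reason: str
    action: str
    direction: str
    ifname: str
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    tcp_flags: Optional[str] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    dont_fragment: bool = False


def parse_line(line: str) -> Optional[PfLogEntry]:
    """Parse one syslog line; return None for lines not written by the patched pflogd."""
    m = _HEADER.match(line.rstrip("\n"))
    if m is None:
        return None
    proto, rest = m.group("proto"), m.group("rest")
    if proto in ("tcp", "udp"):
        body = _L4.match(rest)
    elif proto in ("icmp", "icmp6"):
        body = _ICMP.match(rest)
    else:
        body = _PLAIN.match(rest)
    if body is None:
        return None  # pflogd header but an unexpected payload shape: do not guess
    g = body.groupdict()
    entry = PfLogEntry(
        timestamp=m.group("ts"), host=m.group("host"),
        rule=int(m.group("rule")), subrule=int(m.group("subrule")), reason=m.group("reason"),
        action=m.group("action"), direction=m.group("direction"), ifname=m.group("ifname"),
        proto=proto, src=g["src"], dst=g["dst"],
        dont_fragment=(g.get("opts") == "DF"),
    )
    if "sport" in g:  # tcp/udp payload
        entry.sport, entry.dport = int(g["sport"]), int(g["dport"])
        entry.tcp_flags = g.get("flags")
    if "type" in g:   # icmp/icmp6 payload
        entry.icmp_type, entry.icmp_code = int(g["type"]), int(g["code"])
    return entry


def parse_lines(text: str) -> List[PfLogEntry]:
    """Parse a whole syslog file, silently skipping non-pflogd lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def blocked_ports_by_source(entries: List[PfLogEntry]) -> Dict[str, Set[int]]:
    """Destination ports each source hit on blocked TCP/UDP rules: a quick sweep indicator."""
    out: Dict[str, Set[int]] = {}
    for e in entries:
        if e.action == "block" and e.dport is not None:
            out.setdefault(e.src, set()).add(e.dport)
    return out


if __name__ == "__main__":
    parsed = parse_lines(SAMPLE_LOG)
    for e in parsed:
        print(e.proto, e.src, "->", e.dst, e.dport, "DF" if e.dont_fragment else "")
    print(blocked_ports_by_source(parsed))
```

Lines the header matches but whose payload does not fit one of the three shapes are returned as None rather than partially filled in, so a future change to the format shows up as dropped lines instead of silently wrong fields.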

How to use

Download the package, untar it somewhere, run "make" and optionally "make install". That's all - it compiles cleanly at least on my 3.2 and 3.3 systems (x86 and sparc64).

New command line options:

-S          Enable the syslog feature.
-F facility Set the syslog facility. The syslog level is chosen automatically, depending on the message.
-u user     Drop privileges to user after opening the filtering socket. This option has no effect when logging to a file.

Example usage:

# pflogd -S -F local0 -u nobody

Download

Download the current pflogd snapshot

Feedback

Bug reports, discussion, etc.: Sorry, you have to write it!



Last updated Mar 11, 2003