.\" $OpenBSD: pflogd.8,v 1.35 2007/05/31 19:19:47 jmc Exp $
.\"
.\" Copyright (c) 2001 Can Erkin Acar. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd September 9, 2010
.Dt PFLOGD 8
.Os
.Sh NAME
.Nm pflogd
.Nd packet filter logging daemon
.Sh SYNOPSIS
.Nm
.Bk -words
.Op Fl \&Dx
.Op Fl d Ar delay
.Op Fl f Ar filename
.Op Fl i Ar interface
.Op Fl p Ar pidfile
.Op Fl s Ar snaplen
.Op Ar expression
.Ek
.Sh DESCRIPTION
.Nm
is a background daemon which reads packets logged by
.Xr pf 4
to a
.Xr pflog 4
interface, normally
.Pa pflog0 ,
and writes the packets to a logfile (normally
.Pa /var/log/pflog )
in
.Xr tcpdump 1
binary format.
These logs can be reviewed later using the
.Fl r
option of
.Xr tcpdump 1 ,
hopefully offline in case there are bugs in the packet parsing code of
.Xr tcpdump 1 .
.Pp
.Nm
closes and then re-opens the log file when it receives
.Dv SIGHUP ,
permitting
.Xr newsyslog 8
to rotate logfiles automatically.
.Dv SIGALRM
causes
.Nm
to flush the current logfile buffers to the disk, thus making the most
recent logs available.
The buffers are also flushed every
.Ar delay
seconds.
.Pp
If the log file contains data after a restart or a
.Dv SIGHUP ,
new logs are appended to the existing file.
If the existing log file was created with a different snaplen,
.Nm
temporarily uses the old snaplen to keep the log file consistent.
.Pp
.Nm
tries to preserve the integrity of the log file against I/O errors.
Furthermore, integrity of an existing log file is verified before
appending.
If there is an invalid log file or an I/O error, the log file is moved
out of the way and a new one is created.
If a new file cannot be created, logging is suspended until a
.Dv SIGHUP
or a
.Dv SIGALRM
is received.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl D
Debugging mode.
.Nm
does not disassociate from the controlling terminal.
.It Fl d Ar delay
Time in seconds to delay between automatic flushes of the file.
This may be specified with a value between 5 and 3600 seconds.
If not specified, the default is 60 seconds.
.It Fl f Ar filename
Log output filename.
Default is
.Pa /var/log/pflog .
.It Fl i Ar interface
Specifies the
.Xr pflog 4
interface to use.
By default,
.Nm
will use
.Ar pflog0 .
.It Fl p Ar pidfile
Writes a file containing the process ID of the program.
The file name has the form
.Pa /var/run/pidname.pid .
If the option is not given,
.Ar pidfile
defaults to
.Pa pflogd .
.It Fl s Ar snaplen
Analyze at most the first
.Ar snaplen
bytes of data from each packet rather than the default of 116.
The default of 116 is adequate for IP, ICMP, TCP, and UDP headers but may
truncate protocol information for other protocols.
Other file parsers may desire a higher snaplen.
.It Fl x
Check the integrity of an existing log file, and return.
.It Ar expression
Selects which packets will be dumped, using the regular language of
.Xr tcpdump 1 .
.El
.Sh FILES
.Bl -tag -width /var/run/pflogd.pid -compact
.It Pa /var/run/pflogd.pid
Process ID of the currently running
.Nm .
.It Pa /var/log/pflog
Default log file.
.El
.Sh EXAMPLES
Log specific tcp packets to a different log file with a large snaplen
(useful with a log-all rule to dump complete sessions):
.Bd -literal -offset indent
# pflogd -s 1600 -f suspicious.log port 80 and host evilhost
.Ed
.Pp
Log from another
.Xr pflog 4
interface, excluding specific packets:
.Bd -literal -offset indent
# pflogd -i pflog3 -f network3.log "not (tcp and port 23)"
.Ed
.Pp
Display binary logs:
.Bd -literal -offset indent
# tcpdump -n -e -ttt -r /var/log/pflog
.Ed
.Pp
Display the logs in real time (this does not interfere with the
operation of
.Nm ) :
.Bd -literal -offset indent
# tcpdump -n -e -ttt -i pflog0
.Ed
.Pp
Tcpdump has been extended to be able to filter on the pfloghdr
structure defined in
.In net/pf/if_pflog.h .
Tcpdump can restrict the output
to packets logged on a specified interface, a rule number, a reason,
a direction, an IP family or an action.
.Pp
.Bl -tag -width "ruleset authpf " -compact
.It ip
Address family equals IPv4.
.It ip6
Address family equals IPv6.
.It ifname kue0
Interface name equals "kue0".
.It on kue0
Interface name equals "kue0".
.It ruleset authpf
Ruleset name equals "authpf".
.It rulenum 10
Rule number equals 10.
.It reason match
Reason equals match.
Also accepts "bad-offset", "fragment", "bad-timestamp", "short",
"normalize", "memory", "congestion", "ip-option", "proto-cksum",
"state-mismatch", "state-insert", "state-limit", "src-limit",
and "synproxy".
.It action pass
Action equals pass.
Also accepts "block".
.It inbound
The direction was inbound.
.It outbound
The direction was outbound.
.El
.Pp
Display the logs in real time of inbound packets that were blocked on
the wi0 interface:
.Bd -literal -offset indent
# tcpdump -n -e -ttt -i pflog0 inbound and action block and on wi0
.Ed
.Sh SEE ALSO
.Xr tcpdump 1 ,
.Xr pcap 3 ,
.Xr pf 4 ,
.Xr pflog 4 ,
.Xr pf.conf 5 ,
.Xr newsyslog 8
.Sh HISTORY
The
.Nm
command appeared in
.Ox 3.0 .
.Sh AUTHORS
.Nm
was written by
.An Can Erkin Acar Aq Mt canacar@openbsd.org .
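The integrity check that the DESCRIPTION and the -x option describe, as an added example that is not pflogd's own code: it parses the tcpdump (pcap) global header pflogd writes, recovers the snaplen that any later writer must keep using, and walks the records to catch a file that ends mid-record after an I/O error. It assumes only the public pcap file layout and the libpcap link type value DLT_PFLOG (117); the sample file is constructed inline.

```python
"""Structural check of a pflog file in tcpdump (pcap) format.  Added illustration,
not pflogd's own code: validates an existing log the way the DESCRIPTION and
-x describe in outline, and recovers the snaplen it was written with."""
import struct

PCAP_MAGIC = 0xA1B2C3D4   # pcap magic, written in the host's byte order
DLT_PFLOG = 117           # libpcap link type for pflog(4) captures
GLOBAL_FMT = "IHHiIII"    # magic, ver major/minor, thiszone, sigfigs, snaplen, linktype
REC_FMT = "IIII"          # ts_sec, ts_usec, caplen (bytes saved), len (on the wire)


def check_pflog(data: bytes) -> dict:
    """Return {'ok', 'snaplen', 'records', 'error'}: ok is False for a non-pflog
    header, a record longer than snaplen, or a file that ends mid-record."""
    res = {"ok": False, "snaplen": None, "records": 0, "error": None}
    # Byte order is whatever the writing host used; detect it from the magic.
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None or len(data) < struct.calcsize("<" + GLOBAL_FMT):
        res["error"] = "missing or unrecognised pcap magic"
        return res
    _m, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack_from(order + GLOBAL_FMT, data)
    if (vmaj, vmin) != (2, 4) or linktype != DLT_PFLOG:
        res["error"] = "pcap %d.%d, link type %d: not a pflog file" % (vmaj, vmin, linktype)
        return res
    res["snaplen"] = snaplen  # a writer appending to this file must keep using this value
    off, rec_size = struct.calcsize("<" + GLOBAL_FMT), struct.calcsize("<" + REC_FMT)
    while off < len(data):
        if len(data) - off < rec_size:
            res["error"] = "truncated record header at offset %d" % off
            return res
        _sec, _usec, caplen, _wirelen = struct.unpack_from(order + REC_FMT, data, off)
        if caplen > snaplen:
            res["error"] = "record %d: caplen %d exceeds snaplen %d" % (res["records"], caplen, snaplen)
            return res
        if off + rec_size + caplen > len(data):
            res["error"] = "record %d: payload cut short at end of file" % res["records"]
            return res
        off += rec_size + caplen
        res["records"] += 1
    res["ok"] = True
    return res


def build_sample(snaplen: int, payloads: list) -> bytes:
    """Construct a little-endian pflog image, one record per payload (sample data, not a capture)."""
    out = struct.pack("<" + GLOBAL_FMT, PCAP_MAGIC, 2, 4, 0, 0, snaplen, DLT_PFLOG)
    for i, p in enumerate(payloads):
        out += struct.pack("<" + REC_FMT, 1_600_000_000 + i, 0, len(p), len(p)) + p
    return out
```

A clean file reports ok with its snaplen; a file cut short mid-record reports the count of complete records that precede the damage, which is the point at which a writer preserving integrity would stop trusting the existing data.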