Managing Advanced PF Logs
Here is a short summary of what this script does:
- Section 1: Imports standard Perl modules used for non-blocking I/O, and defines the $rdelay variable, which sets the delay between two consecutive pflog archiving operations; the delay is measured in seconds. One hour is 3600 seconds; be careful not to set this delay too low (below 15 seconds), because the system may not be able to archive logs in such a short time. Also, avoid setting this variable to 0, as that switches archiving off.
- Section 2: Checks if the PID file exists and, if it does, exits. You can check if readpflog is already running with ps -auxw | grep readpflog; if it is running, you will need to kill it. If it isn't, delete /home/scooter/readpf.pid and run readpflog again.
- Section 3: Opens the /home/scooter/readpflog.log file to store messages generated by the script itself. The log file is located in the /home/scooter directory, but you can change that to another location.
- Section 4: Defines the logme() function, which writes properly formatted logs to /home/scooter/readpflog.log.
- Section 5: Defines the loganddie() function, which logs fatal errors, closes files, and removes the /home/scooter/sendpflog.pid PID file.
- Section 6: Defines the rotatelogs() function, which closes and reopens /home/scooter/readpflog.log after receiving the SIGHUP signal from newsyslog.
- Section 7: Lets the world know the script is getting ready for work.
- Section 8: Writes the PID number of the current process to /home/scooter/readpflog.pid. This file will be used by newsyslog to send the SIGHUP signal.
- Section 9: Defines the opensource() function, which opens /home/scooter/pflog for reading.
- Section 10: Defines the opentarget() function, which opens /home/scooter/pflog-current for writing; this file is rotated and archived at regular intervals, defined in $rdelay.
- Section 11: Defines the rotatetarget() function, which rotates /home/scooter/pflog-current; every new archive is compressed with gzip and has a name that begins with pflog- and ends with a date and time string, e.g. "pflog-2002-07-30-23-53-03.gz".
- Section 12: Defines the openpipe() function, which opens the /home/scooter/pflog-pipe fifo pipe for writing; this pipe can be read by tcpdump or other pflog analysis software.
- Section 13: Configures signal handlers to catch the most important signals.
- Section 14: Opens input and output files.
- Section 15: Enters the main loop, reads /home/scooter/pflog, and sends it to the dump file (/home/scooter/pflog-current) and the fifo pipe (/home/scooter/pflog-pipe).
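As an added illustration (not the column's readpflog script itself), here are the rotation step of Section 11 and the fifo opening of Section 12 as stand-alone Perl functions; the PFLOG_DIR override, the collision check and the SIGPIPE handling are my assumptions, not something the article specifies.

```perl
#!/usr/bin/perl
# Added illustration, not the readpflog script from the column: the archive
# rotation of Section 11 and the fifo opening of Section 12 as stand-alone
# functions. Paths follow the article; PFLOG_DIR lets you test elsewhere.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_NONBLOCK);
use POSIX qw(strftime);
use File::Copy qw(move);

my $dir     = $ENV{PFLOG_DIR} || '/home/scooter';   # assumed layout
my $current = "$dir/pflog-current";
my $pipe    = "$dir/pflog-pipe";

# A write to the fifo after tcpdump has gone away would otherwise kill the
# script with SIGPIPE; ignoring it turns that into an EPIPE error on print.
$SIG{PIPE} = 'IGNORE';

# Archive name of the form "pflog-YYYY-MM-DD-HH-MM-SS", e.g. pflog-2002-07-30-23-53-03.
sub archive_name {
    my ($epoch) = @_;
    return "$dir/pflog-" . strftime('%Y-%m-%d-%H-%M-%S', localtime($epoch));
}

# Close pflog-current, rename it to a timestamped archive, compress it with
# gzip and reopen an empty pflog-current. Returns (new handle, archive path).
sub rotatetarget {
    my ($fh) = @_;
    close($fh) or die "close $current: $!";
    my $archive = archive_name(time);
    # Two rotations in the same second would collide; refuse to overwrite.
    die "$archive.gz already exists" if -e "$archive.gz";
    move($current, $archive) or die "rename $current: $!";
    # gzip replaces $archive with $archive.gz; on failure the data stays uncompressed.
    system('gzip', '-9', $archive) == 0 or die "gzip $archive failed: $?";
    open(my $new, '>>', $current) or die "open $current: $!";
    return ($new, "$archive.gz");
}

# Open the fifo for writing without blocking. With no reader attached the
# open fails with ENXIO; return undef so the caller keeps archiving and retries
# on a later pass instead of hanging until someone runs tcpdump on the pipe.
sub openpipe {
    my $fh;
    return sysopen($fh, $pipe, O_WRONLY | O_NONBLOCK) ? $fh : undef;
}

# In the main loop, once $rdelay seconds have passed since the last rotation:
#   ($out, my $gz) = rotatetarget($out);
```

Because the fifo is opened non-blocking, a missing reader never stalls archiving; check the return value of each print to the pipe and call openpipe() again when it fails.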
Log in as the user scooter (or whatever username you used for the user receiving logs), copy the script, and save it as readpflog. Now we need to make readpflog executable, and make it owned by scooter and a member of the scooter group with these commands (you need to be logged in as scooter):
# chmod 0700 readpflog
# chown scooter readpflog
# chgrp scooter readpflog
The user and the group need to be created on the monitoring station, with minimal privileges.
Next, we need to create the /home/scooter/pflog-pipe fifo pipe:
$ mkfifo -m 0600 pflog-pipe
In the last step, we need to add the following line to /etc/newsyslog.conf:
/home/scooter/readpflog.log 600 3 250 * ZB /home/scooter/readpflog.pid
(Note that newsyslog will only rotate readpflog.log files, not pflog-* files.)
You might want to set $rdelay to a lower value; say, 60 seconds. If everything is working fine, you should see a list of archives similar to this one:
-rw-r--r-- 1 scooter scooter 212558 Jul 30 23:50 pflog-2002-07-30-23-50-54.gz
-rw-r--r-- 1 scooter scooter 46 Jul 30 23:51 pflog-2002-07-30-23-51-14.gz
-rw-r--r-- 1 scooter scooter 46 Jul 30 23:51 pflog-2002-07-30-23-51-24.gz
-rw-r--r-- 1 scooter scooter 46 Jul 30 23:51 pflog-2002-07-30-23-52-03.gz
-rw-r--r-- 1 scooter scooter 46 Jul 30 23:52 pflog-2002-07-30-23-52-18.gz
-rw-r--r-- 1 scooter scooter 46 Jul 30 23:52 pflog-2002-07-30-23-52-33.gz
-rw-r--r-- 1 scooter scooter 46 Jul 30 23:52 pflog-2002-07-30-23-52-48.gz
-rw-r--r-- 1 scooter scooter 4510 Jul 30 23:52 pflog-2002-07-30-23-53-03.gz
prw-r--r-- 1 scooter scooter 0 Jul 30 23:52 pflog-pipe
Now change $rdelay to a higher value, and have fun. You will most probably want to write another script, or modify readpflog (you're free to make any changes you like within the scope of the terms of the XFree86 license) to write archives to tape, or other external storage devices.
As before, you can find the listing of the script from this issue in the OpenBSD Administrator Toolbox.
Until next time!
Jacek Artymiak started his adventure with computers in 1986 with Sinclair ZX Spectrum. He's been using various commercial and Open Source Unix systems since 1991. Today, Jacek runs devGuide.net, writes and teaches about Open Source software and security, and tries to make things happen.
