ipfw.log file

[jbc]

Trying my hand at configuring ipfw for the first time. Very cool. But the logging is...umm...odd.

Have a whole truckload of empty archived ipfw.log files in /var/log/, but ipfw wants to write to system.log. After rummaging through the MOSXH forums on the subject, I've pretty much decided there's no way in hell to get ipfw to write to ipfw.log without writing other kernel messages to the file as well. Seems to need something around kernel.alert level in syslog.conf.

So what's the story with this? Why is the system making ipfw.log files if nothing is ever written to them? Has anyone figured out how to actually use this file as an ipfw log?

Brad

[jbc]

Curiouser and curiouser. Found a method for routing ipfw messages to the ipfw.log file on a FreeBSD site from the *last* page of a Google search. Odd thing is, this method doesn't seem to be documented in the syslog.conf manpage, so I have no idea what it's doing or why it works.

Code:

# Add these two lines to the end of your syslog.conf file

!ipfw
*.*				/var/log/ipfw.log

This causes the ipfw output to be written to ipfw.log, but it also still appears in system.log.

Does anyone know what the syntax of these lines means or how I can eliminate the entries from system.log in the process of writing the ipfw.log?

[jbc]

From the FreeBSD syslog.conf manpage:

Quote: Each block of lines is separated from the previous block by a program or hostname specification. A block will only log messages corresponding to the most recent program and hostname specifications given. Thus, with a block which selects `ppp' as the program, directly followed by a block that selects messages from the hostname `dialhost', the second block will only log messages from the ppp(8) program on dialhost. A program specification is a line beginning with `#!prog' or `!prog' (the former is for compatibility with the previous syslogd, if one is sharing syslog.conf files, for example) and the following blocks will be associ- ated with calls to syslog(3) from that specific program. A program spec- ification for `foo' will also match any message logged by the kernel with the prefix `foo: '. The `#!+prog' or `!+prog' specification works just like the previous one, and the `#!-prog' or `!-prog' specification will match any message but the ones from that program. Multiple programs may be listed, separated by commas: `!prog1,prog2' matches messages from either program, while `!-prog1,prog2' matches all messages but those from `prog1' or `prog2'. A hostname specification of the form `#+hostname' or `+hostname' means the following blocks will be applied to messages received from the speci- fied hostname. Alternatively, the hostname specification `#-hostname' or `-hostname' causes the following blocks to be applied to messages from any host but the one specified. If the hostname is given as `@', the local hostname will be used. As for program specifications, multiple comma-seprarated values may be specified for hostname specifications. A program or hostname specification may be reset by giving the program or hostname as `*'.

I'd guess that OS X supports this, but somehow it was dropped from the manpage. Off to check it out...

[jbc]

Yessirree, Bob, another candidate for that Missing Manpages book.

To re-route ipfw messages excusively to ipfw.log:

Code:

#Add at beginning of sysconf.log file
#Excludes ipfw entries from other logs
!-ipfw

#Add at end of sysconf.log file
#Directs ipfw entries to ipfw.log
!ipfw
*.*                             /var/log/ipfw.log

Why do I always feel like an idiot when I answer my own posts? Oh, well...live and learn.

Brad