BSD DevCenter


Securing Small Networks with OpenBSD, Part 5

by Jacek Artymiak
06/20/2002

Welcome back.

Today we are going to continue our adventures with pf logs. Last time I wrote about how to turn on logging and how to read the log files with tcpdump. I also mentioned how to filter packets using tcpdump expressions.

So, if all went well, you should now have a steady flow of packet data to plow through. OK, but how do you manage that flood of information? The answer is automation. Watching pf logs can be exciting for the first few hours, but it soon becomes a boring activity best left to the machines. Before we can automate anything, though, we need to know how OpenBSD manages pf logs.

The Secret Life of Logs

The pf packet logging mechanism uses the standard system logger daemon syslogd to store packet information in /var/log/pflog. The /var/log directory is the place where the system stores most of the important system logs: authlog, daemon, maillog, messages, secure, and wtmp. One important group of logs missing from that directory is HTTP server logs, which are usually stored somewhere else in the directory tree.

Just like maillog or messages, pflog is rotated to make sure that the logs don't bring the system to its knees by filling the filesystem. Log rotation is the job of the newsyslog command, which cron runs every hour.

You can check this with crontab -l -u root, which should display the crontab entry for the user root (you need to be logged in as root, or the system won't let you do this). Somewhere at the top of the list you should see these lines:
# rotate log files every hour, if necessary
0 * * * * /usr/bin/newsyslog

When newsyslog runs, it checks the size of pflog and, if necessary, renames it, creates an empty pflog, and compresses the old pflog with the gzip command. The name of the archived log begins with the original log filename and ends with the .0.gz suffix. So, pflog becomes pflog.0.gz and syslogd can begin filling up pflog again. The whole cycle repeats every hour, and when newsyslog decides that pflog is ready to be archived again, it renames pflog.0.gz to pflog.1.gz and repeats the steps described earlier.


At any given point in time, your firewall will store up to four pflog archives. When a new archive is created, the archive with the highest number (pflog.3.gz) is overwritten by the next younger archive (pflog.2.gz). You can check the times when they were created in the following way:

# ls -l pflog*

-rw------- 1 root wheel 268582 May 27 11:37 pflog
-rw------- 1 root wheel 1993502 May 27 10:59 pflog.0.gz
-rw------- 1 root wheel 1220902 May 27 10:00 pflog.1.gz
-rw------- 1 root wheel 1625010 May 27 08:58 pflog.2.gz
-rw------- 1 root wheel 1334018 May 27 08:00 pflog.3.gz

On firewalls servicing busy networks, the best we can hope for is a four-hour snapshot of the traffic. If we want to extend that time, we have two choices: either modify the newsyslog entry in crontab, or edit the /etc/newsyslog.conf entry for pflog.
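To make the rotation cycle described above concrete, here is an added example (my own script, not part of the article and not OpenBSD's newsyslog) that reproduces it for one log file in plain POSIX sh: archives are shifted up by one, the highest-numbered one is dropped, the current log becomes NAME.0.gz, and an empty log is created for the logger to continue writing. Unlike the real newsyslog it rotates unconditionally and reads nothing from /etc/newsyslog.conf; the directory and log name are assumptions, and the demo at the bottom uses a throwaway temp directory.

```shell
#!/bin/sh
# rotate_log DIR NAME COUNT
#   DIR/NAME             -> DIR/NAME.0.gz  (compressed with gzip)
#   DIR/NAME.0.gz        -> DIR/NAME.1.gz  ... and so on
#   DIR/NAME.(COUNT-1).gz is overwritten and lost, like pflog.3.gz.
# A new, empty DIR/NAME (mode 0600, as in the ls -l listing) is left behind.
rotate_log() {
    dir=$1; name=$2; count=$3
    [ -f "$dir/$name" ] || return 1     # nothing to rotate
    # Shift archives up by one, oldest first, so nothing is clobbered early.
    i=$((count - 1))
    while [ "$i" -gt 0 ]; do
        prev=$((i - 1))
        if [ -f "$dir/$name.$prev.gz" ]; then
            mv "$dir/$name.$prev.gz" "$dir/$name.$i.gz"
        fi
        i=$prev
    done
    # The current log becomes archive 0 and is compressed in place.
    mv "$dir/$name" "$dir/$name.0"
    gzip -f "$dir/$name.0"
    : > "$dir/$name"                     # fresh, empty log for the logger
    chmod 600 "$dir/$name"
}

# count_archives DIR NAME: number of NAME.N.gz archives currently kept.
count_archives() {
    n=0
    for f in "$1"/"$2".*.gz; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Constructed demo: five rotations of a throwaway log in a temp directory.
# After the fifth pass only four archives survive, pflog.0.gz being newest.
demo_dir=$(mktemp -d)
i=0
while [ "$i" -lt 5 ]; do
    echo "sample pf log line $i" > "$demo_dir/pflog"
    rotate_log "$demo_dir" pflog 4
    i=$((i + 1))
done
ls -l "$demo_dir"      # pflog plus pflog.0.gz .. pflog.3.gz
rm -rf "$demo_dir"
```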
