Diffstat (limited to 'contrib/pf/pflogd/pflogd.8')
-rw-r--r--  contrib/pf/pflogd/pflogd.8  43
1 files changed, 28 insertions, 15 deletions
diff --git a/contrib/pf/pflogd/pflogd.8 b/contrib/pf/pflogd/pflogd.8
index ab63259..ac8fe78 100644
--- a/contrib/pf/pflogd/pflogd.8
+++ b/contrib/pf/pflogd/pflogd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pflogd.8,v 1.22 2003/06/03 13:16:08 jmc Exp $
+.\" $OpenBSD: pflogd.8,v 1.24 2004/01/16 10:45:49 jmc Exp $
.\"
.\" Copyright (c) 2001 Can Erkin Acar. All rights reserved.
.\"
@@ -32,7 +32,7 @@
.Nd packet filter logging daemon
.Sh SYNOPSIS
.Nm pflogd
-.Op Fl D
+.Op Fl Dx
.Op Fl d Ar delay
.Op Fl f Ar filename
.Op Fl s Ar snaplen
@@ -57,11 +57,11 @@ hopefully offline in case there are bugs in the packet parsing code of
.Pp
.Nm
closes and then re-opens the log file when it receives
-.Va SIGHUP ,
+.Dv SIGHUP ,
permitting
.Xr newsyslog 8
to rotate logfiles automatically.
-.Va SIGALRM
+.Dv SIGALRM
causes
.Nm
to flush the current logfile buffers to the disk, thus making the most
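Review bot: Correct macro choice in both changed lines: `SIGHUP` and `SIGALRM` are defined constants, so `.Dv` is the right mdoc macro and `.Va` (variables) was a misuse; the same `.Va` to `.Dv` fix is needed wherever else the page names a signal, and the later hunk does apply it to the remaining `SIGHUP`.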
@@ -71,22 +71,32 @@ The buffers are also flushed every
seconds.
.Pp
If the log file contains data after a restart or a
-.Va SIGHUP ,
+.Dv SIGHUP ,
new logs are appended to the existing file.
If the existing log file was created with a different snaplen,
.Nm
temporarily uses the old snaplen to keep the log file consistent.
.Pp
+.Nm
+tries to preserve the integrity of the log file against I/O errors.
+Furthermore, integrity of an existing log file is verified before
+appending.
+If there is an invalid log file or an I/O error, logging is suspended until a
+.Dv SIGHUP
+or a
+.Dv SIGALRM
+is received.
+.Pp
The options are as follows:
.Bl -tag -width Ds
-.It Fl d Ar delay
-Time in seconds to delay between automatic flushes of the file.
-This may be specified with a value between 5 and 3600 seconds.
-If not specified, the default is 60 seconds.
.It Fl D
Debugging mode.
.Nm
does not disassociate from the controlling terminal.
+.It Fl d Ar delay
+Time in seconds to delay between automatic flushes of the file.
+This may be specified with a value between 5 and 3600 seconds.
+If not specified, the default is 60 seconds.
.It Fl f Ar filename
Log output filename.
Default is
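Review bot: The new paragraph ("tries to preserve the integrity of the log file against I/O errors ... logging is suspended until a SIGHUP or a SIGALRM is received") documents a silent failure mode without saying how an operator would notice it: while logging is suspended, packets matching log rules are not recorded, so the text should state where the invalid-file or I/O error is reported (e.g. the log facility the daemon uses) so that it can be monitored, and ideally what "integrity" covers (the earlier sentence about snaplen suggests the file header is part of it). Moving `.It Fl D` ahead of `.It Fl d` is a good style fix, since mdoc option lists conventionally sort uppercase before lowercase as the SYNOPSIS does; the moved text is otherwise unchanged.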
@@ -98,6 +108,8 @@ bytes of data from each packet rather than the default of 96.
The default of 96 is adequate for IP, ICMP, TCP, and UDP headers but may
truncate protocol information for other protocols.
Other file parsers may desire a higher snaplen.
+.It Fl x
+Check the integrity of an existing log file, and return.
.It Ar expression
Selects which packets will be dumped, using the regular language of
.Xr tcpdump 8 .
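Review bot: The description of the new flag, "Check the integrity of an existing log file, and return.", is incomplete for an option that exists to be scripted: it should say which file is checked (presumably the one named by `-f`, or the default) and what the exit status means on a valid versus an invalid file, since "return" tells the reader nothing about how the result is reported. Consider also cross-referencing the new paragraph in DESCRIPTION that explains when the integrity check runs automatically.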
@@ -106,13 +118,13 @@ Selects which packets will be dumped, using the regular language of
.Bl -tag -width /var/run/pflogd.pid -compact
.It Pa /var/run/pflogd.pid
Process ID of the currently running
-.Nm pflogd .
+.Nm .
.It Pa /var/log/pflog
Default log file.
.El
.Sh EXAMPLES
Log specific tcp packets to a different log file with a large snaplen
-(useful with a log-all rule to dump complete sessions)
+(useful with a log-all rule to dump complete sessions):
.Bd -literal -offset indent
# pflogd -s 1600 -f suspicious.log port 80 and host evilhost
.Ed
@@ -123,7 +135,8 @@ Display binary logs:
.Ed
.Pp
Display the logs in real time (this does not interfere with the
-operation of pflogd):
+operation of
+.Nm ) :
.Bd -literal -offset indent
# tcpdump -n -e -ttt -i pflog0
.Ed
@@ -133,7 +146,7 @@ structure defined in
.Aq Ar net/if_pflog.h .
Tcpdump can restrict the output
to packets logged on a specified interface, a rule number, a reason,
-a direction, an ip family or an action.
+a direction, an IP family or an action.
.Pp
.Bl -tag -width "reason match " -compact
.It ip
@@ -141,9 +154,9 @@ Address family equals IPv4.
.It ip6
Address family equals IPv6.
.It ifname kue0
-Interface name equals "kue0"
+Interface name equals "kue0".
.It on kue0
-Interface name equals "kue0"
+Interface name equals "kue0".
.It rulenum 10
Rule number equals 10.
.It reason match