|PFLOGD(8)||System Manager's Manual||PFLOGD(8)|
pflogdis a background daemon which reads packets logged by pf(4) to a pflog(4) interface, normally pflog0, and writes the packets to a logfile (normally /var/log/pflog) in tcpdump(8) binary format. These logs can be reviewed later using the
-roption of tcpdump(8), hopefully offline in case there are bugs in the packet parsing code of tcpdump(8).
pflogdcloses and then re-opens the log file when it receives
SIGHUP, permitting newsyslog(8) to rotate logfiles automatically.
pflogdto flush the current logfile buffers to the disk, thus making the most recent logs available. The buffers are also flushed every delay seconds. If the log file contains data after a restart or a
SIGHUP, new logs are appended to the existing file. If the existing log file was created with a different snaplen,
pflogdtemporarily uses the old snaplen to keep the log file consistent.
pflogdtries to preserve the integrity of the log file against I/O errors. Furthermore, integrity of an existing log file is verified before appending. If there is an invalid log file or an I/O error, the log file is moved out of the way and a new one is created. If a new file cannot be created, logging is suspended until a
SIGALRMis received. The options are as follows:
pflogddoes not disassociate from the controlling terminal.
pflogdwill use pflog0.
<net/if_pflog.h>. It can restrict the output to packets logged on a specified interface, a rule number, a reason, a direction, an IP family or an action.
# pflogd -s 1600 -f suspicious.log port 80 and host evilhost
# pflogd -i pflog3 -f network3.log "not (tcp and port 23)"
# tcpdump -n -e -ttt -r /var/log/pflog
# tcpdump -n -e -ttt -i pflog0
# tcpdump -n -e -ttt -i pflog0 inbound and action block and on wi0
pflogdcommand appeared in OpenBSD 3.0.
pflogdwas written by Can Erkin Acar <email@example.com>.
|January 16, 2016||OpenBSD-6.1|