Working With Log Files for IP Filter

Table 5-4 Working With IP Filter Log Files (Task Map)

Task	For Instructions
Create a separate IP Filter log file.	How to Set Up a Log File for IP Filter
View state, NAT, and normal log files.	How to View IP Filter Log Files
Flush the packet log buffer.	How to Flush the Packet Log Buffer
Save logged packets to a file for later reference.	How to Save Logged Packets to a File

How to Set Up a Log File for IP Filter

By default, all log information for IP Filter is recorded in the syslogd file. It is good practice to create a log file to record IP Filter traffic information separately from other data that might be logged in the default log file.

Before You Begin

You must assume the root role.

Determine which system-log service instance is online.

# svcs system-log
STATE          STIME    FMRI
disabled       13:11:55 svc:/system/system-log:rsyslog
online         13:13:27 svc:/system/system-log:default

Note - If the rsyslog service instance is online, modify the rsyslog.conf file.

Edit the /etc/syslog.conf file by adding the following two lines:
```
# Save IP Filter log output to its own file 
local0.debug             /var/log/log-name
```
Note - In your entry, use the Tab key, not the Spacebar, to separate local0.debug from /var/log/log-name. For more information, see the syslog.conf(4) and syslogd(1M) man pages.
Create the new log file.
```
# touch /var/log/log-name
```
Refresh the configuration information for the system-log service.
```
# svcadm refresh system-log:default
```
Note - Refresh the system-log:rsyslog service instance if the rsyslog service is online.

Example 5-16 Creating an IP Filter Log

The following example shows how to create ipmon.log to archive IP Filter information.

In /etc/syslog.conf:

## Save IP Filter log output to its own file 
local0.debug<Tab>/var/log/ipmon.log

At the command line:

# touch /var/log/ipmon.log
# svcadm restart system-log

How to View IP Filter Log Files

Before You Begin

You have completed How to Set Up a Log File for IP Filter.

You must become an administrator who is assigned the IP Filter Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

View the state, NAT, or normal log files.
To view a log file, type the following command, using the appropriate option:
```
# ipmon -o [S|N|I] filename
```
S

Displays the state log file.

N

Displays the NAT log file.

I

Displays the normal IP log file.
- To view all state, NAT, and normal log files, use all the options:
```
# ipmon -o SNI filename
```
- After you stop the ipmon daemon, you can use the ipmon command to display state, NAT, and IP filter log files:
```
# pkill ipmon
# ipmon -a filename
```
  Note - Do not use the ipmon -a syntax if the ipmon daemon is still running. Normally, the daemon is automatically started during system boot. Issuing the ipmon -a command also opens another copy of ipmon. In such a case, both copies read the same log information, and only one gets a particular log message.
For more information about viewing log files, see the ipmon(1M) man page.

Example 5-17 Viewing IP Filter Log Files

The following example shows the output from /var/ipmon.log.

# ipmon -o SNI /var/ipmon.log
02/09/2012 15:27:20.606626 net0 @0:1 p 129.146.157.149 -> 
129.146.157.145 PR icmp len 20 84 icmp echo/0 IN

# pkill ipmon
# ipmon -aD /var/ipmon.log
02/09/2012 15:27:20.606626 net0 @0:1 p 129.146.157.149 -> 
129.146.157.145 PR icmp len 20 84 icmp echo/0 IN

How to Flush the Packet Log Buffer

This procedure clears the buffer and displays the output on the screen.

Before You Begin

Flush the packet log buffer.
```
# ipmon -F
```

Example 5-18 Flushing the Packet Log Buffer

The following example shows the output when a log file is removed. The system provides a report even when there is nothing stored in the log file, as in this example.

# ipmon -F
0 bytes flushed from log buffer
0 bytes flushed from log buffer
0 bytes flushed from log buffer

How to Save Logged Packets to a File

You can save packets to a file during debugging, or when you want to audit the traffic manually.

Before You Begin

You must assume the root role.

Save the logged packets to a file.
```
# cat /dev/ipl > filename
```
Continue logging packets to the filename file until you interrupt the procedure by typing Control-C to get the command line prompt back.

Example 5-19 Saving Logged Packets to a File

The following example shows the result when logged packets are saved to a file.

# cat /dev/ipl > /tmp/logfile
^C#

# ipmon -f /tmp/logfile
02/09/2012 15:30:28.708294 net0 @0:1 p 129.146.157.149,33923 -> 
  129.146.157.145,23 PR tcp len 20 52 -S IN
02/09/2012 15:30:28.708708 net0 @0:1 p 129.146.157.149,33923 -> 
  129.146.157.145,23 PR tcp len 20 40 -A IN
02/09/2012 15:30:28.792611 net0 @0:1 p 129.146.157.149,33923 -> 
  129.146.157.145,23 PR tcp len 20 70 -AP IN
02/09/2012 15:30:28.872000 net0 @0:1 p 129.146.157.149,33923 -> 
 129.146.157.145,23 PR tcp len 20 40 -A IN
02/09/2012 15:30:28.872142 net0 @0:1 p 129.146.157.149,33923 -> 
  129.146.157.145,23 PR tcp len 20 43 -AP IN
02/09/2012 15:30:28.872808 net0 @0:1 p 129.146.157.149,33923 -> 
  129.146.157.145,23 PR tcp len 20 40 -A IN
02/09/2012 15:30:28.872951 net0 @0:1 p 129.146.157.149,33923 -> 
  129.146.157.145,23 PR tcp len 20 47 -AP IN
02/09/2012 15:30:28.926792 net0 @0:1 p 129.146.157.149,33923 -> 
  129.146.157.145,23 PR tcp len 20 40 -A IN 
.
.
(output truncated)

Skip Navigation Links
Exit Print View
	Securing the Network in Oracle Solaris 11.1 Oracle Solaris 11.1 Information Library