Working With Log Files for Solaris IP Filter
Table 26-5 Working With Solaris IP Filter Log Files (Task Map)
How to Set Up a Log File for Solaris IP Filter
By default, all log information for Solaris IP Filter is recorded in the
default syslogd log file. You should set up a separate log file so that Solaris IP
Filter traffic information is kept apart from the other data that might be logged in the
default log file. Perform the following steps.
- Assume a role that includes the IP Filter Management rights profile, or become
superuser.
You can assign the IP Filter Management rights profile to a role that
you create. To create the role and assign the role to a user,
see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
- Edit the /etc/syslog.conf file by adding the following two lines:
# Save IPFilter log output to its own file
local0.debug /var/log/log-name
Note - On the second line, make sure to use the Tab key, not
the Spacebar, to separate local0.debug from /var/log/log-name.
- Create the new log file.
# touch /var/log/log-name
- Restart the system-log service.
# svcadm restart system-log
Example 26-20 Creating a Solaris IP Filter Log
The following example shows how to create ipmon.log to archive IP filter information.
In /etc/syslog.conf:
# Save IPFilter log output to its own file
local0.debug /var/log/ipmon.log
At the command line:
# touch /var/log/ipmon.log
# svcadm restart system-log
How to View Solaris IP Filter Log Files
Before You Begin
You should create a separate log file to record Solaris IP Filter
data. Refer to How to Set Up a Log File for Solaris IP Filter.
- Assume a role that includes the IP Filter Management rights profile, or become
superuser.
You can assign the IP Filter Management rights profile to a role that
you create. To create the role and assign the role to a user,
see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
- View the state, NAT, or normal log files. To view a log
file, type the following command, using the appropriate option:
# ipmon -o [S|N|I] filename
- S
Displays the state log file.
- N
Displays the NAT log file.
- I
Displays the normal IP log file.
To view all state, NAT, and normal log files, use all the
options:
# ipmon -o SNI filename
- Provided that you have manually stopped the ipmon daemon first, you can also
use the following command to display state, NAT, and Solaris IP filter log
files:
# ipmon -a filename
Note - Do not use the ipmon -a syntax if the ipmon daemon is still running.
Normally, the daemon is automatically started during system boot. Issuing the ipmon -a command
also opens another copy of ipmon. In such a case, both copies read
the same log information, and only one gets a particular log message.
For more information about viewing log files, see the ipmon(1M) man page.
Example 26-21 Viewing Solaris IP Filter Log Files
The following example shows the output from /var/ipmon.log.
# ipmon -o SNI /var/ipmon.log
02/09/2004 15:27:20.606626 hme0 @0:1 p 129.146.157.149 ->
129.146.157.145 PR icmp len 20 84 icmp echo/0 IN
or
# pkill ipmon
# ipmon -aD /var/ipmon.log
02/09/2004 15:27:20.606626 hme0 @0:1 p 129.146.157.149 ->
129.146.157.145 PR icmp len 20 84 icmp echo/0 IN
How to Flush the Packet Log File
- Assume a role that includes the IP Filter Management rights profile, or become
superuser.
You can assign the IP Filter Management rights profile to a role that
you create. To create the role and assign the role to a user,
see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
- Flush the packet log buffer.
# ipmon -F
Example 26-22 Flushing the Packet Log File
The following example shows the output when the packet log buffer is flushed.
The system provides a report even when there is nothing stored in the
log buffer, as in this example.
# ipmon -F
0 bytes flushed from log buffer
0 bytes flushed from log buffer
0 bytes flushed from log buffer
How to Save Logged Packets to a File
- Assume a role that includes the IP Filter Management rights profile, or become
superuser.
You can assign the IP Filter Management rights profile to a role that
you create. To create the role and assign the role to a user,
see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
- Save the logged packets to a file.
# cat /dev/ipl > filename
Continue logging packets to the filename file until you interrupt the procedure by
typing Control-C to get the command line prompt back.
Example 26-23 Saving Logged Packets to a File
The following example shows the result when logged packets are saved to a
file.
# cat /dev/ipl > /tmp/logfile
^C#
# ipmon -f /tmp/logfile
02/09/2004 15:30:28.708294 hme0 @0:1 p 129.146.157.149,33923 ->
129.146.157.145,23 PR tcp len 20 52 -S IN
02/09/2004 15:30:28.708708 hme0 @0:1 p 129.146.157.149,33923 ->
129.146.157.145,23 PR tcp len 20 40 -A IN
02/09/2004 15:30:28.792611 hme0 @0:1 p 129.146.157.149,33923 ->
129.146.157.145,23 PR tcp len 20 70 -AP IN
02/09/2004 15:30:28.872000 hme0 @0:1 p 129.146.157.149,33923 ->
129.146.157.145,23 PR tcp len 20 40 -A IN
02/09/2004 15:30:28.872142 hme0 @0:1 p 129.146.157.149,33923 ->
129.146.157.145,23 PR tcp len 20 43 -AP IN
02/09/2004 15:30:28.872808 hme0 @0:1 p 129.146.157.149,33923 ->
129.146.157.145,23 PR tcp len 20 40 -A IN
02/09/2004 15:30:28.872951 hme0 @0:1 p 129.146.157.149,33923 ->
129.146.157.145,23 PR tcp len 20 47 -AP IN
02/09/2004 15:30:28.926792 hme0 @0:1 p 129.146.157.149,33923 ->
129.146.157.145,23 PR tcp len 20 40 -A IN
.
.
(output truncated)
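The ipmon text lines shown in the examples above have a fixed field layout (date, time, interface, @group:rule, action, source, destination, protocol, lengths, flags, direction). The following parser and summary is an added example, not part of the Solaris documentation or the ipmon tool: it reads lines such as those produced by ipmon -o SNI or ipmon -f and counts packets per rule and action and blocked packets per source address. It assumes the action codes p (pass) and b (block), and the sample log below is constructed for illustration.

```python
import re
from collections import Counter

# One ipmon(1M) text line: date time iface @group:rule action src[,port] ->
# dst[,port] PR proto len hdrlen pktlen [flags or icmp info] IN|OUT
IPMON_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S+) (?P<src>[\d.]+)(?:,(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?:,(?P<dport>\d+))? PR (?P<proto>\S+) "
    r"len (?P<hlen>\d+) (?P<plen>\d+)(?: (?P<extra>.*?))? (?P<dir>IN|OUT)$"
)

# Constructed sample lines in the ipmon text format (not real captures).
SAMPLE_LOG = """\
02/09/2004 15:27:20.606626 hme0 @0:1 p 129.146.157.149 -> 129.146.157.145 PR icmp len 20 84 icmp echo/0 IN
02/09/2004 15:30:28.708294 hme0 @0:1 p 129.146.157.149,33923 -> 129.146.157.145,23 PR tcp len 20 52 -S IN
02/09/2004 15:30:28.708708 hme0 @0:1 p 129.146.157.149,33923 -> 129.146.157.145,23 PR tcp len 20 40 -A IN
02/09/2004 15:31:02.100000 hme0 @0:3 b 192.0.2.10,4444 -> 129.146.157.145,22 PR tcp len 20 60 -S IN
02/09/2004 15:31:02.200000 hme0 @0:3 b 192.0.2.10,4445 -> 129.146.157.145,23 PR tcp len 20 60 -S IN
this line is not ipmon output
"""

def parse_ipmon_line(line):
    """Return a dict of fields for one ipmon line, or None if it does not match."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("group", "rule", "hlen", "plen", "sport", "dport"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    rec["blocked"] = rec["action"] == "b"  # assumed codes: p = pass, b = block
    return rec

def summarize(text):
    """Count parsed and unparsed lines, packets per (group, rule, action),
    and blocked packets per source address."""
    summary = {"parsed": 0, "unparsed": 0,
               "by_rule_action": Counter(), "blocked_by_src": Counter()}
    for line in text.splitlines():
        rec = parse_ipmon_line(line)
        if rec is None:
            summary["unparsed"] += 1  # keep count of lines that need a closer look
            continue
        summary["parsed"] += 1
        summary["by_rule_action"][(rec["group"], rec["rule"], rec["action"])] += 1
        if rec["blocked"]:
            summary["blocked_by_src"][rec["src"]] += 1
    return summary
```

Feed summarize() the text saved from ipmon -o SNI or ipmon -f to see which rules are matching and which sources are being blocked most often; a non-zero unparsed count flags lines in a format the regex does not cover.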