Working With Log Files for Solaris IP Filter
Table 26-5 Working With Solaris IP Filter Log Files (Task Map)
Task | Description | For Instructions |
---|---|---|
Create a log file. | Create a separate Solaris IP Filter log file. | How to Set Up a Log File for Solaris IP Filter |
View log files. | View state, NAT, and normal log files using the ipmon command. | How to View Solaris IP Filter Log Files |
Flush the packet log buffer. | Remove the contents of the packet log buffer using the ipmon -F command. | How to Flush the Packet Log File |
Save logged packets to a file. | Save logged packets to a file for later reference. | How to Save Logged Packets to a File |
How to Set Up a Log File for Solaris IP Filter
By default, all log information for Solaris IP Filter is recorded in the syslogd file. You should set up a log file to record Solaris IP Filter traffic information separately from other data that might be logged in the default log file. Perform the following steps.
Assume a role that includes the IP Filter Management rights profile, or become superuser.
You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see "Configuring RBAC (Task Map)" in System Administration Guide: Security Services.
Edit the /etc/syslog.conf file by adding the following two lines:
# Save IPFilter log output to its own file
local0.debug	/var/log/log-name
Note - On the second line, make sure to use the Tab key, not the Spacebar, to separate local0.debug from /var/log/log-name.
Create the new log file.
# touch /var/log/log-name
Restart the system-log service.
# svcadm restart system-log
Example 26-20 Creating a Solaris IP Filter Log
The following example shows how to create ipmon.log to archive IP filter information.
In /etc/syslog.conf:
# Save IPFilter log output to its own file
local0.debug	/var/log/ipmon.log
At the command line:
# touch /var/log/ipmon.log
# svcadm restart system-log
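The note above about the tab separator is the usual way this procedure goes wrong: a syslog.conf action field separated by spaces is silently ignored, and the IP Filter log simply never appears. The following POSIX shell functions are an added example, not part of the Oracle guide: one prints the entry with a literal tab, the other checks an existing syslog.conf for a local0.debug line whose separator really is a tab. Only the /etc/syslog.conf format and the local0.debug facility come from the page; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): generate and verify the
# syslog.conf entry that routes Solaris IP Filter (local0.debug) output
# to its own log file.  syslogd requires a TAB between the selector and
# the action; a space there makes the entry ineffective.

# Print the two-line entry with a literal tab between the fields.
# $1 = path of the log file, e.g. /var/log/ipmon.log
ipf_syslog_entry() {
    printf '# Save IPFilter log output to its own file\nlocal0.debug\t%s\n' "$1"
}

# Return 0 if $1 contains a line whose first tab-separated field is
# exactly "local0.debug" and which has a non-empty action field after
# one or more tabs; otherwise print a diagnostic on stderr and return 1.
# $1 = path of the syslog.conf to check (e.g. /etc/syslog.conf)
check_ipf_syslog_conf() {
    if awk -F '\t' '
            $1 == "local0.debug" { for (i = 2; i <= NF; i++) if ($i != "") ok = 1 }
            END { exit ok ? 0 : 1 }
        ' "$1"; then
        return 0
    fi
    # Distinguish "entry present but wrong separator" from "entry missing",
    # since the fix differs: retype the separator vs. add the lines.
    if grep -q '^local0\.debug' "$1"; then
        echo "$1: local0.debug entry found, but the separator is not a tab" >&2
    else
        echo "$1: no local0.debug entry found" >&2
    fi
    return 1
}

# Usage (run as a role with the IP Filter Management rights profile):
#   ipf_syslog_entry /var/log/ipmon.log >> /etc/syslog.conf
#   check_ipf_syslog_conf /etc/syslog.conf && svcadm restart system-log
```

The check treats the whole first tab-delimited field as the selector, so "local0.debug " (selector followed by a space, then a tab) is reported as a wrong separator rather than passed, and a commented-out "#local0.debug" line is not counted as present.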
How to View Solaris IP Filter Log Files
Before You Begin
You should create a separate log file to record Solaris IP Filter data. Refer to How to Set Up a Log File for Solaris IP Filter.
Assume a role that includes the IP Filter Management rights profile, or become superuser.
You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see "Configuring RBAC (Task Map)" in System Administration Guide: Security Services.
View the state, NAT, or normal log files. To view a log file, type the following command, using the appropriate option:
# ipmon -o [S|N|I] filename
S    Displays the state log file.
N    Displays the NAT log file.
I    Displays the normal IP log file.
To view all state, NAT, and normal log files, use all the options:
# ipmon -o SNI filename
Provided that you have manually stopped the ipmon daemon first, you can also use the following command to display state, NAT, and Solaris IP filter log files:
# ipmon -a filename
Note - Do not use the ipmon -a syntax if the ipmon daemon is still running. Normally, the daemon is automatically started during system boot. Issuing the ipmon -a command also opens another copy of ipmon. In such a case, both copies read the same log information, and only one gets a particular log message.
For more information about viewing log files, see the ipmon(1M) man page.
Example 26-21 Viewing Solaris IP Filter Log Files
The following example shows the output from /var/ipmon.log.
# ipmon -o SNI /var/ipmon.log
02/09/2004 15:27:20.606626 hme0 @0:1 p 129.146.157.149 -> 129.146.157.145 PR icmp len 20 84 icmp echo/0 IN
or
# pkill ipmon
# ipmon -aD /var/ipmon.log
02/09/2004 15:27:20.606626 hme0 @0:1 p 129.146.157.149 -> 129.146.157.145 PR icmp len 20 84 icmp echo/0 IN
How to Flush the Packet Log File
Assume a role that includes the IP Filter Management rights profile, or become superuser.
You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see "Configuring RBAC (Task Map)" in System Administration Guide: Security Services.
Flush the packet log buffer.
# ipmon -F
Example 26-22 Flushing the Packet Log File
The following example shows the output when the packet log buffer is flushed. The system reports on each buffer even when nothing is stored in it, as in this example.
# ipmon -F
0 bytes flushed from log buffer
0 bytes flushed from log buffer
0 bytes flushed from log buffer
How to Save Logged Packets to a File
Assume a role that includes the IP Filter Management rights profile, or become superuser.
You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see "Configuring RBAC (Task Map)" in System Administration Guide: Security Services.
Save the logged packets to a file.
# cat /dev/ipl > filename
Continue logging packets to the filename file until you interrupt the procedure by typing Control-C to get the command line prompt back.
Example 26-23 Saving Logged Packets to a File
The following example shows the result when logged packets are saved to a file.
# cat /dev/ipl > /tmp/logfile
^C#
# ipmon -f /tmp/logfile
02/09/2004 15:30:28.708294 hme0 @0:1 p 129.146.157.149,33923 -> 129.146.157.145,23 PR tcp len 20 52 -S IN
02/09/2004 15:30:28.708708 hme0 @0:1 p 129.146.157.149,33923 -> 129.146.157.145,23 PR tcp len 20 40 -A IN
02/09/2004 15:30:28.792611 hme0 @0:1 p 129.146.157.149,33923 -> 129.146.157.145,23 PR tcp len 20 70 -AP IN
02/09/2004 15:30:28.872000 hme0 @0:1 p 129.146.157.149,33923 -> 129.146.157.145,23 PR tcp len 20 40 -A IN
02/09/2004 15:30:28.872142 hme0 @0:1 p 129.146.157.149,33923 -> 129.146.157.145,23 PR tcp len 20 43 -AP IN
02/09/2004 15:30:28.872808 hme0 @0:1 p 129.146.157.149,33923 -> 129.146.157.145,23 PR tcp len 20 40 -A IN
02/09/2004 15:30:28.872951 hme0 @0:1 p 129.146.157.149,33923 -> 129.146.157.145,23 PR tcp len 20 47 -AP IN
02/09/2004 15:30:28.926792 hme0 @0:1 p 129.146.157.149,33923 -> 129.146.157.145,23 PR tcp len 20 40 -A IN
.
.
(output truncated)
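Whether the records come from ipmon -o SNI (Example 26-21) or from a file captured from /dev/ipl and replayed with ipmon -f (Example 26-23), the text ipmon prints has the same one-line-per-packet layout, so the same small awk filters can summarize either. The block below is an added example, not from the Oracle guide, and reads that text on standard input. Field positions and the action codes (p for a passed packet, b for a blocked one) are taken from the ipmon(1M) format the page references rather than stated on the page itself; the sample records are constructed from the page's example lines plus one assumed blocked record so that both action codes appear.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): summarize ipmon(1M) text output.
# Per ipmon(1M), each record reads:
#   date time iface @group:rule action src[,port] -> dst[,port] PR proto len hdr total [flags] dir
# Field numbers used below (awk $n): $5 action, $6 source, $8 destination,
# $10 protocol, $14 TCP flags (tcp only), $NF direction (IN/OUT).

# Constructed sample: three records copied from the examples above and one
# assumed blocked (b) record on rule @0:2 so both action codes are present.
IPMON_SAMPLE='02/09/2004 15:27:20.606626 hme0 @0:1 p 129.146.157.149 -> 129.146.157.145 PR icmp len 20 84 icmp echo/0 IN
02/09/2004 15:30:28.708294 hme0 @0:1 p 129.146.157.149,33923 -> 129.146.157.145,23 PR tcp len 20 52 -S IN
02/09/2004 15:30:28.708708 hme0 @0:1 p 129.146.157.149,33923 -> 129.146.157.145,23 PR tcp len 20 40 -A IN
02/09/2004 15:31:02.118301 hme0 @0:2 b 129.146.157.149,40001 -> 129.146.157.145,22 PR tcp len 20 60 -S IN'

# Count packets per distinct flow: "count action proto src -> dst dir",
# most frequent first.  Reads ipmon text on stdin.
ipmon_flows() {
    awk '{
             key = $5 " " $10 " " $6 " -> " $8 " " $NF
             n[key]++
         }
         END { for (k in n) print n[k], k }' | sort -rn
}

# List the source -> destination pairs that a rule blocked (action "b"),
# one per line, deduplicated.  Reads ipmon text on stdin.
ipmon_blocked() {
    awk '$5 == "b" { print $6 " -> " $8 }' | sort -u
}

# Count TCP SYN-only packets (flags field exactly "-S", i.e. connection
# attempts) per source host, most active host first.  Reads stdin.
ipmon_syn_by_host() {
    awk '$10 == "tcp" && $14 == "-S" { split($6, a, ","); n[a[1]]++ }
         END { for (h in n) print n[h], h }' | sort -rn
}

# Demonstration on the constructed sample; on a live system, feed the
# output of "ipmon -o SNI /var/log/ipmon.log" or "ipmon -f capturefile".
printf '%s\n' "$IPMON_SAMPLE" | ipmon_flows
printf '%s\n' "$IPMON_SAMPLE" | ipmon_blocked
printf '%s\n' "$IPMON_SAMPLE" | ipmon_syn_by_host
```

The flow key deliberately includes the port-bearing source and destination fields as printed, so two TCP packets of one connection collapse into a single line while the ICMP echo stays separate; the SYN counter splits off the port so that repeated connection attempts from one host are counted together regardless of the ephemeral port.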