System Administration Guide: IP Services

Working With Log Files for Solaris IP Filter

Table 26-5 Working With Solaris IP Filter Log Files (Task Map)

Task                            Description                                                               For Instructions
Create a log file.              Create a separate Solaris IP filter log file.                             How to Set Up a Log File for Solaris IP Filter
View log files.                 View state, NAT, and normal log files using the ipmon command.            How to View Solaris IP Filter Log Files
Flush the packet log buffer.    Remove the contents of the packet log buffer using the ipmon -F command.  How to Flush the Packet Log File
Save logged packets to a file.  Save logged packets to a file for later reference.                        How to Save Logged Packets to a File

How to Set Up a Log File for Solaris IP Filter

By default, all Solaris IP Filter log information is written by syslogd to the default system log file, mixed with other logged data. You should set up a separate log file so that Solaris IP Filter traffic information is recorded apart from that other data. Perform the following steps.

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Edit the /etc/syslog.conf file by adding the following two lines:
    # Save IPFilter log output to its own file 
    local0.debug             /var/log/log-name

    Note - On the second line, make sure to use the Tab key, not the Spacebar, to separate local0.debug from /var/log/log-name.


  3. Create the new log file.
    # touch /var/log/log-name
  4. Restart the system-log service.
    # svcadm restart system-log

Example 26-20 Creating a Solaris IP Filter Log

The following example shows how to create ipmon.log to archive IP filter information.

In /etc/syslog.conf:

# Save IPFilter log output to its own file 
local0.debug             /var/log/ipmon.log

At the command line:

# touch /var/log/ipmon.log
# svcadm restart system-log
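The note in step 2 is easy to get wrong when the entry is pasted or typed: a space instead of a Tab between local0.debug and the file name silently leaves the entry ineffective. The following Python is an added example, not part of this guide or of Solaris IP Filter, that generates the entry with a real Tab and checks an existing syslog.conf for local0 entries that are not Tab-separated. The sample configuration text is constructed here; the rule it applies (Tab only, as the guide's note requires) is the only assumption.

```python
import re

# Constructed /etc/syslog.conf excerpt (not from a real system): the entry
# the guide asks for, Tab separated, followed by a copy typed with spaces.
SAMPLE_SYSLOG_CONF = (
    "*.err;kern.notice;auth.notice\t/dev/sysmsg\n"
    "# Save IPFilter log output to its own file\n"
    "local0.debug\t/var/log/ipmon.log\n"
    "local0.debug      /var/log/ipmon-spaces.log\n"
)

# One syslog.conf entry: selector, separator, action (file, device, host ...).
ENTRY_RE = re.compile(r"^(?P<selector>\S+)(?P<sep>[ \t]+)(?P<action>\S+)\s*$")


def ipf_syslog_entry(log_name):
    """Return the two lines from the guide, with a real Tab as the separator."""
    return ("# Save IPFilter log output to its own file\n"
            f"local0.debug\t/var/log/{log_name}\n")


def check_ipf_entries(conf_text, facility="local0"):
    """List (line number, status, action) for every entry of the given
    facility; status is 'ok' when the separator is Tab only, as the guide
    requires, and 'space-separated' otherwise."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        m = ENTRY_RE.match(line)
        if not m:
            findings.append((lineno, "unparsable", line))
            continue
        if not m["selector"].startswith(facility + "."):
            continue  # some other facility; not our concern here
        sep_ok = "\t" in m["sep"] and " " not in m["sep"]
        findings.append((lineno, "ok" if sep_ok else "space-separated", m["action"]))
    return findings


if __name__ == "__main__":
    print(ipf_syslog_entry("ipmon.log"), end="")
    for lineno, status, action in check_ipf_entries(SAMPLE_SYSLOG_CONF):
        print(f"line {lineno}: {status}: {action}")
```

Run it against a copy of the real file with check_ipf_entries(open("/etc/syslog.conf").read()) after editing; a "space-separated" finding means the entry should be retyped with the Tab key before restarting system-log.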

How to View Solaris IP Filter Log Files

Before You Begin

You should create a separate log file to record Solaris IP Filter data. Refer to How to Set Up a Log File for Solaris IP Filter.

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. View the state, NAT, or normal log files. To view a log file, type the following command, using the appropriate option:
    # ipmon -o [S|N|I] filename
    S

    Displays the state log file.

    N

    Displays the NAT log file.

    I

    Displays the normal IP log file.

    To view all state, NAT, and normal log files, use all the options:

    # ipmon -o SNI filename
    • Provided that you have manually stopped the ipmon daemon first, you can also use the following command to display state, NAT, and Solaris IP filter log files:
      # ipmon -a filename

      Note - Do not use the ipmon -a syntax if the ipmon daemon is still running. Normally, the daemon is automatically started during system boot. Issuing the ipmon -a command also opens another copy of ipmon. In such a case, both copies read the same log information, and only one gets a particular log message.


    For more information about viewing log files, see the ipmon(1M) man page.

Example 26-21 Viewing Solaris IP Filter Log Files

The following example shows the output from /var/ipmon.log.

# ipmon -o SNI /var/ipmon.log
02/09/2004 15:27:20.606626 hme0 @0:1 p 129.146.157.149 -> 
129.146.157.145 PR icmp len 20 84 icmp echo/0 IN

or

# pkill ipmon
# ipmon -aD /var/ipmon.log
02/09/2004 15:27:20.606626 hme0 @0:1 p 129.146.157.149 -> 
129.146.157.145 PR icmp len 20 84 icmp echo/0 IN

How to Flush the Packet Log File

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Flush the packet log buffer.
    # ipmon -F

Example 26-22 Flushing the Packet Log File

The following example shows the output when the packet log buffer is flushed. The system reports the result even when there is nothing stored in the buffer, as in this example.

# ipmon -F
0 bytes flushed from log buffer
0 bytes flushed from log buffer
0 bytes flushed from log buffer

How to Save Logged Packets to a File

  1. Assume a role that includes the IP Filter Management rights profile, or become superuser.

    You can assign the IP Filter Management rights profile to a role that you create. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Save the logged packets to a file.
    # cat /dev/ipl > filename

    Continue logging packets to the filename file until you interrupt the procedure by typing Control-C to get the command line prompt back.

Example 26-23 Saving Logged Packets to a File

The following example shows the result when logged packets are saved to a file.

# cat /dev/ipl > /tmp/logfile
^C#

# ipmon -f /tmp/logfile
02/09/2004 15:30:28.708294 hme0 @0:1 p 129.146.157.149,33923 -> 
  129.146.157.145,23 PR tcp len 20 52 -S IN
02/09/2004 15:30:28.708708 hme0 @0:1 p 129.146.157.149,33923 -> 
  129.146.157.145,23 PR tcp len 20 40 -A IN
02/09/2004 15:30:28.792611 hme0 @0:1 p 129.146.157.149,33923 -> 
  129.146.157.145,23 PR tcp len 20 70 -AP IN
02/09/2004 15:30:28.872000 hme0 @0:1 p 129.146.157.149,33923 -> 
  129.146.157.145,23 PR tcp len 20 40 -A IN
02/09/2004 15:30:28.872142 hme0 @0:1 p 129.146.157.149,33923 -> 
  129.146.157.145,23 PR tcp len 20 43 -AP IN
02/09/2004 15:30:28.872808 hme0 @0:1 p 129.146.157.149,33923 -> 
  129.146.157.145,23 PR tcp len 20 40 -A IN
02/09/2004 15:30:28.872951 hme0 @0:1 p 129.146.157.149,33923 -> 
  129.146.157.145,23 PR tcp len 20 47 -AP IN
02/09/2004 15:30:28.926792 hme0 @0:1 p 129.146.157.149,33923 -> 
  129.146.157.145,23 PR tcp len 20 40 -A IN
.
.
(output truncated)
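Whether the records come from ipmon -o SNI (Example 26-21) or from a saved /dev/ipl file read back with ipmon -f (Example 26-23), they share the one-line layout shown above: date, time, interface, @group:rule, action, source -> destination, PR protocol, header and packet lengths, then per-protocol detail and the direction. The following Python is an added example, not part of this guide or of the ipmon tool, that parses those records and summarizes them the way a reviewer of a firewall log would (passed versus blocked counts, and TCP connection attempts per destination port). The sample log is constructed from the guide's example lines, joined back onto single lines since the guide wraps them for display; the field layout assumed here is taken from those lines only, so record types the guide does not show are reported as unparsed rather than guessed at.

```python
import re
from collections import Counter

# Constructed sample: the guide's example records, one per line (the guide
# wraps them for display; ipmon emits each record on a single line).
SAMPLE_LOG = """\
02/09/2004 15:27:20.606626 hme0 @0:1 p 129.146.157.149 -> 129.146.157.145 PR icmp len 20 84 icmp echo/0 IN
02/09/2004 15:30:28.708294 hme0 @0:1 p 129.146.157.149,33923 -> 129.146.157.145,23 PR tcp len 20 52 -S IN
02/09/2004 15:30:28.708708 hme0 @0:1 p 129.146.157.149,33923 -> 129.146.157.145,23 PR tcp len 20 40 -A IN
02/09/2004 15:30:28.792611 hme0 @0:1 p 129.146.157.149,33923 -> 129.146.157.145,23 PR tcp len 20 70 -AP IN
"""

# Layout as seen in the guide's examples (assumption: other record types
# that ipmon can emit are not covered and simply fail to match).
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>\S+) "
    r"(?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+) "
    r"len (?P<hlen>\d+) (?P<plen>\d+)(?P<rest>.*)$"
)


def _split_endpoint(endpoint):
    """'host,port' -> (host, port); a bare 'host' (ICMP) -> (host, None)."""
    host, sep, port = endpoint.partition(",")
    return host, (int(port) if sep else None)


def parse_ipmon_line(line):
    """Return a dict of fields for one ipmon record, or None if it does not
    match the layout shown in the guide."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src_host"], rec["src_port"] = _split_endpoint(rec.pop("src"))
    rec["dst_host"], rec["dst_port"] = _split_endpoint(rec.pop("dst"))
    rec["hlen"], rec["plen"] = int(rec["hlen"]), int(rec["plen"])
    rest = rec.pop("rest").split()
    rec["direction"] = rest[-1] if rest else None  # IN or OUT
    # TCP records carry a "-<flags>" token such as -S or -AP; ICMP records
    # carry "icmp <type>/<code>" instead.
    rec["tcp_flags"] = next((t[1:] for t in rest if t.startswith("-")), "")
    rec["icmp"] = " ".join(rest[1:-1]) if rec["proto"] == "icmp" else None
    return rec


def summarize(text):
    """Count records per action (p = passed, b = blocked in this layout) and
    TCP connection attempts (SYN-only, flags 'S') per destination port."""
    actions, syn_by_port, unparsed = Counter(), Counter(), 0
    for line in text.splitlines():
        rec = parse_ipmon_line(line)
        if rec is None:
            unparsed += 1
            continue
        actions[rec["action"]] += 1
        if rec["proto"] == "tcp" and rec["tcp_flags"] == "S":
            syn_by_port[rec["dst_port"]] += 1
    return {"actions": dict(actions),
            "syn_by_port": dict(syn_by_port),
            "unparsed": unparsed}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

To use it on a real file, pass the text of the ipmon -f output (for example open("/tmp/ipmon.txt").read()) to summarize(); a non-zero "unparsed" count tells you the file contains record types beyond the ones the regular expression was built from, which is the cue to extend it rather than trust the totals.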