HP-UX IPFilter Version 17 Administrator's Guide

9.3 Logging IPFilter Packets
This section describes how to use the log keyword in IPFilter rules to configure logging and
how to use the ipmon utility to view IPFilter log records.
9.3.1 Using the log keyword to Configure IPFilter Logging
To configure logging, specify the log keyword in an IPFilter rule after the in or out keyword,
as described in “log: Logging Packets” (page 31). The log keyword directs IPFilter to log packets
matching the rule to the IPFilter logging device, /dev/ipl. To view log entries, use the ipmon
utility as described in “Using ipmon to View IPFilter Log Entries” (page 90). You can use the
ipmon -s command to send the output from /dev/ipl to syslog.
IPFilter supports the following options with the log keyword to refine the log entries:
level
first
body
9.3.1.1 level log-level
You can control the level of logging IPFilter does by specifying the level log-level option
with the log keyword in a rule.
The syntax for level is:
log level facility.priority | priority
The valid values for facility are:
kern      user      mail
daemon    auth      syslog
lpr       news      uucp
cron      ftp       authpriv
audit     logalert  local0
local1    local2    local3
local4    local5    local6
local7
The valid values for priority are:
emerg     alert     crit
err       warn      notice
info      debug
Example:
block in log level auth.info quick on lan0 from 20.20.20.0/24 to any
block in log level auth.alert quick on lan0 proto tcp from any to 20.20.20.0/24 port = 21
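The following check is an added example, not part of the original guide or of IPFilter: it reads rule lines and verifies that each level value uses only the facility and priority names listed above, so a mistyped value is caught before the rules are loaded. The names parse_level and lint and the last three sample rules are constructed for illustration; the example assumes # starts a comment in the rules file.

```python
# Facility and priority names copied from the lists in this section.
FACILITIES = {
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "ftp", "authpriv", "audit", "logalert",
    *(f"local{n}" for n in range(8)),
}
PRIORITIES = {"emerg", "alert", "crit", "err", "warn", "notice", "info", "debug"}

def parse_level(rule):
    """Return (facility, priority) for a rule's 'log level' option.

    facility is None for the priority-only form; the result is None when the
    rule has no level option. Raises ValueError for a value not listed above.
    """
    tokens = rule.split("#", 1)[0].split()      # assumption: '#' starts a comment
    if "log" not in tokens:
        return None
    after_log = tokens[tokens.index("log") + 1:]
    if "level" not in after_log:
        return None
    pos = after_log.index("level")
    if pos + 1 >= len(after_log):
        raise ValueError("'level' has no value")
    # Syntax: facility.priority | priority
    facility, dot, priority = after_log[pos + 1].rpartition(".")
    if dot and facility not in FACILITIES:
        raise ValueError(f"unknown facility {facility!r}")
    if priority not in PRIORITIES:
        raise ValueError(f"unknown priority {priority!r}")
    return (facility or None, priority)

def lint(lines):
    """Return [(line_number, error)] for every rule with a bad level value."""
    problems = []
    for number, line in enumerate(lines, 1):
        try:
            parse_level(line)
        except ValueError as err:
            problems.append((number, str(err)))
    return problems

SAMPLE = [  # first two rules are the guide's examples; the rest are constructed
    "block in log level auth.info quick on lan0 from 20.20.20.0/24 to any",
    "block in log level auth.alert quick on lan0 proto tcp from any to 20.20.20.0/24 port = 21",
    "block in log level authpriv.warning quick on lan0 from any to any",
    "block in log level secure.info quick on lan0 from any to any",
    "pass in log level notice on lan0 from any to any",
]

if __name__ == "__main__":
    for number, error in lint(SAMPLE):
        print(f"line {number}: {error}")
```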
9.3.1.2 first
You can use the first option with the log keyword to log only the first instance of a certain
type of packet. For example, it might not be important to log 500 attempts to probe your telnet
port from one source. It is a good idea to log the first attempt, however.