IP Filter FAQ

VI. IPMON

1. I have IPMon logging to syslog, but syslog doesn't log anything, why not?
2. I have IPMon logging to syslog, and I can't use ipmon -oI, why not?
3. When I start ipmon, it fails to start with an error.
4. I'm getting wierd ipmon log entries, why?
5. Can I make IPF log straight to a file instead of to syslog?

1. I have IPMon logging to syslog, but syslog doesn't log anything, why not?

   IPF logs as local0 so you'll want something to the effect of:
   local0.debug /var/log/ipf.log
in your syslog.conf. NOTE: There has to be atleast one TAB in that line, not just spaces.

2. I have IPMon logging to syslog, and I can't use ipmon -oI, why not?

   You can only use one of ipmon -oI and ipmon -s. Just do a tail -f filename where filename is whatever syslog logs ipf stuff to.

3. When I start ipmon, it fails to start with an error.

   Are you running *BSD or SunOS? Check your kernel configuration, make sure you have "options IPFILTER_LOG"

4. I'm getting wierd ipmon log entries, why?

   If you're seeing log entries like: Mar 22 13:45:45 gateway ipmon[94]: 13:45:44.302938 xl2 @0:1 S
Feb 20 17:29:47 gateway ipmon[94]: 17:29:47.377435 xl2 @19:10241 L
You've recently upgraded IP Filter on your FreeBSD system. FreeBSD installs ipmon in /sbin while IP Filter installs ipmon in /usr/sbin. Thus you are still using the old version of ipmon with your new version of IP Filter. Delete /sbin/ipmon.

5. Can I make IPF log straight to a file instead of to syslog?

   Sure! Instead of invoking ipmon with the -s option, just specify a filename:
   ipmon filename

   Plus any other options you want. Alternatively, if you want to use syslog, don't specify a filename, and use -s.