description:
pflogr's primary purpose is to get pf logs to a remote host quickly and reliably. packets are first queued on the firewall (in /var/pfqueue), then sent to a postgresql database. they are not removed from the queue unless the sql insert was successful, so a database outage delays delivery rather than losing records. once they are in the database, they are decoded. i also threw in a bit of php to view them with.
i've successfully run pflogr on openbsd 3.2 and 3.3. i use ipsec between the firewall and the database server to secure that traffic.
howto:
presently, this assumes you are comfortable with managing your openbsd system and postgresql. work in progress ;), comments are welcome. email me via sourceforge, or derek at helloworld dot sh.
on the database server:
- required packages: postgresql, p5-DBI, and p5-DBD-Pg
- from cpan, install NetPacket
- drop pflog.pm into /usr/local/libdata/perl5/site_perl/NetPacket
- create the postgresql database and user
- install pl/pgsql for that new database (or in template1 before creating it)
- be sure that the firewall and web server are allowed to connect to the database
- load the dbschema into your new database (psql dbname dbuser <dbschema)
- put pfdecode somewhere like /usr/local/sbin and modify its db connection info
- start pfdecode (can be run as anybody)
on the firewall:
- required packages: postgresql, p5-DBI, and p5-DBD-Pg
- install -d -o root -g wheel -m 600 /var/pfqueue
- build pfdump (gcc -lpcap -o pfdump pfdump.c) and put it somewhere like /usr/local/sbin (ignore the mktemp warning, see todo: section below)
- place pfinsert in the likes of /usr/local/sbin and modify its db connection info
- start pfdump and pfinsert
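the queue-then-insert contract from the description above (a packet file is unlinked only after its database insert succeeds), together with the mkstemp-and-rename approach the todo section mentions, as an added python example. this is not pflogr's own code (pfdump is c, pfinsert is perl); the PfQueue class, the file naming scheme and the fake insert callable are assumptions made for illustration.

```python
import os
import tempfile
import time

class PfQueue:
    TMP = ".tmp-"   # prefix of not-yet-published files; pending() skips them
    def __init__(self, path):
        self.path, self.seq = path, 0
        os.makedirs(path, mode=0o700, exist_ok=True)

    def enqueue(self, packet):
        # Producer (pfdump's role): mkstemp creates the file safely and rename()
        # publishes it atomically, so the reader never needs a file lock.
        fd, tmp = tempfile.mkstemp(prefix=self.TMP, dir=self.path)
        os.write(fd, packet)
        os.fsync(fd)
        os.close(fd)
        self.seq += 1
        name = "%020d-%d-%06d" % (time.time_ns(), os.getpid(), self.seq)
        os.rename(tmp, os.path.join(self.path, name))

    def pending(self):   # sorted names == capture order
        return sorted(os.path.join(self.path, n) for n in os.listdir(self.path)
                      if not n.startswith(self.TMP))

    def drain(self, insert):
        # Consumer (pfinsert's role): insert() raises on failure (e.g. a failed
        # SQL INSERT); the file then stays in place for the next pass.
        ok = failed = 0
        for fn in self.pending():
            with open(fn, "rb") as f:
                data = f.read()
            try:
                insert(data)
            except Exception:
                failed += 1
                continue
            os.unlink(fn)   # removed only after a successful insert
            ok += 1
        return ok, failed

def demo():
    # Constructed sample: three fake records; the insert rejects one on the
    # first pass, standing in for a database that is briefly unreachable.
    q = PfQueue(os.path.join(tempfile.mkdtemp(), "pfqueue"))
    for pkt in (b"pkt-1", b"pkt-2-db-down", b"pkt-3"):
        q.enqueue(pkt)
    stored = []
    def insert(data):
        if b"db-down" in data:
            raise RuntimeError("connection refused")
        stored.append(data)
    first = q.drain(insert)           # (2, 1): rejected packet stays queued
    second = q.drain(stored.append)   # (1, 0): retried and removed
    return first, second, stored, q.pending()
```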
on the web server:
- required packages: php4-core, php4-pgsql
- put pfview.php into your htdocs and modify its db connection info
todo:
- have pfdump and pfinsert run as two different non-root users. then i can drop the file locking in favor of a chown or chmod, and in turn use mkstemp, which will take care of that compile warning ;)
- have pfdecode (or maybe a separate script) handle deleting aged information from the decoded area of the database. also, come up with a nice way to regenerate such data from the raw table.
- get granular with database permissions so that all programs involved can only do as much as they need.
- pfview.php should be much cooler
- make use of schemas in postgresql to handle multiple firewalls
- make this web page less ugly
- support mysql