Logging in PF

Janne Johansson jj at stacken.kth.se
Wed Mar 23 16:46:42 CET 2011


On Wed, Mar 23, 2011 at 15:39+0100, Sven-ke Svensson (sa at mbg.se) wrote:
> Looks like setting "-s 1600" helped. But only if one started a new
> pflogd session and logged to a different file. When I tried setting
> the flag in /etc/rc.conf, no data ended up in the file at all. But
> this is sufficient for the purpose.

I think the man page for pflogd says quite a lot about how it handles
the files:
     If the log file contains data after a restart or a SIGHUP, new logs are
     appended to the existing file.  If the existing log file was created with
     a different snaplen, pflogd temporarily uses the old snaplen to keep the
     log file consistent.

     pflogd tries to preserve the integrity of the log file against I/O
     errors.  Furthermore, integrity of an existing log file is verified
     before appending.  If there is an invalid log file or an I/O error, the
     log file is moved out of the way and a new one is created.  If a new file
     cannot be created, logging is suspended until a SIGHUP or a SIGALRM is
     received.


-- 
"Backwards compatible" means: "if it isn't backwards, it's not compatible."
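
Added example, not part of the original message or of pflogd: a Python sketch that reads the snaplen stored in a pcap global header and predicts, per the man page text quoted above, whether a requested "-s 1600" would take effect on an existing log file. The function names and the sample header are constructed for illustration, and only the header is checked, which is a simplification of pflogd's integrity verification.

```python
import struct
import sys

# pcap global-header magic -> struct byte-order prefix
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<",  # microsecond stamps
    b"\xa1\xb2\x3c\x4d": ">", b"\x4d\x3c\xb2\xa1": "<",  # nanosecond stamps
}
# magic(4) + version(2+2) + thiszone(4) + sigfigs(4) + snaplen(4) + linktype(4)
HEADER_LEN = 24


def pcap_snaplen(data: bytes) -> int:
    """Return the snaplen recorded in a pcap file's global header."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated pcap global header")
    order = PCAP_MAGICS.get(data[:4])
    if order is None:
        raise ValueError("bad pcap magic")
    fields = struct.unpack(order + "HHiIII", data[4:HEADER_LEN])
    return fields[4]


def snaplen_in_use(data: bytes, requested: int) -> tuple:
    """Predict which snaplen applies, following the quoted man page text."""
    if not data:
        return requested, "no existing data: requested snaplen is used"
    try:
        old = pcap_snaplen(data)
    except ValueError as exc:
        # Man page: an invalid log file is moved away and a new one created.
        return requested, f"invalid log file ({exc}): new file, requested snaplen"
    if old != requested:
        return old, "existing file has a different snaplen: old value is kept"
    return requested, "existing file already uses the requested snaplen"


# Constructed sample: little-endian header, snaplen 116, linktype 117 (PFLOG),
# followed by 16 zero bytes standing in for logged data.
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 116, 117) + b"\x00" * 16

if __name__ == "__main__":
    # Pass a log file path as the first argument, or run on the sample.
    blob = open(sys.argv[1], "rb").read(HEADER_LEN) if len(sys.argv) > 1 else SAMPLE
    print(snaplen_in_use(blob, 1600))
```
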

