Send OpenBSD PF statistics to Graphite


Send pflog statistics to Graphite (via statsd) for monitoring visualization.

Send pf counter info to Graphite (via carbon) for monitoring visualization and dashboards.


  • Python (at least 2.7.x)
  • Statsd (for inclusion of statistics into Graphite)


The pflog-graphite directory is expected to be deployed as /usr/local/pf-graphite.

The script itself is pflog_graphite_poller, running under the Python interpreter.

Included is an rc.d script so the script can be included in system startup and controlled via /etc/rc.d/pflog_graphite_poller.

Also included is pfcount_graphite_poller, which takes the output of pfctl -s info and sends it to Graphite via Carbon.


In /etc/rc.conf.local, ensure pflog_graphite_poller is part of the pkg_scripts variable.

Also needed are several variable specifications:

pflog_graphite_poller_flags="--pflog pflog0 --statsd statsdhost:8125"

The script itself must run as root, since it initiates a tcpdump behind the scenes. We must also specify a pflog interface to read logged packets from pf. If you intend to send the statistics to Statsd, that parameter must be passed a host:port pair.

Your pf.conf should include rules with a log argument if you intend for them to be parsed by this script and sent to statsd.

rc.d-pflog_graphite_poller must be copied to /etc/rc.d as 'pflog_graphite_poller'.

Once all these files and configuration values are in place, start the poller:

/etc/rc.d/pflog_graphite_poller start

To configure the pfcount_graphite_poller script, copy the provided rc.d-pfcount_graphite_poller script to /etc/rc.d/ and add the following to the pkg_scripts variable in /etc/rc.conf.local:



Given the command line

./pflog_graphite_poller --pflog pflog0 --debug

With debug output enabled, the command prints something along the lines of the following:

20130120T08:04:34 DEBUG Raw tcpdump output: Jan 20 08:04:34.527137 rule 1/(match) block in on em0: XXX.XXX.XXX.XXX.1234 > YYY.YYY.YYY.YYY.9876: S 462810291:462810291(0) win 14600 <mss 1460,sackOK,timestamp 955663583 0,nop,wscale 6> (DF) [tos 0x20]

20130120T08:04:34 DEBUG Tcpdump dict: {'direction': 'in', 'rule_number': '1', 'src_ip': 'XXX.XXX.XXX.XXX.1234', 'datetime_stamp': 'Jan 20 08:04:34.527137', 'action': 'block', 'interface': 'em0', 'dest_ip': 'YYY.YYY.YYY.YYY.9876:'}

20130120T08:04:34 INFO Incrementing statsd path:

20130120T08:04:34 DEBUG Done incrementing statsd.

This shows the raw tcpdump output, the tcpdump output parsed into its relevant parts (if possible), and a composed metric for sending to statsd.
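The parse-then-count flow in the debug output above, as an added example (not the project's own code). The regex, the function names, and the metric path layout are assumptions of this example; unlike the dict shown above it splits ports from addresses, and it handles IPv4 TCP/UDP lines only.

```python
import re
import socket

# Constructed sample modelled on the debug line above (documentation address ranges).
SAMPLE = ("Jan 20 08:04:34.527137 rule 1/(match) block in on em0: "
          "192.0.2.10.1234 > 198.51.100.7.9876: S 462810291:462810291(0) "
          "win 14600 <mss 1460,sackOK> (DF) [tos 0x20]")

# Anchored pattern: a line that does not match exactly is dropped, never guessed at.
PFLOG_RE = re.compile(
    r"^(?P<datetime_stamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}\.\d{6}) "
    r"rule (?P<rule_number>\d+)/\(\w+\) "
    r"(?P<action>pass|block) (?P<direction>in|out) "
    r"on (?P<interface>[a-z]+\d+): "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<src_port>\d{1,5}) > "
    r"(?P<dest_ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dest_port>\d{1,5}): ",
    re.ASCII,
)

def parse_pflog_line(line):
    """Return a dict of fields, or None if the line is not an IPv4 TCP/UDP pflog entry."""
    m = PFLOG_RE.match(line)
    return m.groupdict() if m else None

def statsd_counter(fields, prefix="pf"):
    """Build a statsd counter datagram; the path layout is this example's assumption."""
    parts = [prefix, fields["interface"], fields["direction"],
             fields["action"], "rule" + fields["rule_number"]]
    # '.', ':' and '|' are statsd delimiters, so keep only safe characters per component.
    safe = [re.sub(r"[^A-Za-z0-9_-]", "_", p) for p in parts]
    return (".".join(safe) + ":1|c").encode("ascii")

def send(datagram, host="127.0.0.1", port=8125):
    """Fire-and-forget UDP send, which is how statsd receives counters."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.sendto(datagram, (host, port))
    finally:
        sock.close()

if __name__ == "__main__":
    fields = parse_pflog_line(SAMPLE)
    print(fields)
    print(statsd_counter(fields))
```

Because the poller runs as root and the log lines describe traffic an outside host chose to send, the strict match plus per-component sanitising keeps malformed input out of the metric namespace.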