Bug #10588
syslog (remote) receiving DHCP logging, even when disabled
Status: Closed
Description
Hi,
I have DHCP logging disabled (for remote), and not "Everything" selected - yet my remote logs are getting a lot of DHCP related messages (e.g. DHCPOFFER, DHCPACK, etc.). I don't think this should be the case, right?
I think this relates to the "output" / controlling file, /var/etc/syslog.d/pfSense.conf. It has a bunch of lines like the following (actually, I count 13 of them ... LOL)
*.* @remote-server
I could be wrong, but if "Everything" is not selected, I'm thinking the *.* may not be quite right?
Thanks!
Updated by Jim Pingle over 4 years ago
- Status changed from New to Not a Bug
The "*.*" lines are fine as they are filtered on the process name from the line(s) above them ("!name").
There isn't enough info here to call it a bug yet. Please start a forum thread to discuss, and post your syslog config file and a packet capture of the log messages in question. You can redact private info like IP addresses but keep as much detail visible as possible.
Updated by Russell Morris over 4 years ago
OK, will do. And the comment about the *.* was just my thinking ... :-). It still holds that the button is deselected (DHCP), but still seeing a bunch of DHCP messages in the remote syslog.
Thanks!
Updated by Russell Morris over 4 years ago
Hi,
BTW, I just stumbled onto the fact that pfSense seems to be sending duplicate remote syslog messages for all log outputs (as part of digging into this). Should I report this as a separate issue?
FYI, I confirmed this is happening by doing the following,
1) From the shell, running,
logger -t openvpn "My test message"
2) While doing #1 above, watching the output to the remote machine (another shell, in parallel),
tcpdump -nnlAs0 -i alc0.5 host 192.168.2.1 and port 514 | grep openvpn
I get the following (even the timestamps are identical - and yes, I replaced HOSTNAME :-)),
E..zq.............
.....f. <13>1 2020-05-26T20:46:07.035604-05:00 HOSTNAME openvpn 50087 - - My test message
E..z.C............
.....f. <13>1 2020-05-26T20:46:07.035604-05:00 HOSTNAME openvpn 50087 - - My test message
Thanks!
Updated by Russell Morris over 4 years ago
Posted the question to the forum, like you suggested - let's see if anyone has seen similar issues. But also, doing some digging, a couple items that make me a bit suspicious ... :-). I'm no expert here, for sure! So please yell if I have this wrong. And BTW, this is from the file /var/etc/syslog.d/pfSense.conf
1) Right at the top => doesn't !* match all apps? I can see then items going to auth.log (perfect), but the next line ... sends all items to the remote server, for all apps?
# Automatically generated, do not edit!
!*
auth.*;authpriv.* /var/log/auth.log
*.* @remote-server
2) The very last line in the file => won't this send all items at notice level or above to the remote server (even if disabled, like dhcpd should be?)
*.emerg;*.notice;kern.debug;lpr.info;mail.crit;news.err;local0.none;local3.none;local7.none;security.*;auth.info;authpriv.info;daemon.info @remote-server
So I did try commenting out these lines (one, then the other), forcing a restart (manual command) of syslog. My observations,
1) Commented out the *.* line ... I no longer get the double message send I noted above (both locally and remotely). Yay!
2) I need to mess with this one yet, as I have some other filtering on right now ... LOL. But I admit, the syntax on this one may be messing with me, I need to confirm.
So at least #1 here needs to be corrected, agreed?
Thanks!
Updated by Russell Morris over 4 years ago
OK, never mind on 2) ... I think ... LOL. I believe that's my mis-read of the logic in the configuration file. But I do think that first one is an issue - it causes all and everything to be sent (even if Everything is not selected), and for items "not on the not list" (below), well - they send records twice.
The "not list",
!-ntp,ntpd,ntpdate,charon,ipsec_starter,openvpn,poes,l2tps,hostapd,dnsmasq,named,filterdns,unbound,dhcpd,dhcrelay,dhclient,dhcp6c,dpinger,radvd,routed,zebra,ospfd,ospf6d,bgpd,miniupnpd,igmpproxy,filterlog
Thanks!
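The program-block logic discussed above (`!*`, `!name`, `!-name,...` headers applying to the selector lines below them), as an added Python model that is not part of this thread or of pfSense. The config text is constructed to mirror the quoted snippets, not copied from a real pfSense.conf; it shows how a `*.* @remote-server` line under `!*` forwards dhcpd messages and doubles messages for programs that also have their own block.

```python
"""Toy model of BSD syslogd program blocks ('!prog', '!-prog', '!*').
Constructed example, not pfSense code; CONF only mirrors the thread's snippet."""
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed config: catch-all '!*' block, then per-program blocks (dhcpd: local only).
CONF = """\
!*
auth.*;authpriv.* /var/log/auth.log
*.* @remote-server
!openvpn
*.* /var/log/openvpn.log
*.* @remote-server
!dhcpd
*.* /var/log/dhcpd.log
!-ntp,openvpn,dhcpd
*.* /var/log/system.log
*.emerg;*.notice;local0.none;daemon.info @remote-server
"""
# The same config without the catch-all forward in the '!*' block.
CONF_FIXED = CONF.replace("*.* @remote-server\n!openvpn", "!openvpn")

def line_matches(selectors, facility, level):
    """';'-separated 'fac.lvl' selectors: each sets the threshold for its
    facility, later ones override, '.none' disables (single facility names only)."""
    threshold = None
    for sel in selectors.split(";"):
        fac, lvl = sel.split(".")
        if fac in ("*", facility):
            threshold = lvl
    if threshold in (None, "none"):
        return False
    return threshold == "*" or LEVELS.index(level) >= LEVELS.index(threshold)

def route(conf, program, facility, level):
    """Destinations a message is written to, in config order (repeats = duplicates)."""
    dests = []
    allowed = lambda p: True  # initial state equals '!*': every program matches
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):  # program block header
            spec = line[1:]
            if spec == "*":
                allowed = lambda p: True
            elif spec.startswith("-"):
                allowed = lambda p, ex=set(spec[1:].split(",")): p not in ex
            else:
                allowed = lambda p, inc=set(spec.split(",")): p in inc
            continue
        selectors, dest = line.split(None, 1)
        if allowed(program) and line_matches(selectors, facility, level):
            dests.append(dest)
    return dests
```

`route(CONF, "openvpn", "daemon", "notice")` lists `@remote-server` twice and `route(CONF, "dhcpd", "daemon", "info")` lists it once; with `CONF_FIXED` openvpn is forwarded once and dhcpd stays local.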
Updated by Jim Pingle over 4 years ago
OK, I was able to reproduce the problem with the auth log, I moved it over to #10607 -- it may be what caused the problem here as well.