Bug #10588

closed

syslog (remote) receiving DHCP logging, even when disabled

Added by Russell Morris over 4 years ago. Updated over 4 years ago.

Status:
Not a Bug
Priority:
Normal
Assignee:
-
Category:
Logging
Target version:
-
Start date:
05/23/2020
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:

Description

Hi,

I have DHCP logging disabled (for remote), and not "Everything" selected - yet my remote logs are getting a lot of DHCP related messages (e.g. DHCPOFFER, DHCPACK, etc.). I don't think this should be the case, right?

I think this relates to the "output" / controlling file, /var/etc/syslog.d/pfSense.conf. It has a bunch of lines like the following (actually, I count 13 of them ... LOL)
*.* @remote-server

I could be wrong, but if "Everything" is not selected, I'm thinking the *.* may not be quite right?

Thanks!

Actions #1

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Not a Bug

The "*.*" lines are fine as they are filtered on the process name from the line(s) above them ("!name").

There isn't enough info here to call it a bug yet. Please start a forum thread to discuss, and post your syslog config file and a packet capture of the log messages in question. You can redact private info like IP addresses but keep as much detail visible as possible.

Actions #2

Updated by Russell Morris over 4 years ago

OK, will do. And the comment about the *.* was just my thinking ... :-). It still holds that the button is deselected (DHCP), but still seeing a bunch of DHCP messages in the remote syslog.

Thanks!

Actions #3

Updated by Russell Morris over 4 years ago

Hi,

BTW, I just stumbled on to the fact that pfSense seems to be sending duplicate remote syslog messages for all log outputs (as part of digging in to this). Should I report this as a separate issue?

FYI, I confirmed this is happening by doing the following,
1) From the shell, running,
logger -t openvpn "My test message"

2) While doing #1 above, watching the output to the remote machine (another shell, in parallel),
tcpdump -nnlAs0 -i alc0.5 host 192.168.2.1 and port 514 | grep openvpn

I get the following (even the timestamps are identical - and yes, I replaced HOSTNAME :-)),
E..zq..................f. <13>1 2020-05-26T20:46:07.035604-05:00 HOSTNAME openvpn 50087 - - My test message
E..z.C.................f. <13>1 2020-05-26T20:46:07.035604-05:00 HOSTNAME openvpn 50087 - - My test message

Thanks!

Actions #4

Updated by Russell Morris over 4 years ago

Posted the question to the forum, like you suggested - let's see if anyone has seen similar issues. But also, doing some digging, a couple items that make me a bit suspicious ... :-). I'm no expert here, for sure! So please yell if I have this wrong. And BTW, this is from the file /var/etc/syslog.d/pfSense.conf

1) Right at the top => doesn't !* match all apps? I can see then items going to auth.log (perfect), but the next line ... sends all items to the remote server, for all apps?

# Automatically generated, do not edit!
!*
auth.*;authpriv.*                                               /var/log/auth.log
*.*                                                             @remote-server

2) The very last line in the file => won't this send all items at notice level or above to the remote server (even if disabled, like dhcpd should be?)

*.emerg;*.notice;kern.debug;lpr.info;mail.crit;news.err;local0.none;local3.none;local7.none;security.*;auth.info;authpriv.info;daemon.info      @remote-server

So I did try commenting out these lines (one, then the other), forcing a restart (manual command) of syslog. My observations,
1) Commented out the *.* line ... I no longer get the double message send I noted above (both locally and remotely). Yay!
2) I need to mess with this one yet, as I have some other filtering on right now ... LOL. But I admit, the syntax on this one may be messing with me, I need to confirm.

So at least #1 here needs to be corrected, agreed?

Thanks!

Actions #5

Updated by Russell Morris over 4 years ago

OK, never mind on 2) ... I think ... LOL. I believe that's my mis-read of the logic in the configuration file. But I do think that first one is an issue - it causes all and everything to be sent (even if Everything is not selected), and for items "not on the not list" (below), well - they send records twice.

The "not list",

!-ntp,ntpd,ntpdate,charon,ipsec_starter,openvpn,poes,l2tps,hostapd,dnsmasq,named,filterdns,unbound,dhcpd,dhcrelay,dhclient,dhcp6c,dpinger,radvd,routed,zebra,ospfd,ospf6d,bgpd,miniupnpd,igmpproxy,filterlog

Thanks!

Actions #6

Updated by Jim Pingle over 4 years ago

OK, I was able to reproduce the problem with the auth log; I moved it over to #10607 -- it may be what caused the problem here as well.

Actions #7

Updated by Russell Morris over 4 years ago

NP, thanks!
