Remote syslog for "General Authentication Events" using wrong selectors
When "General Authentication Events" is selected, the remote syslog line uses "*.*" and not "auth.*;authpriv.*". This is causing unintended duplication of some log entries on the remote server, or more log entries than intended, depending on the options selected by the user.
This only affects 2.5.0 as that option is new there.
Likely also the cause of #10588
#5 Updated by Russell Morris 5 months ago
2.5.0 got updated today (or late yesterday) ... :-). So I installed, and it works - thanks! Just one minor thing (below) ... not sure if it matters or not, but just so you know about it (and also not sure how fussy / particular you are about it ... LOL).
In /var/etc/syslog.d/pfSense.conf, if I look at most "sections", they appear like this (example one here),
!ntp,ntpd,ntpdate *.* /var/log/ntpd.log *.* @remote-server
But, the updated "section" looks like this,
!* auth.*;authpriv.* /var/log/auth.log auth.*;authpriv.* @remote-server
Would you rather it be like this, so it matches all the others?
!auth,authpriv *.* /var/log/auth.log *.* @remote-server
It doesn't matter to me, just wanted to feed this back to you - so you can make the call.
#6 Updated by Jim Pingle 5 months ago
auth and authpriv are facilities, not process names, so that would not work. It's correct as it is. That section isn't like the others. The others want all log messages (facilities and levels) from specific processes. These want specific types of messages from all processes.