Bug #10607

Remote syslog for "General Authentication Events" using wrong selectors

Added by Jim Pingle about 1 month ago. Updated about 1 month ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Logging
Target version:
Start date: 05/28/2020
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.5.0
Affected Architecture: All

Description

When "General Authentication Events" is selected, the remote syslog line uses "*.*" and not "auth.*;authpriv.*". This is causing unintended duplication of some log entries on the remote server, or more log entries than intended, depending on the options selected by the user.

This only affects 2.5.0 as that option is new there.

Likely also the cause of #10588

Associated revisions

Revision e2119c73 (diff)
Added by Jim Pingle about 1 month ago

Correct selectors for remote auth logs. Fixes #10607

History

#1 Updated by Jim Pingle about 1 month ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

#2 Updated by Russell Morris about 1 month ago

Thanks! Sorry, but a dumb question ... how to know when this will show up in an "official" build (to install, and confirm it's all working as expected)?

Thanks again.

#3 Updated by Jim Pingle about 1 month ago

It will be in the next 2.5.0 snapshot that includes it, so as soon as the build happens, likely later today.

#4 Updated by Russell Morris about 1 month ago

Sounds great, thanks! And appreciate all the help!

#5 Updated by Russell Morris about 1 month ago

Hi,

2.5.0 got updated today (or late yesterday) ... :-). So I installed, and it works - thanks! Just one minor thing (below) ... not sure if it matters or not, but just so you know about it (and also not sure how fussy / particular you are about it ... LOL).

In /var/etc/syslog.d/pfSense.conf, if I look at most "sections", they appear like this (example one here),

!ntp,ntpd,ntpdate
*.*                                                             /var/log/ntpd.log
*.*                                                             @remote-server

But, the updated "section" looks like this,

!*
auth.*;authpriv.*                                               /var/log/auth.log
auth.*;authpriv.*                                               @remote-server

Would you rather it be like this, so it matches all the others?

!auth,authpriv
*.*                                                             /var/log/auth.log
*.*                                                             @remote-server

It doesn't matter to me, just wanted to feed this back to you - so you can make the call.

Thanks again!

#6 Updated by Jim Pingle about 1 month ago

auth and authpriv are facilities, not process names, so that would not work. It's correct as it is. That section isn't like the others. The others want all log messages (facilities and levels) from specific processes. These want specific types of messages from all processes.
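
Added illustration of the distinction made in comment #6 (not part of the original thread and not pfSense code): a simplified Python model of syslog.conf matching, run over constructed messages. It assumes only "!program" blocks and "facility.level" selectors where a named level means that severity or higher; the three configs and the sample messages are constructed, with "@remote-server" reused from the thread as a placeholder.

```python
# Simplified model of syslog.conf matching (an assumption-laden sketch):
# "!prog" blocks filter by program name, "facility.level" selectors filter
# by facility and severity. Exclusions such as "mail.none" are not modelled.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse(conf):
    """Return a list of (programs, selectors, action); programs None means all."""
    rules, programs = [], None
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            spec = line[1:].strip()
            programs = None if spec == "*" else set(spec.split(","))
            continue
        selectors, action = line.split(None, 1)
        rules.append((programs, selectors.split(";"), action))
    return rules

def selector_matches(selector, facility, level):
    facs, _, lvl = selector.partition(".")
    if facs != "*" and facility not in facs.split(","):
        return False
    # "*" is every level; a named level means that severity or more severe.
    return lvl == "*" or LEVELS.index(level) <= LEVELS.index(lvl)

def actions_for(conf, program, facility, level):
    """Actions a message from `program` with facility.level is delivered to."""
    return [action for programs, selectors, action in parse(conf)
            if (programs is None or program in programs)
            and any(selector_matches(s, facility, level) for s in selectors)]

# Constructed configs mirroring the three forms discussed in this issue.
BUGGY = "!*\n*.*  @remote-server\n"                    # selector from the bug
FIXED = "!*\nauth.*;authpriv.*  @remote-server\n"      # selector after the fix
BY_PROGRAM = "!auth,authpriv\n*.*  @remote-server\n"   # form proposed in #5

# Constructed sample messages: (program, facility, level)
SAMPLES = [("sshd", "auth", "info"), ("sudo", "authpriv", "notice"),
           ("ntpd", "daemon", "info")]

def forwarded(conf):
    """Sample messages that the given config would send to the remote server."""
    return [m for m in SAMPLES if "@remote-server" in actions_for(conf, *m)]

if __name__ == "__main__":
    for name, conf in [("buggy", BUGGY), ("fixed", FIXED), ("by-program", BY_PROGRAM)]:
        print(name, forwarded(conf))
```

In this model the "*.*" form forwards the ntpd message as well, the corrected form forwards only the auth and authpriv messages, and the "!auth,authpriv" form forwards nothing because no program has those names.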

#7 Updated by Russell Morris about 1 month ago

Makes complete sense, thanks for clarifying. And appreciate all the help!

#8 Updated by Jim Pingle about 1 month ago

  • Status changed from Feedback to Resolved
