Bug #10607: Remote syslog for "General Authentication Events" using wrong selectors - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.11 Plus - All Closed Issues
24.11 Plus - All Open Issues
24.11 Plus - Feedback Issues
24.11 Plus - Needs Attention/Work
24.11 Plus - New/Confirmed/In Progress Issues
24.11 Target - All Closed Issues
24.11 Target - All Open Issues
25.01 Plus - All Closed Issues
25.01 Plus - All Open Issues
25.01 Plus - Feedback Issues
25.01 Plus - Needs Attention/Work
25.01 Plus - New/Confirmed/In Progress Issues
25.01 Plus - Pull Request Review
25.01 Plus - Waiting on Merge
25.01 Target - All Closed Issues
25.01 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #10607

closed

Remote syslog for "General Authentication Events" using wrong selectors

Added by Jim Pingle over 4 years ago. Updated over 4 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Jim Pingle

Category:

Logging

Target version:

2.5.0

Start date:

05/28/2020

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

2.5.0

Affected Architecture:

All

Description

When "General Authentication Events" is selected, the remote syslog line uses "*.*" and not "auth.*;authpriv.*". This is causing unintended duplication of some log entries on the remote server, or more log entries than intended, depending on the options selected by the user.

This only affects 2.5.0 as that option is new there.

Likely also the cause of #10588

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Jim Pingle over 4 years ago

Status changed from Confirmed to Feedback
% Done changed from 0 to 100

Applied in changeset e2119c732291143e0e0eff4f2aa1be70554b6315.

Actions

Copy link

Updated by Russell Morris over 4 years ago

Thanks! Sorry, but a dumb question ... how to know when this will show up in an "official" build (to install, and confirm it's all working as expected)?

Thanks again.

Actions

Copy link

Updated by Jim Pingle over 4 years ago

It will be in the next 2.5.0 snapshot that includes it, so as soon as the build happens, likely later today.

Actions

Copy link

Updated by Russell Morris over 4 years ago

Sounds great, thanks! And appreciate all the help!

Actions

Copy link

Updated by Russell Morris over 4 years ago

Hi,

2.5.0 got updated today (or late yesterday) ... :-). So I installed, and it works - thanks! Just one minor thing (below) ... not sure if it matters or not, but just so you know about it (and also not sure how fussy / particular you are about it ... LOL).

In /var/etc/syslog.d/pfSense.conf, if I look at most "sections", they appear like this (example one here),

!ntp,ntpd,ntpdate
*.*                                                             /var/log/ntpd.log
*.*                                                             @remote-server

But, the updated "section" looks like this,

!*
auth.*;authpriv.*                                               /var/log/auth.log
auth.*;authpriv.*                                               @remote-server

Would you rather it be like this, so it matches all the others?

!auth,authpriv
*.*                                                             /var/log/auth.log
*.*                                                             @remote-server

It doesn't matter to me, just wanted to feed this back to you - so you can make the call.

Thanks again!

Actions

Copy link

Updated by Jim Pingle over 4 years ago

auth and authpriv are facilities, not process names, so that would not work. It's correct as it is. That section isn't like the others. The others want all log messages (facilities and levels) from specific processes. These want specific types of messages from all processes.

Actions

Copy link