Project

General

Profile

Bug #10776

filterlog: Loopback source/destination sometimes reports 127.0.0.1 as 127.0.01

Added by Bertram Truong 2 months ago. Updated 2 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
Category:
Logging
Target version:
Start date:
07/19/2020
Due date:
% Done:

0%

Estimated time:
Affected Version:
Affected Architecture:

Description

I'm setting up remote logging of the pfSense filterlog to my ES server, and seems that some of the logs are failing to be parsed because the source IP is showing as `127.0.01` (not a typo) sometimes.

For example, I might have a log that looks like this:

<134>Jul 18 06:46:13 filterlog: 70,,,1000002661,lo0,match,pass,in,4,0x0,,64,54355,0,none,17,udp,68,127.0.0.1,127.0.0.1,7698,53,488

The log above is parsed correctly, as it's a valid source IP and destination IP. However, subsequently, right after that I might get a log that looks like this:

<134>Jul 18 06:46:13 filterlog: 74,,,1000002665,lo0,match,pass,out,4,0x0,,64,52645,0,none,17,udp,68,127.0.01,127.0.0.1,3222,53,488

My parser will fail on the above log as the source IP is being written as 127.0.01. I've cross checked this with FreeBSD and seems like 127.0.01 is aliased to 127.0.0.1, but I can't seem to work out where that specific source IP is coming from.

History

#1 Updated by Jim Pingle 2 months ago

  • Category set to Logging
  • Status changed from New to Feedback
  • Assignee set to Luiz Souza
  • Target version set to 2.5.0

Bertram,

Can you check and confirm that the form of the address you see in the log is not present on your interface (ifconfig lo0) or anywhere in your config.xml?

Given that nobody else has reported it, it seems like it could be isolated to your environment, but not many people are logging traffic to/from localhost in that way either.

Also available in: Atom PDF