Bug #2626: Patch included: syslog.conf allows duplicate logging of daemon.info messages (e.g. from snort or dnsmasq)
Status: closed (100% done)
Description
Took me a while to hunt this down, and it's the same issue as reported in:
http://forum.pfsense.org/index.php?topic=46483.0
and
http://forum.pfsense.org/index.php/topic,30889.0.html
and
http://forum.pfsense.org/index.php/topic,18636.0.html
To find the problem, first I edited /etc/inc/system.inc to add the -vv option when starting syslogd:
@ -584,9 +584,9
@
// Are we logging to a least one remote server ?
if(strpos($syslogconf, "@") != false)
- $retval = mwexec_bg("/usr/sbin/syslogd c -c -l /var/dhcpd/var/run/log -f {$g['varetc_path']}/syslog.conf");
+ $retval = mwexec_bg("/usr/sbin/syslogd -c -c -l /var/dhcpd/var/run/log -f {$g['varetc_path']}/syslog.conf -vv");
else {
$retval = mwexec_bg("/usr/sbin/syslogd -c -c -l /var/dhcpd/var/run/log -f {$g['varetc_path']}/syslog.conf");
+ $retval = mwexec_bg("/usr/sbin/syslogd -c -c -l /var/dhcpd/var/run/log -f {$g['varetc_path']}/syslog.conf -vv");
}
} else {
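Review bot: in the `else` branch the original `mwexec_bg("/usr/sbin/syslogd -c -c ... syslog.conf")` line is kept as unchanged context while the `+` line adds a second call with `-vv`, so as pasted this branch would start syslogd twice; if the leading `-` was lost when pasting, please re-post the hunk, otherwise drop the first call. The `-` line's `syslogd c -c` also looks like a pasting error for `-c -c`. Either way, `-vv` is a debugging aid used to reproduce the report, not a change to merge.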
Then restart syslogd by clicking 'apply' in the syslog settings page to make it pick up the new config. Now syslogd includes the facility and level with each message:
Sep 7 02:18:25 <daemon.notice> floe snort54230: Found pid path directive (/var/run)
Sep 7 02:18:25 <daemon.notice> floe snort54230: Found pid path directive (/var/run)
Sep 7 02:18:25 <daemon.notice> floe snort54230: Running in IDS mode
Sep 7 02:18:25 <daemon.notice> floe snort54230: Running in IDS mode
It seems the duplicate messages are daemon.notice. Examining /var/etc/syslog.conf for an explanation, it appears as though two distinct logging predicates will match daemon.notice, and both dump to system.log:
*.notice;kern.debug;lpr.info;mail.crit
and
auth.info;authpriv.info;daemon.info
It looks like syslog.conf is generated by /etc/inc/system.inc, so that's where I tested a fix. The following patch fixes the double-logging problem for daemon.info messages by moving the daemon.info predicate for the system.log destination into the *.notice line.
[2.0.1-RELEASE][admin@floe.4952]/etc/inc(278): diff u system.inc.bk system.inc system.inc.bk 2012-09-07 02:47:17.000000000
--0700.notice;kern.debug;lpr.info;mail.crit; {$log_directive}{$g['varlog_path']}/system.log
++ system.inc 2012-09-07 03:00:04.000000000 -0700@ -539,11 +539,11
@
local3.* {$log_directive}{$g['varlog_path']}/vpn.log
local4.* {$log_directive}{$g['varlog_path']}/portalauth.log
local7.* {$log_directive}{$g['varlog_path']}/dhcpd.log
.notice;kern.debug;lpr.info;mail.crit;daemon.info {$log_directive}{$g['varlog_path']}/system.log
news.err;local0.none;local3.none;local4.none; {$log_directive}{$g['varlog_path']}/system.log
local7.none {$log_directive}{$g['varlog_path']}/system.log
security.* {$log_directive}{$g['varlog_path']}/system.log
-auth.info;authpriv.info;daemon.info {$log_directive}{$g['varlog_path']}/system.log
+auth.info;authpriv.info {$log_directive}{$g['varlog_path']}/system.log
auth.info;authpriv.info |exec /usr/local/sbin/sshlockout_pf 15
*.emerg *
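Review bot: this diff cannot be applied as pasted: the `---`/`+++` file headers have been run together with the `diff -u` command line and with the removed `*.notice;kern.debug;lpr.info;mail.crit;` line, and the added `*.notice;...;daemon.info` line has lost its leading `+`; please attach the `diff -u` output as a file. The change itself reads correctly: `daemon.info` is matched once by the widened `*.notice;kern.debug;lpr.info;mail.crit;daemon.info` selector and is dropped from the `auth.info;authpriv.info` line for system.log, while the `|exec /usr/local/sbin/sshlockout_pf 15` line keeps its own `auth.info;authpriv.info` selector, so lockout behaviour is unchanged.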
Note that this may not apply for all possible configurations (e.g. I'm not using any remote syslog servers), but works for me.
Cheers,
-dre
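As an added check (example code, not from this report or from pfSense), the script below applies the syslogd selector rules to a cut-down copy of the two configurations discussed above and lists every facility/priority that is written to the same destination more than once, which is the double logging the report describes; it assumes plain `facility.level` selectors and uses a constructed `/var/log` prefix in place of `{$log_directive}{$g['varlog_path']}`.

```python
from collections import Counter
# Added example, not code from the bug report or from pfSense. BEFORE/AFTER are
# cut-down copies of the report's syslog.conf, with pfSense's {$log_directive}
# {$g['varlog_path']} replaced by a constructed /var/log prefix; the .=, .! and
# .>= comparators are not handled.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "security"] + [f"local{i}" for i in range(8)]

BEFORE = """\
local7.*                                 /var/log/dhcpd.log
*.notice;kern.debug;lpr.info;mail.crit;  /var/log/system.log
auth.info;authpriv.info;daemon.info      /var/log/system.log
auth.info;authpriv.info                  |exec /usr/local/sbin/sshlockout_pf 15
*.emerg                                  *
"""
AFTER = """\
local7.*                                            /var/log/dhcpd.log
*.notice;kern.debug;lpr.info;mail.crit;daemon.info  /var/log/system.log
auth.info;authpriv.info                             /var/log/system.log
auth.info;authpriv.info                             |exec /usr/local/sbin/sshlockout_pf 15
*.emerg                                             *
"""

def line_matches(selectors, facility, level):
    """True if a facility.level message hits this line; later selectors override
    earlier ones for the same facility (so '*.notice;local0.none' drops local0)."""
    limit = {}  # facility -> least severe level index still accepted; None = excluded
    for sel in filter(None, selectors.split(";")):
        fac, _, lvl = sel.partition(".")
        for f in (FACILITIES if fac == "*" else [fac]):
            limit[f] = None if lvl == "none" else (len(LEVELS) - 1 if lvl == "*" else LEVELS.index(lvl))
    accepted = limit.get(facility)
    return accepted is not None and LEVELS.index(level) <= accepted

def parse(conf):
    """(selectors, action) for each non-blank, non-comment line."""
    return [tuple(line.split(None, 1)) for line in conf.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def destinations(conf, facility, level):
    """Every action a facility.level message is written to, repeats included."""
    return [act for sel, act in parse(conf) if line_matches(sel, facility, level)]

def duplicate_routes(conf):
    """Sorted (facility, level, action) triples written more than once, i.e. logged twice."""
    hits = Counter((f, l, a) for f in FACILITIES for l in LEVELS
                   for a in destinations(conf, f, l))
    return sorted(key for key, n in hits.items() if n > 1)
```

On this sample, `duplicate_routes(BEFORE)` reports daemon at notice and above as double-routed to system.log and `duplicate_routes(AFTER)` no longer does, while daemon.info still reaches system.log once; the same check also flags auth and authpriv at notice and above in both variants, an overlap with the `*.notice` line that the posted patch leaves as it is.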