Bug #2626

closed

Patch included: syslog.conf allows duplicate logging of daemon.info messages (e.g. from snort or dnsmasq)

Added by Andre LaBranche about 12 years ago. Updated over 11 years ago.

Status: Resolved
Priority: Normal
Category: Logging
Target version:
Start date: 09/07/2012
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.0.1
Affected Architecture:

Description

Took me a while to hunt this down, and it's the same issue as reported in:

http://forum.pfsense.org/index.php?topic=46483.0
and
http://forum.pfsense.org/index.php/topic,30889.0.html
and
http://forum.pfsense.org/index.php/topic,18636.0.html

To find the problem, first I edited /etc/inc/system.inc to add the -vv option when starting syslogd:

@ -584,9 +584,9 @

// Are we logging to a least one remote server ?
if(strpos($syslogconf, "@") != false)
- $retval = mwexec_bg("/usr/sbin/syslogd c -c -l /var/dhcpd/var/run/log -f {$g['varetc_path']}/syslog.conf");
+ $retval = mwexec_bg("/usr/sbin/syslogd -c -c -l /var/dhcpd/var/run/log -f {$g['varetc_path']}/syslog.conf -vv");
else {
$retval = mwexec_bg("/usr/sbin/syslogd -c -c -l /var/dhcpd/var/run/log -f {$g['varetc_path']}/syslog.conf");
+ $retval = mwexec_bg("/usr/sbin/syslogd -c -c -l /var/dhcpd/var/run/log -f {$g['varetc_path']}/syslog.conf -vv");
}
} else {
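Review bot: in the else branch the original `mwexec_bg("/usr/sbin/syslogd -c -c ... syslog.conf")` call has no `-` marker while its `-vv` replacement is marked `+`, so applied as pasted this branch would launch syslogd twice, once without and once with `-vv`; the header's `-584,9 +584,9` counts say one line is replaced per branch, as in the first branch, so the old call should be marked removed. Since this hunk only adds `-vv` for diagnosis, it is a debugging aid rather than part of the proposed fix.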

Then restart syslogd by clicking 'apply' in the syslog settings page to make it pick up the new config. Now syslogd includes the facility and level with each message:

Sep 7 02:18:25 <daemon.notice> floe snort54230: Found pid path directive (/var/run)
Sep 7 02:18:25 <daemon.notice> floe snort54230: Found pid path directive (/var/run)
Sep 7 02:18:25 <daemon.notice> floe snort54230: Running in IDS mode
Sep 7 02:18:25 <daemon.notice> floe snort54230: Running in IDS mode

It seems the duplicate messages are daemon.notice. Examining /var/etc/syslog.conf for an explanation, it appears as though two distinct logging predicates will match daemon.notice, and both dump to system.log:

*.notice;kern.debug;lpr.info;mail.crit
and
auth.info;authpriv.info;daemon.info

It looks like syslog.conf is generated by /etc/inc/system.inc, so that's where I tested a fix. The following patch fixes the double-logging problem for daemon.info messages by moving the daemon.info predicate for the system.log destination into the *.notice line.

[2.0.1-RELEASE][]/etc/inc(278): diff u system.inc.bk system.inc
--
system.inc.bk 2012-09-07 02:47:17.000000000 0700
++ system.inc 2012-09-07 03:00:04.000000000 -0700
@ -539,11 +539,11 @
local3.* {$log_directive}{$g['varlog_path']}/vpn.log
local4.* {$log_directive}{$g['varlog_path']}/portalauth.log
local7.* {$log_directive}{$g['varlog_path']}/dhcpd.log
.notice;kern.debug;lpr.info;mail.crit; {$log_directive}{$g['varlog_path']}/system.log
.notice;kern.debug;lpr.info;mail.crit;daemon.info {$log_directive}{$g['varlog_path']}/system.log
news.err;local0.none;local3.none;local4.none; {$log_directive}{$g['varlog_path']}/system.log
local7.none {$log_directive}{$g['varlog_path']}/system.log
security.* {$log_directive}{$g['varlog_path']}/system.log
-auth.info;authpriv.info;daemon.info {$log_directive}{$g['varlog_path']}/system.log
+auth.info;authpriv.info {$log_directive}{$g['varlog_path']}/system.log
auth.info;authpriv.info |exec /usr/local/sbin/sshlockout_pf 15
*.emerg *
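Review bot: the same overlap that produced the daemon.notice duplicates still exists for auth and authpriv after this change: a message at auth.notice or above matches both the `*.notice;...` selector and the retained `auth.info;authpriv.info` selector, and both write to system.log, so it is logged twice. Folding auth.info and authpriv.info into the `*.notice` line the same way daemon.info was moved would close that case as well; the separate `auth.info;authpriv.info |exec /usr/local/sbin/sshlockout_pf 15` line is a different destination and can stay. Separately, the two `.notice;kern.debug;...` lines have lost their leading `*` and their `-`/`+` markers in this paste, so patch(1) cannot apply the hunk as shown; attaching the diff as a file would avoid that.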

Note that this may not apply for all possible configurations (e.g. I'm not using any remote syslog servers), but works for me.

Cheers,
-dre
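An added example, not code from the report or from pfSense, that simulates BSD syslogd selector matching (later entries in a selector override earlier ones for the same facility, `.none` excludes a facility) and counts how many system.log rules a message hits before and after the patch. The selector strings are reconstructed from the hunk above on the assumption that the PHP fragments are concatenated into one syslog.conf line.

```python
"""Count how many syslog.conf rules write a given message to a destination."""

# Severity levels in ascending order, as used by BSD syslogd.
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]


def parse_selector(selector):
    """Map facility -> minimum level index (None = excluded via .none).
    Later entries override earlier ones for the same facility."""
    rules = {}
    for part in selector.split(";"):
        part = part.strip()
        if not part:
            continue
        facility, level = part.split(".")
        if level == "none":
            rules[facility] = None
        elif level == "*":
            rules[facility] = 0
        else:
            rules[facility] = LEVELS.index(level)
    return rules


def matches(rules, facility, level):
    """True if a message with this facility.level satisfies the selector."""
    threshold = rules.get(facility, rules.get("*"))
    if threshold is None:
        return False
    return LEVELS.index(level) >= threshold


def writes_to(config, destination, facility, level):
    """Number of config lines that would write the message to destination."""
    return sum(1 for selector, dest in config
               if dest == destination and matches(parse_selector(selector), facility, level))


# Constructed from the hunk: the system.log rules before and after the patch.
COMMON = "news.err;local0.none;local3.none;local4.none;local7.none"
BEFORE = [
    ("*.notice;kern.debug;lpr.info;mail.crit;" + COMMON, "system.log"),
    ("security.*", "system.log"),
    ("auth.info;authpriv.info;daemon.info", "system.log"),
]
AFTER = [
    ("*.notice;kern.debug;lpr.info;mail.crit;daemon.info;" + COMMON, "system.log"),
    ("security.*", "system.log"),
    ("auth.info;authpriv.info", "system.log"),
]
```

Running `writes_to(BEFORE, "system.log", "daemon", "notice")` gives 2 and the same call against `AFTER` gives 1, while `auth`/`notice` still gives 2 in both configurations.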
