Bug #5606

closed

syslog.conf misconfigured - many duplicate messages in system.log

Added by Willy Tenner over 8 years ago. Updated over 8 years ago.

Status: Resolved
Priority: Normal
Category: Logging
Target version:
Start date: 12/06/2015
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture: All

Description

The script /etc/inc/system.inc is generating a syslog.conf which is a little bit misconfigured. The original code of pfSense 2.2.4 contains a sequence like this in system.inc:

*.notice;kern.debug;lpr.info;mail.crit;daemon.none;             {$log_directive}{$g['varlog_path']}/system.log
news.err;local0.none;local3.none;local4.none;                   {$log_directive}{$g['varlog_path']}/system.log
local7.none                                                     {$log_directive}{$g['varlog_path']}/system.log
security.*                                                      {$log_directive}{$g['varlog_path']}/system.log
auth.info;authpriv.info;daemon.info                             {$log_directive}{$g['varlog_path']}/system.log

...

$syslogconf .= system_syslogd_get_remote_servers($syslogcfg, "*.notice;kern.debug;lpr.info;mail.crit;");
$syslogconf .= system_syslogd_get_remote_servers($syslogcfg, "news.err;local0.none;local3.none;local7.none");
$syslogconf .= system_syslogd_get_remote_servers($syslogcfg, "security.*");
$syslogconf .= system_syslogd_get_remote_servers($syslogcfg, "auth.info;authpriv.info;daemon.info");
$syslogconf .= system_syslogd_get_remote_servers($syslogcfg, "*.emerg");

With this config every event from facility "auth", "authpriv" or "daemon" with severity level "info" or higher will be logged twice to the system.log and any optionally configured syslog servers. This is also true for events from the facility "security" with severity level "notice" or higher and "news" with severity "err" or higher.

The problem is that there are five identical action fields in five different lines. When one selector (facility.level) matches, the action will be executed, but further processing of syslog.conf does not stop. It continues to the next line. If there is another match, the action will be executed too.

So the solution is to write all selectors with the same action in ONE line:

*.notice;kern.debug;lpr.info;mail.crit;news.err;local0.none;local3.none;local4.none;local7.none;security.*;auth.info;authpriv.info;daemon.info    {$log_directive}{$g['varlog_path']}/system.log

...

$syslogconf .= system_syslogd_get_remote_servers($syslogcfg, "*.emerg;*.notice;kern.debug;lpr.info;mail.crit;news.err;local0.none;local3.none;local4.none;local7.none;security.*;auth.info;authpriv.info;daemon.info");

Because the length of the facility string could now be greater than the hardcoded value of 56, I would suggest determining the length dynamically in the function "system_syslogd_get_remote_servers":

// $pad_to  = 56;
$pad_to  = strlen($facility);

I attach the appropriate patch file for system.inc. It is for the previous version of pfSense 2.2.4. I have used it for some days and it works great. No duplicate messages anymore. Please fix the bug in one of the next releases. Thank you.


Files

system.inc.patch (1.41 KB): patch file for system.inc (release 2.2.4), Willy Tenner, 12/06/2015 09:51 AM
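
An added example, not part of the original report or of pfSense's code: a simplified Python model of BSD syslog.conf selector evaluation, run over the selector strings quoted in the description, that counts how many lines deliver one message to the shared system.log action. It assumes that a later selector on a line overrides an earlier one for the same facility (as the FreeBSD syslog.conf man page describes) and ignores comparison flags and program/host blocks; all function and constant names are hypothetical.

```python
# Simplified model of BSD syslog.conf matching (added example, not pfSense code).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "security", "console"]
FACILITIES += [f"local{i}" for i in range(8)]

# Selector fields copied from the report; every line has the same action (system.log).
ORIGINAL = [
    "*.notice;kern.debug;lpr.info;mail.crit;daemon.none;",
    "news.err;local0.none;local3.none;local4.none;",
    "local7.none",
    "security.*",
    "auth.info;authpriv.info;daemon.info",
]
MERGED = [
    "*.notice;kern.debug;lpr.info;mail.crit;news.err;local0.none;local3.none;"
    "local4.none;local7.none;security.*;auth.info;authpriv.info;daemon.info",
]


def parse_line(selectors):
    """Map facility -> least severe level accepted (-1 = never) for one line."""
    mask = {}
    for sel in filter(None, selectors.split(";")):  # tolerate trailing ';'
        fac, _, lvl = sel.partition(".")
        pri = -1 if lvl == "none" else 7 if lvl == "*" else LEVELS.index(lvl)
        for name in (FACILITIES if fac == "*" else [fac]):
            mask[name] = pri  # later selectors override earlier ones
    return mask


def deliveries(config, facility, level):
    """Count the lines whose action fires: each line is evaluated independently."""
    sev = LEVELS.index(level)  # lower index = more severe
    return sum(1 for line in config if sev <= parse_line(line).get(facility, -1))


if __name__ == "__main__":
    for fac, lvl in [("auth", "notice"), ("security", "notice"),
                     ("news", "err"), ("local0", "notice")]:
        print(f"{fac}.{lvl}: original={deliveries(ORIGINAL, fac, lvl)} "
              f"merged={deliveries(MERGED, fac, lvl)}")
```

In this model the merged line also stops local0.notice reaching system.log: `local0.none` only excludes anything when it shares a line with `*.notice`, so merging changes which facilities are logged as well as removing duplicates.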