Bug #5606 (closed)
syslog.conf misconfigured - many duplicate messages in system.log
Description
The script /etc/inc/system.inc is generating a syslog.conf which is a little bit misconfigured. The original code of pfSense 2.2.4 contains a sequence like this in system.inc:
*.notice;kern.debug;lpr.info;mail.crit;daemon.none; {$log_directive}{$g['varlog_path']}/system.log
news.err;local0.none;local3.none;local4.none; {$log_directive}{$g['varlog_path']}/system.log
local7.none {$log_directive}{$g['varlog_path']}/system.log
security.* {$log_directive}{$g['varlog_path']}/system.log
auth.info;authpriv.info;daemon.info {$log_directive}{$g['varlog_path']}/system.log
...
$syslogconf .= system_syslogd_get_remote_servers($syslogcfg, "*.notice;kern.debug;lpr.info;mail.crit;");
$syslogconf .= system_syslogd_get_remote_servers($syslogcfg, "news.err;local0.none;local3.none;local7.none");
$syslogconf .= system_syslogd_get_remote_servers($syslogcfg, "security.*");
$syslogconf .= system_syslogd_get_remote_servers($syslogcfg, "auth.info;authpriv.info;daemon.info");
$syslogconf .= system_syslogd_get_remote_servers($syslogcfg, "*.emerg");
With this config, every event from facility "auth", "authpriv" or "daemon" with severity level "info" or higher will be logged twice to the system.log and any optionally configured syslog servers. This is also true for events from the facility "security" with severity level "notice" or higher and "news" with severity "err" or higher.
The problem is that there are five identical action fields in five different lines. When one selector (facility.level) matches, the action will be executed, but further processing of syslog.conf does not stop. It continues to the next line. If there is another match, the action will be executed too.
So the solution is to write all selectors with the same action in ONE line:
*.notice;kern.debug;lpr.info;mail.crit;news.err;local0.none;local3.none;local4.none;local7.none;security.*;auth.info;authpriv.info;daemon.info {$log_directive}{$g['varlog_path']}/system.log
...
$syslogconf .= system_syslogd_get_remote_servers($syslogcfg, "*.emerg;*.notice;kern.debug;lpr.info;mail.crit;news.err;local0.none;local3.none;local4.none;local7.none;security.*;auth.info;authpriv.info;daemon.info");
Because the length of the facility string could now be greater than the hardcoded value of 56, I would suggest determining the length dynamically in the function "system_syslogd_get_remote_servers":
// $pad_to = 56;
$pad_to = strlen($facility);
I attach the appropriate patch file for system.inc. It is for the previous version of pfSense 2.2.4. I have been using it for some days and it works great. No duplicate messages anymore. Please fix the bug in one of the next releases. Thank you.
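The line-by-line matching described in the report can be reproduced with a small model; this is an added example, not part of the original report or of pfSense's code. It assumes the usual syslog.conf semantics (a level means "that level and higher", later selectors on a line override earlier ones, `none` excludes a facility), uses `/var/log/system.log` as a constructed stand-in for the templated action, and the function names are hypothetical.

```python
# Simplified model of syslog.conf line matching (added example, not pfSense code).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Subset of facilities, enough for the selectors quoted in the report.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "lpr", "news", "security",
              "authpriv", "local0", "local3", "local4", "local7"]
LOG = "/var/log/system.log"  # constructed stand-in for the templated path

SPLIT = f"""
*.notice;kern.debug;lpr.info;mail.crit;daemon.none; {LOG}
news.err;local0.none;local3.none;local4.none; {LOG}
local7.none {LOG}
security.* {LOG}
auth.info;authpriv.info;daemon.info {LOG}
"""
MERGED = ("*.notice;kern.debug;lpr.info;mail.crit;news.err;local0.none;local3.none;"
          "local4.none;local7.none;security.*;auth.info;authpriv.info;daemon.info " + LOG)

def parse_line(line):
    """Return (per-facility severity limit, action) for one config line."""
    selectors, action = line.split()
    limits = {}
    for sel in filter(None, selectors.split(";")):  # tolerate a trailing ';'
        facility, level = sel.split(".")
        if level == "none":
            limit = None                      # facility excluded on this line
        elif level == "*":
            limit = len(SEVERITIES) - 1       # every severity
        else:
            limit = SEVERITIES.index(level)   # this level and anything more severe
        for fac in (FACILITIES if facility == "*" else [facility]):
            limits[fac] = limit               # later selectors override earlier ones
    return limits, action

def deliveries(conf, facility, severity):
    """Count how many times one message is written to each action."""
    counts = {}
    sev = SEVERITIES.index(severity)
    for line in conf.strip().splitlines():    # every line is evaluated, no early stop
        limits, action = parse_line(line)
        limit = limits.get(facility)
        if limit is not None and sev <= limit:
            counts[action] = counts.get(action, 0) + 1
    return counts

if __name__ == "__main__":
    for fac, sev in [("auth", "notice"), ("security", "notice"),
                     ("news", "err"), ("kern", "debug")]:
        print(f"{fac}.{sev}: split={deliveries(SPLIT, fac, sev)} "
              f"merged={deliveries(MERGED, fac, sev)}")
```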