Netgate Discussion Forum
    pfBlockerNG crontab-based restart causes SyslogNG restart: SyslogNG sends the same entire log file each time to my SIEM

    General pfSense Questions
    13 Posts, 2 Posters, 1.1k Views
      stephenw10 (Netgate Administrator)

      You are using syslog-ng locally on pfSense to export to your external syslog server?

      It's the syslog-ng service that's restarting?

        mauro.tridici @stephenw10

        Hello @stephenw10 ,

        yes I'm using syslog-ng locally on pfSense to export logs to the SIEM.
        I don't know why, but it seems that when pfBlockerNG restarts automatically at 00:00 also syslog-ng is restarted.

        And this is the cause of the duplicate log sending.
        Is there a way to fix this behavior?

        Thank you,
        Mauro

          stephenw10 (Netgate Administrator)

          Why are you using syslog-ng rather than exporting directly?

          What is shown in the logs when pfBlocker updates and syslog-ng restarts?

            mauro.tridici @stephenw10

            I don't know how to export logs from pfblockerng "directly" without using syslog-ng.
            I followed the instructions contained in this conversation:

            https://forum.netgate.com/topic/180605/how-to-send-pfblockerng-logs-to-remote-log-server-wazuh-siem

            This is what I see in the pfBlockerng logs during the update:

            CRON PROCESS START [ v3.2.0_4 ] [ 07/5/23 00:00:00 ]
            [ compromised_v4 ]
            Remote timestamp: Tue, 4 Jul 2023 21:13:10 GMT
            Local timestamp: Mon, 3 Jul 2023 18:46:18 GMT Update found
            UPDATE PROCESS START [ v3.2.0_4 ] [ 07/5/23 00:00:04 ]

            ===[ DNSBL Process ]================================================

            ===[ GeoIP Process ]============================================

            [ pfB_Top_v4 ] exists. [ 07/5/23 00:00:05 ]

            ===[ IPv4 Process ]=================================================

            [ ip_cred_theft_custom_v4 ] exists.
            [ compromised_v4 ] Downloading update .. 200 OK. completed ..

            Aggregation Stats:

            Original  Final
            403       402

            ===[ Aliastables / Rules ]==========================================

            No changes to Firewall rules, skipping Filter Reload

            Updating: pfB_compromised_v4
            18 addresses added.19 addresses deleted.

            UPDATE PROCESS ENDED [ 07/5/23 00:00:09 ]

            And this is the SYSLOG-NG log file content:

            Jul 5 00:00:00 pfSense_LAN syslog-ng[22079]: Configuration reload finished;
            Jul 5 00:00:00 pfSense_LAN syslog-ng[22079]: Configuration reload request received, reloading configuration;
            Jul 5 00:00:14 pfSense_LAN syslog-ng[22079]: The current log file has a mismatching size/inode information, restarting from the beginning; state='affile_sd_curpos(/var/log/pfblockerng/ip_block.log)', stored_inode='944', cur_file_inode='1286', stored_size='3361864', cur_file_size='3202961', raw_stream_pos='3361716'

              stephenw10 (Netgate Administrator)

              Ah for the pfBlocker logs, I see.

              If syslog-ng is watching the pfBlocker log file and that is rotated then I would expect that. It appears syslog-ng is seeing the file has changed and restarts and then presumably resends everything from that file?

                mauro.tridici @stephenw10

                Yes, that's exactly what happens.
                To avoid this behaviour, I should disable pfBlockerNG daily update (and restart), but I think it is not good practice.

                Do you think there is a workaround to solve this issue?

                  stephenw10 (Netgate Administrator)

                  I'm not aware of anything to workaround that.

                  Are you running 2.6? Have you tested this in 2.7?

                    mauro.tridici @stephenw10

                    Yes, Steve. I'm running pfSense v.2.6
                    I can try to test the 2.7.
                    I will take a look at 2.7 changelog file as well.

                      mauro.tridici @mauro.tridici

                      Hello @stephenw10 ,

                      this is to inform you that I solved the issue by adding these lines to the "cron" case statement in the "/usr/local/www/pfblockerng/pfblockerng.php" file:

                      exec("cat /dev/null > /var/log/pfblockerng/ip_block.log");
                      exec("cat /dev/null > /var/log/pfblockerng/unified.log");

                      I hope there is no side effect :)

                      Have a great day,
                      Mauro

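The mechanism stephenw10 describes (syslog-ng sees a changed file and resends it from the beginning) and the truncate-before-update workaround posted above can both be reproduced without touching pfSense. The script below is an added example, not code from the thread, pfBlockerNG or syslog-ng: it is a toy file follower that persists (inode, size, offset) state and applies a simplified version of the check behind the quoted "mismatching size/inode information, restarting from the beginning" message. The file names are stand-ins under a temp directory, and the log lines are constructed. Scenario A is the rotated-file case from the thread, scenario B is the in-place truncation workaround, and scenario C goes beyond the thread to show the limit of size-based truncation detection.

```shell
#!/bin/sh
# Added example, not code from the thread, pfBlockerNG or syslog-ng.
# A toy file follower that persists (inode, size, offset) state, modelled on
# the syslog-ng message quoted above ("mismatching size/inode information,
# restarting from the beginning"). The check is a simplification of what
# syslog-ng does; the paths are stand-ins under a temp directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOG="$WORK/ip_block.log"      # stands in for /var/log/pfblockerng/ip_block.log
STATE="$WORK/follow.state"    # stands in for syslog-ng's persisted position

inode_of() { ls -i "$1" | awk '{print $1}'; }
size_of()  { wc -c < "$1" | tr -d ' '; }

# One polling pass of the follower: forward every line after the stored
# offset and print how many lines were forwarded. State line: inode size offset
follow_once() {
    cur_inode=$(inode_of "$LOG"); cur_size=$(size_of "$LOG")
    if [ -f "$STATE" ]; then
        read -r st_inode st_size st_off < "$STATE"
    else
        st_inode=$cur_inode; st_size=0; st_off=0
    fi
    # Different inode, or a file shorter than last time: treat it as a new
    # file and start over at byte 0. This is what resends a rotated file.
    if [ "$st_inode" != "$cur_inode" ] || [ "$st_size" -gt "$cur_size" ]; then
        st_off=0
    fi
    tail -c +$((st_off + 1)) "$LOG" | wc -l | tr -d ' '
    printf '%s %s %s\n' "$cur_inode" "$cur_size" "$cur_size" > "$STATE"
}

reset_log() { rm -f "$LOG" "$STATE"; : > "$LOG"; }
# append_lines COUNT PREFIX: write COUNT constructed 11-byte log lines
append_lines() {
    i=1
    while [ "$i" -le "$1" ]; do echo "$2 line $i" >> "$LOG"; i=$((i + 1)); done
}

# A: the log is replaced by a file with a new inode (the thread's case:
# stored_inode='944', cur_file_inode='1286'). The 5 already-sent lines go again.
scenario_rotate() {
    reset_log
    append_lines 5 old; first=$(follow_once)
    cp "$LOG" "$LOG.new" && mv "$LOG.new" "$LOG"   # same bytes, new inode
    append_lines 2 new; second=$(follow_once)
    echo "$first $second"                          # 5 7
}

# B: the workaround posted above: truncate in place before new entries arrive.
# Same inode, size drops, so the follower restarts at byte 0 of a file that
# now holds only the new lines: nothing is duplicated.
scenario_truncate() {
    reset_log
    append_lines 5 old; first=$(follow_once)
    : > "$LOG"
    append_lines 2 new; second=$(follow_once)
    echo "$first $second"                          # 5 2
}

# C: the limit of size-based truncation detection: if the truncated file grows
# past its old size before the next poll, the shrink is never seen, the
# follower resumes at the old offset and silently skips the first 5 new lines.
scenario_overgrow() {
    reset_log
    append_lines 5 old; first=$(follow_once)
    : > "$LOG"
    append_lines 6 new; second=$(follow_once)
    echo "$first $second"                          # 5 1
}

echo "rotate:   $(scenario_rotate)   (lines sent on pass 1 / pass 2)"
echo "truncate: $(scenario_truncate)"
echo "overgrow: $(scenario_overgrow)"
```

The `cat /dev/null > file` in the posted workaround is scenario B: the inode survives, so the follower's restart lands on an empty file instead of a full copy. Two caveats follow from the model. Anything syslog-ng has not yet forwarded at the moment of truncation is gone, and, as scenario C shows for this kind of size check, a truncated file that refills past its previous size before the next poll can make the follower skip the new leading entries rather than resend them. Whether real syslog-ng is exposed to the second case depends on its polling interval relative to how fast pfBlockerNG writes after the cron run; checking the syslog-ng log for the "restarting from the beginning" message after the next 00:00 update is the quickest way to confirm the workaround behaves as intended on a given box.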
                        stephenw10 (Netgate Administrator)

                        Cool, if that works for you I wouldn't expect any issues. Since you're exporting all the logs you don't need them locally.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.