pfBlockerNG crontab-based restart causes SyslogNG restart: SyslogNG sends the same entire log file each time to my SIEM

stephenw10

You are using syslog-ng locally on pfSense to export to your external syslog server?

It's the sysog-ng service that's restarting?

mauro.tridici

Hello @stephenw10 ,

yes I'm using syslog-ng locally on pfSense to export logs to the SIEM.
I don't know why, but it seems that when pfBlockerNG restarts automatically at 00:00 also syslog-ng is restarted.

And this is the cause of duplicate logs sending.
Is there a way to fix this behavior?

Thank you,
Mauro

stephenw10

Why are you using syslog-ng rather than exporting directly?

What shown in the logs when pfBlocker updates and syslog-ng restarts?

mauro.tridici

I don't know how to export logs from pfblockerng "directly" without using syslog-ng.
I followed the instructions contained in this conversation:

https://forum.netgate.com/topic/180605/how-to-send-pfblockerng-logs-to-remote-log-server-wazuh-siem

This is what I see in the pfBlockerng logs during the update:

CRON PROCESS START [ v3.2.0_4 ] [ 07/5/23 00:00:00 ]
[ compromised_v4 ]
Remote timestamp: Tue, 4 Jul 2023 21:13:10 GMT
Local timestamp: Mon, 3 Jul 2023 18:46:18 GMT Update found
UPDATE PROCESS START [ v3.2.0_4 ] [ 07/5/23 00:00:04 ]

===[ DNSBL Process ]================================================

===[ GeoIP Process ]============================================

[ pfB_Top_v4 ] exists. [ 07/5/23 00:00:05 ]

===[ IPv4 Process ]=================================================

[ ip_cred_theft_custom_v4 ] exists.
[ compromised_v4 ] Downloading update .. 200 OK. completed ..

Aggregation Stats:

Original Final

403 402

===[ Aliastables / Rules ]==========================================

No changes to Firewall rules, skipping Filter Reload

Updating: pfB_compromised_v4
18 addresses added.19 addresses deleted.

UPDATE PROCESS ENDED [ 07/5/23 00:00:09 ]

And this is the SYSLOG-NG log file content:

Jul 5 00:00:00 pfSense_LAN syslog-ng[22079]: Configuration reload finished;
Jul 5 00:00:00 pfSense_LAN syslog-ng[22079]: Configuration reload request received, reloading configuration;
Jul 5 00:00:14 pfSense_LAN syslog-ng[22079]: The current log file has a mismatching size/inode information, restarting from the beginning; state='affile_sd_curpos(/var/log/pfblockerng/ip_block.log)', stored_inode='944', cur_file_inode='1286', stored_size='3361864', cur_file_size='3202961', raw_stream_pos='3361716'

stephenw10

Ah for the pfBlocker logs, I see.

If syslog-ng is watching the pfBlocker log file and that is rotated then I would expect that. It appears syslog-ng is seeing the file has changed and restarts and then presumably resends everything from that file?

mauro.tridici

Yes, that's exactly what happens.
To avoid this behaviour, I should disable pfBlockerNG daily update (and restart), but I think it is not good practice.

Do you think there is a workaround to solve this issue?

stephenw10

I'm not aware of anything to workaround that.

Are you running 2.6? Have you tested this in 2.7?

mauro.tridici

Yes, Steve. I'm running pfSense v.2.6
I can try to test the 2.7.
I will take a look at 2.7 changelog file as well.

mauro.tridici

Hello @stephenw10 ,

this is to inform you that I solved the issue adding this line in the "cron" case statement in "/usr/local/www/pfblockerng/pfblockerng.php" file:

exec("cat /dev/null > /var/log/pfblockerng/ip_block.log");
exec("cat /dev/null > /var/log/pfblockerng/unified.log");

I hope there is no side effect :)

Have a great day,
Mauro

stephenw10

Cool, if that works for you I would expect any issues. Since you're exporting all the logs you don't need them locally.