WebGUI populates syslog when dashboard running
-
I'm currently running pfSense 2.3.1-RELEASE-p5 and have found it writing all WebGUI requests to syslog. I've unchecked the Log errors from the web server process under the Status/System Logs/Settings menu but this hasn't stopped it from writing log entries.
21/06/2016 21:12:50 Information pfsense.host.net local5 nginx 10.X.X.X - - [21/Jun/2016:21:12:50 +1000] "GET /system_advanced_admin.php HTTP/1.1" 200 6144 "https://pfsense.host.net/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"
21/06/2016 21:12:49 Information pfsense.host.net local5 nginx 10.X.X.X - - [21/Jun/2016:21:12:49 +1000] "GET /widgets/widgets/dyn_dns_status.widget.php?getdyndnsstatus=yes HTTP/1.1" 200 78 "https://pfsense.host.net/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"
21/06/2016 21:12:47 Information pfsense.host.net local5 nginx 10.X.X.X - - [21/Jun/2016:21:12:47 +1000] "POST /widgets/widgets/interface_statistics.widget.php HTTP/1.1" 200 329 "https://pfsense.host.net/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"
21/06/2016 21:12:47 Information pfsense.host.net local5 nginx 10.X.X.X - - [21/Jun/2016:21:12:47 +1000] "GET /ifstats.php?if=ovpnc2 HTTP/1.1" 200 65 "https://pfsense.host.net/graph.php?ifnum=opt3&ifname=OPT3&timeint=10&initdelay=4" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"
21/06/2016 21:12:47 Information pfsense.host.net local5 nginx 10.X.X.X - - [21/Jun/2016:21:12:47 +1000] "GET /ifstats.php?if=lagg0_vlan50 HTTP/1.1" 200 64 "https://pfsense.host.net/graph.php?ifnum=opt1&ifname=OPT1&timeint=10&initdelay=2" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"
21/06/2016 21:12:47 Information pfsense.host.net local5 nginx 10.X.X.X - - [21/Jun/2016:21:12:47 +1000] "GET /ifstats.php?if=lagg0_vlan55 HTTP/1.1" 200 65 "https://pfsense.host.net/graph.php?ifnum=opt2&ifname=OPT2&timeint=10&initdelay=2" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"
21/06/2016 21:12:47 Information pfsense.host.net local5 nginx 10.X.X.X - - [21/Jun/2016:21:12:47 +1000] "GET /ifstats.php?if=igb5 HTTP/1.1" 200 68 "https://pfsense.host.net/graph.php?ifnum=wan&ifname=WAN&timeint=10&initdelay=2" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"
21/06/2016 21:12:47 Information pfsense.host.net local5 nginx 10.X.X.X - - [21/Jun/2016:21:12:47 +1000] "GET /ifstats.php?if=lagg0_49 HTTP/1.1" 200 66 "https://pfsense.host.net/graph.php?ifnum=lan&ifname=LAN&timeint=10&initdelay=2" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"
21/06/2016 21:12:47 Information pfsense.host.net local5 nginx 10.X.X.X - - [21/Jun/2016:21:12:47 +1000] "POST /widgets/widgets/gateways.widget.php HTTP/1.1" 200 227 "https://pfsense.host.net/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"
21/06/2016 21:12:47 Information pfsense.host.net local5 nginx 10.X.X.X - - [21/Jun/2016:21:12:47 +1000] "GET /graph.php?ifnum=opt3&ifname=OPT3&timeint=10&initdelay=4 HTTP/1.1" 200 10532 "https://pfsense.host.net/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"
21/06/2016 21:12:47 Information pfsense.host.net local5 nginx 10.X.X.X - - [21/Jun/2016:21:12:47 +1000] "GET /graph.php?ifnum=opt1&ifname=OPT1&timeint=10&initdelay=2 HTTP/1.1" 200 10546 "https://pfsense.host.net/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"
21/06/2016 21:12:47 Information pfsense.host.net local5 nginx 10.X.X.X - - [21/Jun/2016:21:12:47 +1000] "GET /graph.php?ifnum=opt2&ifname=OPT2&timeint=10&initdelay=2 HTTP/1.1" 200 10546 "https://pfsense.host.net/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"
21/06/2016 21:12:47 Information pfsense.host.net local5 nginx 10.X.X.X - - [21/Jun/2016:21:12:47 +1000] "GET /graph.php?ifnum=lan&ifname=LAN&timeint=10&initdelay=2 HTTP/1.1" 200 10542 "https://pfsense.host.net/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"
21/06/2016 21:12:47 Information pfsense.host.net local5 nginx 10.X.X.X - - [21/Jun/2016:21:12:47 +1000] "GET /graph.php?ifnum=wan&ifname=WAN&timeint=10&initdelay=2 HTTP/1.1" 200 10528 "https://pfsense.host.net/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"
21/06/2016 21:12:46 Information pfsense.host.net local5 nginx 10.X.X.X - - [21/Jun/2016:21:12:46 +1000] "POST /widgets/widgets/gateways.widget.php HTTP/1.1" 200 224 "https://pfsense.host.net/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"
21/06/2016 21:12:46 Information pfsense.host.net local5 nginx 10.X.X.X - - [21/Jun/2016:21:12:46 +1000] "GET / HTTP/1.1" 200 16739 "https://pfsense.host.net/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"
-
Hi,
You are 'syslogging' to a remote syslog server, right ?
I see the same thing. Since nginx came on board, the entire web server log is sent to the remote syslog server.
I found a working solution : do not visit the web GUI - which often happens, because when the box has been set up, it doesn't need your attention anymore.
Better solution : an option to exclude normal (GUI) web server traffic is missing on the system log page.
-
Yes I am remote logging.
While I would love not to have to visit the webGUI I've been troubleshooting my setup so unfortunately that is not an option. I also like to review the logs and webGUI regularly for any issues.
-
After setting up a new rsyslog-server (CentOS 7) this week, I see the same behaviour. It must be something completely different from standard because I set up rsyslog to truncate the domain name. That works for all messages, except those submitted by nginx on pfSense.
It clutters up the log results and I think there should be a fix for this.
We have six pfSense 2.3.2 boxes, of which five are full installs and one is a nano image with VGA.
The same problem is reported here: https://forum.pfsense.org/index.php?topic=112880.0
-
Greetings from 2025.
This bug still exists in pfSense+ 24.11. Would be nice to see it squashed!
-
If your pfSense web GUI access gets "hit hard" by devices that shouldn't hit that pfSense web interface, what about a firewall rule to stop this from happening ?
The nginx web server will log access requests it receives, no matter what. After all, it has been said in the same redmine :
Jim said : That is a raw web server log, it's not meant to only show notable events, but every access of the web server. That's why it's off on its own tab.
It's doing exactly what it should be doing and logging every request. It's a security concern. If you have no idea what is hitting your GUI making requests that end up in the log, you should be looking into why that is happening, not trying to suppress the logs.
The only way to calm down this log is : Allow only devices that need to connect to the pfSense GUI, disallow all the others. Create a firewall rule, and call it a day ?!
A possible implementation could be : use the pfSense LAN interface for your trusted devices
Create more LAN type networks for all the other type of users, and on these interfaces : no SSH access, no GUI access.
Btw : If the "Log web server errors" option is checked, these errors will also be logged. These are normally less important, as by their nature : errors won't produce valid web requests anyway so, imho, less of a security issue.
-
@Gertjan I'm all for logging as much as possible! (hence why I set up a Graylog server in the first place). My only gripe was that these nginx access logs were being piped through syslog and making it hard to filter the wheat from the chaff. Even just 1 or 2 devices (yes these devices are "supposed" to have access, so we are not talking about rogues trying to hack in) – accessing a dashboard page generates multiple log entries per second.
I will probably "solve" this from the Graylog side with some custom pipeline rules, but in my opinion, "normal" nginx access logs belong in /var/log/nginx/access.log like on a standard system, and can be reviewed there if needed. And a checkbox like
- Send nginx access logs to external syslog server
would be ideal for those who want that level of verbosity.
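
The kind of collector-side filtering mentioned in the post above, sketched in Python instead of a Graylog pipeline rule (an added example, not code from the thread, pfSense or Graylog). The sample lines are constructed after the format in the first post; the polling path list, the trusted client address and the host name are assumptions. Polling from trusted clients is counted, not discarded, and anything else stays visible.

```python
import re
from collections import Counter

# nginx "combined" fields as they appear after the syslog prefix.
LINE_RE = re.compile(
    r'nginx (?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')

# Assumption: timer-driven dashboard requests, taken from the paths visible
# in the first post's sample.
POLLING_PREFIXES = ("/widgets/widgets/", "/ifstats.php", "/graph.php")
# Assumption: admin workstations that are supposed to use the GUI.
TRUSTED_CLIENTS = {"192.0.2.10"}

PFX = "21/06/2016 21:12:47 Information fw.example.net local5 nginx "
TS = " - - [21/Jun/2016:21:12:47 +1000] "
SAMPLE = [  # constructed lines, modelled on the format in the first post
    PFX + "192.0.2.10" + TS + '"GET /ifstats.php?if=igb5 HTTP/1.1" 200 68 "-" "-"',
    PFX + "192.0.2.10" + TS + '"GET /ifstats.php?if=lagg0_49 HTTP/1.1" 200 66 "-" "-"',
    PFX + "192.0.2.10" + TS + '"POST /widgets/widgets/gateways.widget.php HTTP/1.1" 200 227 "-" "-"',
    PFX + "192.0.2.10" + TS + '"GET /system_advanced_admin.php HTTP/1.1" 200 6144 "-" "-"',
    PFX + "198.51.100.7" + TS + '"GET /graph.php?ifnum=wan HTTP/1.1" 200 10528 "-" "-"',
    PFX + "192.0.2.10" + TS + '"POST /widgets/widgets/gateways.widget.php HTTP/1.1" 403 0 "-" "-"',
    "21/06/2016 21:12:47 Information fw.example.net kern kernel: link state changed",
]

def triage(lines):
    """Return (notable events, per-client polling counts, unparsed lines)."""
    notable, noise, unparsed = [], Counter(), []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            unparsed.append(line)  # keep what we cannot read, never drop it
            continue
        path = m["uri"].split("?", 1)[0]
        routine = (m["client"] in TRUSTED_CLIENTS
                   and path.startswith(POLLING_PREFIXES)
                   and m["status"].startswith("2"))
        if routine:
            noise[(m["client"], path)] += 1  # summarised instead of listed
        else:
            # Unknown client, non-polling page, or a non-2xx answer.
            notable.append((m["client"], m["method"], m["uri"], int(m["status"])))
    return notable, noise, unparsed

if __name__ == "__main__":
    events, counts, rest = triage(SAMPLE)
    print(events, dict(counts), rest, sep="\n")
```
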
-
@luckman212 said in WebGUI populates syslog when dashboard running:
but in my opinion, "normal" nginx access logs belong in /var/log/nginx/access.log like on a standard system,
A normal FreeBSD, or actually any OS, true, and that folder and file even exist.
Or, pfSense isn't 'normal', it groups all log files into the same /var/log/
That said, if you trust your devices - trust yourself and those who access pfSense, then there is nothing that can stop you from doing what you want : change the default pfSense behaviour.
Have a look at /var/etc/nginx-webConfigurator.conf - probably line 22.
Because it's just for you, no need to create a
go ahead and change this one : here it is.
and I get it, that "Status > System Logs > System > GUI Service" log only has - default - 2000 entries or so, which means "useful info" will be gone pretty fast.
to send it to a remote syslogger right away, and your internal pfSense drive will say "thank you". Knowing that some of us use internal drives that just 'die' if too much solicited ...
I'm pretty sure this access_log option permits you to do so.
Best solution imho would be : make your own patch, and put it into the System > Patches.
Then click on it, and your own patch is active. (you will have to restart the nginx web server process)
Click again, and your pfSense is 'native' again.
Anyway, that is what I would do ^^