Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Login

    How to know which rule a syslog entry is referring to?

    Off-Topic & Non-Support Discussion
    2
    5
    3.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jobsoft
      last edited by

      I know this is probably written down somewhere, and, I realize it is probably a FreeBSD-level thing, but, how can I pinpoint which rule an entry in syslog from pfsense/pf is referring to:

      Feb  3 11:32:49 fastgate pf: 000277 rule 880/0(match): block in on xl2:

      Ie, how can I know what "880/0" is referring to?

      Thanks,

      Mark

      1 Reply Last reply Reply Quote 0
      • H
        hoba
        last edited by

        Either use the webgui to view status>systemlogs, firewall. Clicking the icon in front of the line will tell you which rule caused the block including description of the rule. If you need to remotely resolve syslogs to the appropriate rule you need a copy of /tmp/rules.debug from the time the logging took place. You can grab it at either at diagnostics>command and download it or view it at diagnostics>edit file. As pfSense regenerates the rules.debug on changes or when needed (e.g. WAN IP changes, loadbalancer status changes, …) it might not make sense checking an old logged event against a new rules.debug.

        1 Reply Last reply Reply Quote 0
        • J
          jobsoft
          last edited by

          I follow you on the dynamic nature of /tmp/rules.debug, but, assuming the current pfsense "instance" (when the current /tmp/rules.debug is in play), what (and/or what line) in /tmp/rules.debug is "880/0" pointing/referring to so that I, knowing only "880/0", would know the rule "880/0" is referencing???  I assume that "880/0" must mean something or it would not be in the log entry.

          1 Reply Last reply Reply Quote 0
          • J
            jobsoft
            last edited by

            I am going to answer my own query!  :-)

            I found this info elsewhere and thought it may be useful here.

            There are a couple of ways.  Both ways are from the FreeBSD shell prompt.

            pfctl -vvs rules

            will generate a list to STDOUT

            pftop -v rules

            is an interactive (PgUp/PgDown) way of scrolling through the same set.

            I would be useful (I think) to incorporate this under Diagnostics in the future as it can be real handy to be able to correlate precisely what rule in the raw logging output a particular match occurred on.  I do syslog to another syslog server.

            FWIW

            Mark

            @jobsoft:

            I follow you on the dynamic nature of /tmp/rules.debug, but, assuming the current pfsense "instance" (when the current /tmp/rules.debug is in play), what (and/or what line) in /tmp/rules.debug is "880/0" pointing/referring to so that I, knowing only "880/0", would know the rule "880/0" is referencing???  I assume that "880/0" must mean something or it would not be in the log entry.

            1 Reply Last reply Reply Quote 0
            • J
              jobsoft
              last edited by

              One additional mod to the pfctl form:

              If you want to quickly pull out a single rule:

              pfctl -vvs rules | grep "^@ <rulenum>"</rulenum>

              Where is the rule number you are seeking.  The space before my closing double quote was on purpose to terminate the pattern so that ONLY the rule number being sought is returned.  Otherwise, the above might also match some other rule number that started off with the rule number you are seeking.  Ie, '77' and '77x' (x = 0 thru 9) would all match.

              1 Reply Last reply Reply Quote 0
              • First post
                Last post