Remote syslog: Everything doesn't mean it
-
I don't know if this is a new issue or not, but I've got a 1.2.3-snapshot (built on Tue Aug 11 15:23:31 EDT 2009) where I enabled "Everything" for remote syslog, but not everything actually makes it to the remote syslog server.
For example, ipsec/racoon logs weren't making it.
After selecting everything including Everything (system events, firewall events, DHCP service events, Portal Auth, VPN events, Everything) I'm now seeing ipsec/racoon messages as expected.
Also, I noticed that it had stopped sending out remote syslogs after we had an internal networking issue (our switch died) and it never started sending syslogs again until I re-saved the config. Anyone ever see it do that before?
-
I had a similar experience with the latest snapshot. In fact, checking "Everything" by itself sends nothing to my syslog daemon.
-
It would help to see the contents of your /etc/syslog.conf before and after you have "everything" checked vs the options checked individually.
-
OK, here it is with just Everything checked:
    !ntpdate,!ntpd
    *.* %/var/log/ntpd.log
    !apinger
    *.* %/var/log/slbd.log
    !racoon
    *.* %/var/log/ipsec.log
    !openvpn
    *.* %/var/log/openvpn.log
    !-ntpd,racoon,openvpn
    local0.* %/var/log/filter.log
    local3.* %/var/log/vpn.log
    local4.* %/var/log/portalauth.log
    local7.* %/var/log/dhcpd.log
    *.notice;kern.debug;lpr.info;mail.crit; %/var/log/system.log
    news.err;local0.none;local3.none;local4.none; %/var/log/system.log
    local7.none %/var/log/system.log
    security.* %/var/log/system.log
    auth.info;authpriv.info;daemon.info %/var/log/system.log
    local1.* %/var/log/slbd.log
    auth.info;authpriv.info |exec /usr/local/sbin/sshlockout_pf
    *.emerg *
    *.* @10.2.1.13
And here it is with everything and Everything checked:
    !ntpdate,!ntpd
    *.* %/var/log/ntpd.log
    !apinger
    *.* %/var/log/slbd.log
    !racoon
    *.* %/var/log/ipsec.log
    *.* @10.2.1.13
    !openvpn
    *.* %/var/log/openvpn.log
    *.* @10.2.1.13
    !-ntpd,racoon,openvpn
    local0.* %/var/log/filter.log
    local3.* %/var/log/vpn.log
    local4.* %/var/log/portalauth.log
    local7.* %/var/log/dhcpd.log
    *.notice;kern.debug;lpr.info;mail.crit; %/var/log/system.log
    news.err;local0.none;local3.none;local4.none; %/var/log/system.log
    local7.none %/var/log/system.log
    security.* %/var/log/system.log
    auth.info;authpriv.info;daemon.info %/var/log/system.log
    local1.* %/var/log/slbd.log
    auth.info;authpriv.info |exec /usr/local/sbin/sshlockout_pf
    *.emerg *
    local0.* @10.2.1.13
    local3.* @10.2.1.13
    local4.* @10.2.1.13
    local7.* @10.2.1.13
    *.notice;kern.debug;lpr.info;mail.crit; @10.2.1.13
    news.err;local0.none;local3.none;local7.none @10.2.1.13
    security.* @10.2.1.13
    auth.info;authpriv.info;daemon.info @10.2.1.13
    *.emerg @10.2.1.13
    *.* @10.2.1.13
-
That's a new option to catch logs that the other options don't catch, which it does, but as far as truly catching everything it looks like I put that in the wrong place, I'll fix it when I get back from EuroBSDCon.
http://redmine.pfsense.org/issues/show/91
-
This is fixed now.
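-
An added example, not part of the original thread or of pfSense's code: a small checker that reports which programs have no remote (`@host`) rule in a FreeBSD-style syslog.conf, which is the gap visible in the first configuration above, where the only `*.* @10.2.1.13` line sits inside the `!-ntpd,racoon,openvpn` block. The function names and the abbreviated sample configs are constructed for illustration, and facility/level selectors are deliberately ignored.

```python
def remote_targets(conf, program):
    """Return the remote hosts that receive `program`'s messages (program blocks only)."""
    names, exclude = None, False           # names=None: rules apply to every program
    hosts = set()
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):           # "!prog,...", "!-prog,..." or "!*"
            spec = line[1:].strip()
            if spec == "*":
                names, exclude = None, False
            else:
                exclude = spec.startswith("-")   # "-" negates the whole list
                names = {n.strip().lstrip("!") for n in spec.lstrip("+-").split(",")}
            continue
        in_block = names is None or ((program in names) != exclude)
        action = line.split(None, 1)[-1]   # everything after the selector
        if in_block and action.startswith("@"):
            hosts.add(action[1:])
    return hosts

def coverage_gaps(conf, programs):
    """Programs whose messages never reach any remote syslog host."""
    return [p for p in programs if not remote_targets(conf, p)]

# Constructed samples, abbreviated from the two configurations posted in the thread.
EVERYTHING_ONLY = """\
!racoon
*.* %/var/log/ipsec.log
!openvpn
*.* %/var/log/openvpn.log
!-ntpd,racoon,openvpn
local7.* %/var/log/dhcpd.log
*.* @10.2.1.13
"""
ALL_BOXES = """\
!racoon
*.* %/var/log/ipsec.log
*.* @10.2.1.13
!openvpn
*.* %/var/log/openvpn.log
*.* @10.2.1.13
!-ntpd,racoon,openvpn
local7.* @10.2.1.13
*.* @10.2.1.13
"""

if __name__ == "__main__":
    for conf in (EVERYTHING_ONLY, ALL_BOXES):
        print(coverage_gaps(conf, ["racoon", "openvpn", "dhcpd"]))
```

Running a check like this against the generated /etc/syslog.conf after each configuration change shows whether a log source has silently dropped out of remote collection.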