Remote Logging -> Everything not working properly

cmcdonald

Just today I setup a VPS that will be acting as a receiver for my syslog events.  I am logging all of my PASS traffic through my guest interface so it should be spitting out hundreds of "pf" events per second. When I manually tick, "Firewall Events" and any other events that I wish, my remote server picks them up just fine. However, when I choose "Everything", I am not receiving anything from "pf" in my remote syslogs.

jimp

Check /var/etc/syslog.conf with the various options selected.

Post what it looks like in each state.

cmcdonald

@jimp:

Check /var/etc/syslog.conf with the various options selected.

Post what it looks like in each state.

The following conf is with these options checked: System, Firewall, DHCP, Portal, VPN, & Gateway

!radvd,routed,olsrd,zebra,ospfd,bgpd,miniupnpd
!ntp,ntpd,ntpdate
!ppp
!pptps
!poes
!l2tps
!racoon
*.* 								@199.15.x.x
!openvpn
*.* 								@199.15.x.x
!apinger
*.* 								@199.15.x.x
!dnsmasq,filterdns,unbound
*.* 								@199.15.x.x
!dhcpd,dhcrelay,dhclient
*.* 								@199.15.x.x
!relayd
!hostapd
!-ntp,ntpd,ntpdate,racoon,openvpn,pptps,poes,l2tps,relayd,hostapd,dnsmasq,filterdns,unbound,dhcpd,dhcrelay,dhclient,apinger,radvd,routed,olsrd,zebra,ospfd,bgpd,miniupnpd
local0.* 							@199.15.x.x
local3.* 							@199.15.x.x
local4.* 							@199.15.x.x
local7.* 							@199.15.x.x
*.notice;kern.debug;lpr.info;mail.crit; 			@199.15.x.x
news.err;local0.none;local3.none;local7.none 			@199.15.x.x
security.* 							@199.15.x.x
auth.info;authpriv.info;daemon.info 				@199.15.x.x
*.emerg 							@199.15.x.x

The following conf is with everything:

!radvd,routed,olsrd,zebra,ospfd,bgpd,miniupnpd
!ntp,ntpd,ntpdate
!ppp
!pptps
!poes
!l2tps
!racoon
!openvpn
!apinger
!dnsmasq,filterdns,unbound
!dhcpd,dhcrelay,dhclient
!relayd
!hostapd
!-ntp,ntpd,ntpdate,racoon,openvpn,pptps,poes,l2tps,relayd,hostapd,dnsmasq,filterdns,unbound,dhcpd,dhcrelay,dhclient,apinger,radvd,routed,olsrd,zebra,ospfd,bgpd,miniupnpd
!*
*.* 								@199.15.x.x

Finally, this is with all of the items selected manually:

!radvd,routed,olsrd,zebra,ospfd,bgpd,miniupnpd
!ntp,ntpd,ntpdate
!ppp
!pptps
!poes
!l2tps
!racoon
*.* 								@199.15.x.x
!openvpn
*.* 								@199.15.x.x
!apinger
*.* 								@199.15.x.x
!dnsmasq,filterdns,unbound
*.* 								@199.15.x.x
!dhcpd,dhcrelay,dhclient
*.* 								@199.15.x.x
!relayd
*.* 								@199.15.x.x
!hostapd
*.* 								@199.15.x.x
!-ntp,ntpd,ntpdate,racoon,openvpn,pptps,poes,l2tps,relayd,hostapd,dnsmasq,filterdns,unbound,dhcpd,dhcrelay,dhclient,apinger,radvd,routed,olsrd,zebra,ospfd,bgpd,miniupnpd
local0.* 							@199.15.x.x
local3.* 							@199.15.x.x
local4.* 							@199.15.x.x
local7.* 							@199.15.x.x
*.notice;kern.debug;lpr.info;mail.crit; 			@199.15.x.x
news.err;local0.none;local3.none;local7.none 			@199.15.x.x
security.* 							@199.15.249.61
auth.info;authpriv.info;daemon.info 				@199.15.x.x
*.emerg 							@199.15.x.x

cmcdonald

Any ideas? I'm still under the impression that this is a bug.

jimp

Do you have local logging disabled?

cmcdonald

@jimp:

Do you have local logging disabled?

Yes. Writing log files to the disk is disabled.

jimp

Does it give the correct remote behavior if you enable local logging?

cmcdonald

@jimp:

Does it give the correct remote behavior if you enable local logging?

Nope, when I enable local logging while keeping "System Events, Firewall Events, DHCP service events, etc. selected", the remote logging effectively stops. DHCPD events still get pushed through as well as some other services, but according to my firewall rules, PF should be pumping out messages like crazy. Something just isn't right here…

jimp

I was finally able to reproduce this, but it's odder than even you describe.

I can set it up and make no changes, and it works every other time I press Save.

Press Save, they work. Press Save, they stop. Press save, they work again. Press Save, they stop again. [Repeat]

And the same behavior happens whether I have "everything" checked or just the firewall events.

cmcdonald

@jimp:

I was finally able to reproduce this, but it's odder than even you describe.

I can set it up and make no changes, and it works every other time I press Save.

Press Save, they work. Press Save, they stop. Press save, they work again. Press Save, they stop again. [Repeat]

And the same behavior happens whether I have "everything" checked or just the firewall events.

Ah, yep you are correct! I probably didn't notice this because I was other time for me I was also switching between "Everything" and selecting individual settings… I'm glad that you are able to reproduce this issue! Hopefully we can get a fix soon :)

jimp

Tracked down the fix for this.

The tcpdump process that was logging from pf was being killed but not restarted as expected.

It'll be fixed in snapshots that pick up this commit (late today, tomorrow, etc): https://github.com/pfsense/pfsense/commit/32fb33927d51dd73ba9d0ef5b483efe66328c92c