Netgate Discussion Forum

    Remote Logging Issues

    General pfSense Questions
      biggsy

      I updated the 2.1 (i386) machine to 2.1.2 yesterday and still no joy.

      At first I thought the <dhcp> was being left in the <syslog> section of the config when turning off DHCP logging but that turned out not to be the case.  Whether that is present or not, the remote syslog is still filling up with dhcpd entries.  Tried rebooting pfSense after changing the setting, still no change.

      Any ideas on where to start looking for the problem?

        phil.davis

        I am on 2.2, so the problem might not be there. But look in /var/etc/syslog.conf, with DHCP remote syslog on, this file looks like:

        !radvd,routed,olsrd,zebra,ospfd,bgpd,miniupnpd
        *.*								%/var/log/routing.log
        !ntp,ntpd,ntpdate
        *.*								%/var/log/ntpd.log
        !ppp
        *.*								%/var/log/ppp.log
        !pptps
        *.*								%/var/log/pptps.log
        !poes
        *.*								%/var/log/poes.log
        !l2tps
        *.*								%/var/log/l2tps.log
        !charon
        *.*								%/var/log/ipsec.log
        !openvpn
        *.*								%/var/log/openvpn.log
        !apinger
        *.*								%/var/log/gateways.log
        !dnsmasq,filterdns,unbound
        *.*								%/var/log/resolver.log
        !dhcpd,dhcrelay,dhclient
        *.*								%/var/log/dhcpd.log
        !relayd
        *.* 								%/var/log/relayd.log
        !hostapd
        *.* 								%/var/log/wireless.log
        !-ntp,ntpd,ntpdate,charon,openvpn,pptps,poes,l2tps,relayd,hostapd,dnsmasq,filterdns,unbound,dhcpd,dhcrelay,dhclient,apinger,radvd,routed,olsrd,zebra,ospfd,bgpd,miniupnpd
        local0.*							%/var/log/filter.log
        local3.*							%/var/log/vpn.log
        local4.*							%/var/log/portalauth.log
        local7.*							%/var/log/dhcpd.log
        *.notice;kern.debug;lpr.info;mail.crit;daemon.none;		%/var/log/system.log
        news.err;local0.none;local3.none;local4.none;			%/var/log/system.log
        local7.none							%/var/log/system.log
        security.*							%/var/log/system.log
        auth.info;authpriv.info;daemon.info				%/var/log/system.log
        auth.info;authpriv.info 					|exec /usr/local/sbin/sshlockout_pf 15
        *.emerg								*
        local7.* 							@10.49.208.111
        
        

        The last line disappears when I uncheck "DHCP service events"
        Would be good to know if that is happening on 2.1.2 - that will help decide if there is a conf file processing issue, or something else.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

          priller

          Looking at /var/etc/syslog.conf on 2.1.2,  there is no change to the dhcp services section when you toggle it off/on.  The remote syslog server is never removed.

          !dhcpd,dhcrelay,dhclient
          *.*                                                             %/var/log/dhcpd.log
          *.*                                                             @192.168.1.52
          
          

          I have tried editing the file and removing the line with the remote syslog server.  However, it keeps getting added back in when you toggle "Send log messages to remote syslog server" off/on, even with dhcp services  unchecked.

          –-

          EDIT:  Just tried this on 2.2 and the remote syslog server gets added to the dhcp services, even with it being unchecked.

          Bug filed: https://redmine.pfsense.org/issues/3613

            phil.davis

            I just tried on a 2.1.2 system.

            *.*                                                             @192.168.1.52
            

            That type of line only comes when I have "Everything" checked.
            What exact things do you have checked/unchecked to get what you are reporting?
            And what sequence of actions?
            A screenshot would be helpful, so I can try to reproduce what you are seeing.

              priller

              Very straightforward to reproduce.  I did this on a clean 2.2 VM install that never had remote syslog configured.

              Status: System logs: Settings

              • Check "Enable Remote Logging"
              • Add a server IP address to "Remote Syslog Servers"
              • Under "Remote Syslog Contents" just select "System Events", as an example.
              • Save

              Note: At no time did I ever select "Everything"

              When you view  /var/etc/syslog.conf  the remote syslog server has been added to the dhcp services.

              !dhcpd,dhcrelay,dhclient
              *.*                                                             %/var/log/dhcpd.log
              *.*                                                             @192.168.1.52
              

              That  @192.168.1.52 entry should not be there unless you have "DHCP service events" ticked.

              I attached a screen shot (from my live 2.1.2 install).  DHCP is not selected, but it is getting configured for remote syslogging.

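A check for the symptom reported in the posts above, as an added example that is not part of the original thread or of pfSense's own code: it lists every remote (`@host`) action in a BSD-style syslog.conf together with its `!program` block, then reports the hosts that receive DHCP messages. The function names are hypothetical, the sample config is constructed (its DHCP block follows the shape posted above), and the 192.0.2.x addresses are documentation placeholders.

```shell
#!/bin/sh
# Added example: audit a BSD-style syslog.conf for remote (@host) actions.

# Print "block selector host" for every remote action in file $1 (or stdin).
# block is the active "!program" specification, or "*" before the first one.
remote_targets() {
    awk '
        BEGIN           { block = "*" }
        /^#?!/          { block = $1; sub(/^#?!/, "", block); next }  # new program block
        NF == 0         { next }                                      # blank line
        $1 ~ /^#/       { next }                                      # comment
        $2 ~ /^@/       { print block, $1, substr($2, 2) }            # remote action
    ' ${1:+"$1"}
}

# Print the remote hosts that receive DHCP messages: a remote action inside a
# block that names dhcpd (a "!-" block is an exclusion list and does not count),
# or a remote action whose selector is on the local7 facility.
dhcp_remote_hosts() {
    remote_targets ${1:+"$1"} | awk '
        (substr($1, 1, 1) != "-" && ("," $1 ",") ~ /,dhcpd,/) ||
        (";" $2) ~ /;local7\./ { print $3 }
    ' | sort -u
}

# Constructed sample: DHCP is forwarded although only system events were wanted.
sample_conf() {
    cat <<'EOF'
!dhcpd,dhcrelay,dhclient
*.*                                 %/var/log/dhcpd.log
*.*                                 @192.0.2.10
!-ntp,ntpd,dhcpd,dhcrelay,dhclient
local7.*                            %/var/log/dhcpd.log
auth.info;authpriv.info;daemon.info %/var/log/system.log
auth.info;authpriv.info;daemon.info @192.0.2.10
EOF
}

# Stand-alone run: prints 192.0.2.10, the unwanted DHCP forwarding target.
sample_conf | dhcp_remote_hosts
```

On a firewall, `dhcp_remote_hosts /var/etc/syslog.conf` run after each change to the Remote Syslog Contents checkboxes shows whether the generated file matches the selection; empty output means no DHCP messages are forwarded.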
                biggsy

                Same thing here.

                On my 2.1.2 system I can't enable DHCP Service Events.  "Everything" is not checked and there is no change to /var/etc/syslog.conf when toggling DHCP Service Events.

                
                !dhcpd,dhcrelay,dhclient
                *.*                                                             %/var/log/dhcpd.log
                
                

                On my friend's 2.1.2 system I can't disable DHCP Service Events.  Again, no change to /var/etc/syslog.conf when toggling and Everything is unchecked.

                
                !dhcpd,dhcrelay,dhclient
                *.*                                                             %/var/log/dhcpd.log
                *.*                                                             @10.0.1.3
                
                
                  phil.davis

                  It is just an ordinary cut-and-paste bug in the code.
                  This fix for 2.1.2: https://github.com/pfsense/pfsense/pull/1119
                  And for master branch (to fix it in 2.2 onwards): https://github.com/pfsense/pfsense/pull/1118

                    biggsy

                    Thanks, Phil.

                    Can that just be edited in a running system or will it get over-written with a reboot?

                      biggsy

                      Just having a look at the system.inc on my machine.

                      Does the chunk of code immediately above that (DNS?) have the same problem?

                        phil.davis

                        Since it is a 1-liner, you could just make the edit direct on your system - Diagnostics->Edit, type in the file name, Load, find the line, change it, press save - but don't stuff up otherwise your system will really be broken, since /etc/inc/system.inc is included by pretty much everything, if you introduce a syntax error then the whole webGUI will be broken, and PHP shutdown/reboot script…!!!

                        Otherwise wait until it is committed and use System Patches package to apply it. That way the edit is automated and there is a record on your system of what has been changed.

                        Yes, the DNS chunk of code has a similar problem. But there did not seem to actually be an option on the webGUI to turn on/off DNS "resolver" remote syslog. I couldn't work out what string was actually needed there. It might be a completely missing piece of webGUI functionality also. I made a note in the master commit about that so one of the devs can sort it out.

                          biggsy

                          I used Filezilla and Notepad++.  Seems to have worked fine.  Now to stop the DHCP entries in friend's syslog.

                          Yeah, I noticed there was no GUI check box for that.  If it isn't broken…

                          Thanks again.
