Remote Syslog - Radius Auth sent as Emergency Event
-
Hello,
I am seeing that pfsense remote syslog treats a successful Radius authentication to the Admin console as an Emergency Event. It then sends this from the Auth facility. This is causing some issues for me with some outside monitoring services. Is there a known way to not classify successful auth as an Emergency event? I did try to disable the "General Authentication Events" option in the "Remote Syslog Contents" section but that did not prevent the issue. Thanks!
-
Can you show us exactly what you're seeing?
It's only doing this for radius auth? If you authenticate admin against a local account it logs as expected?
Steve
-
@stephenw10
I can see the issue with local auth as well.
I cannot post screenshots but when I do a pcap on the pfsense I can see these parameters set in the syslog message
0010 0... = Facility: AUTH - security/authorization messages (4)
.... .000 = Level: EMERG - system is unusable (0)
-
Mmm, OK I see that:
User Datagram Protocol, Src Port: 514, Dst Port: 514
Syslog message: AUTH.EMERG: Oct 15 13:00:23 php-fpm[338]: /index.php: Successful login for user 'admin' from: 172.21.16.5 (Local Database)
    0010 0... = Facility: AUTH - security/authorization messages (4)
    .... .000 = Level: EMERG - system is unusable (0)
    Message: Oct 15 13:00:23 php-fpm[338]: /index.php: Successful login for user 'admin' from: 172.21.16.5 (Local Database)
        Syslog timestamp (RFC3164): Oct 15 13:00:23
        Syslog hostname: php-fpm[338]:
        Syslog process id:
        Syslog message id: /index.php: Successful login for user 'admin' from: 172.21.16.5 (Local Database)
But I'm not aware of any way to configure that. Certainly not in the gui.
That appears to be the FreeBSD default as far as I can see. You might try using the syslog-ng package to filter the log traffic. You can customise that far more.
Steve
-
@stephenw10
I think the issue is the "Level: EMERG" classification for a successful login from the "php-fpm" process. When I try an additional test by logging in via SSH, I don't see that same "Level: EMERG" get set, it shows a "Level: Info".
0010 0... = Facility: AUTH - security/authorization messages (4)
.... .110 = Level: INFO - informational (6)
So for any users with external systems that may trigger on an EMERG syslog classification, SSH is not impacted in the same way GUI logins are.
I have not tried syslog-ng yet to see if this changes the behavior.
-
You could choose to send all logs to syslog-ng but then just not send any auth logs from there to your syslog server if it's causing a problem.
Steve
-
@stephenw10
Hi Stephen, Thanks for your responses and suggestions. I found that I have to disable both "System Events" and "General Authentication Events" under the "Remote Syslog Contents" section in order to prevent the message from being sent. So not ideal, since I would like to have those logs monitored but that's how I am running for now. Let me know if you know of a reason for the generation of the Level: EMERG.
-
The syslog-ng package gives far more customization capability. If you send log through that you can almost certainly filter auth logs only.
In the past I have used it to proxy logs from the main pfSense logging and send them to a remote encrypted syslog server for example. You could probably even rewrite the message to auth.notice with the right syntax:
https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/59
Steve
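An added example, not from this thread and not part of pfSense or the syslog-ng package: a syslog-ng relay configuration that does what the two posts above describe. The filter matches exactly the message shown in the capture (facility auth, severity emerg, program php-fpm, text "Successful login for user"), and the rewrite downgrades it to auth.notice before forwarding, so the monitoring side stops seeing an EMERG for a routine GUI login. The listening port, the collector hostname, the filter/rewrite names and the assumption that set-severity() is available (syslog-ng OSE 3.22 or later, as far as I know) are mine; nothing here is the project's own config.

```conf
# Added example (not from the thread or the pfSense/syslog-ng projects).
# A syslog-ng relay between pfSense and the monitoring collector.
# pfSense ships the GUI login as auth.emerg, i.e. PRI <32> = facility 4*8 + severity 0,
# exactly as the Wireshark decode in the thread shows.
# Assumptions: relay listens on UDP 5140, collector is collector.example.internal:514,
# set-severity() is available (syslog-ng OSE 3.22+).
@version: 3.22
@include "scl.conf"

# Receive pfSense remote syslog. pfSense sends RFC 3164 (BSD) format with no hostname
# field (the capture shows "php-fpm[338]:" where a hostname would sit), so tell the
# parser not to expect one; otherwise "php-fpm" may be taken as the host.
source s_pfsense {
    network(ip("0.0.0.0") port(5140) transport("udp") flags(no-hostname));
};

# Match only the message that raises the false alarm: auth facility, emergency
# severity, php-fpm program and the "Successful login for user" text.
filter f_gui_login_emerg {
    facility(auth)
    and level(emerg)
    and program("php-fpm")
    and message("Successful login for user");
};

# Downgrade the matched message to auth.notice, the level the pfSense patch
# mentioned later in the thread uses.
rewrite r_login_to_notice {
    set-severity("notice");
};

# Where the normalised stream goes (assumed address).
destination d_collector {
    network("collector.example.internal" port(514) transport("udp"));
};

# Path 1: matched GUI logins are rewritten, forwarded, and not processed further.
log {
    source(s_pfsense);
    filter(f_gui_login_emerg);
    rewrite(r_login_to_notice);
    destination(d_collector);
    flags(final);
};

# Path 2: everything else is forwarded unchanged (other auth events keep their level).
log {
    source(s_pfsense);
    destination(d_collector);
};
```

Point pfSense's Remote Syslog Server at the relay's port 5140 and keep "General Authentication Events" enabled, so failed logins and SSH events still reach the collector at their real level. On a syslog-ng build without set-severity(), the same filter in a log path with flags(final) and no destination simply drops the message, which is the suppression option Steve describes earlier in the thread.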
-
OK, using syslog-ng is fun and opens up a lot of options but.... it shouldn't be necessary!
I opened a bug for this and created a patch to log as Level NOTICE:
https://redmine.pfsense.org/issues/12464
You can apply that diff against 2.5.2 using the System Patches package.
Steve