Remote syslog: Everything doesn't mean it



  • I don't know if this is a new issue or not, but I've got a 1.2.3-snapshot (built on Tue Aug 11 15:23:31 EDT 2009) where I enabled "Everything" for remote syslog, but not everything actually makes it to the remote syslog server.

    For example, ipsec/racoon logs weren't making it.

    After selecting everything including Everything (system events, firewall events, DHCP service events, Portal Auth, VPN events, Everything) I'm now seeing ipsec/racoon messages as expected.

    I also noticed that it had stopped sending out remote syslogs after we had an internal networking issue (our switch died) and it never started sending syslogs again until I re-saved the config. Anyone ever see it do that before?



  • I had a similar experience with the latest snapshot.  In fact, checking "Everything" by itself sends nothing to my syslog daemon.


  • Rebel Alliance Developer Netgate

    It would help to see the contents of your /etc/syslog.conf before and after you have "everything" checked vs the options checked individually.



  • OK, here it is with just Everything checked:

    !ntpdate,!ntpd
    *.*						%/var/log/ntpd.log
    !apinger
    *.*						%/var/log/slbd.log
    !racoon
    *.*						%/var/log/ipsec.log
    !openvpn
    *.*						%/var/log/openvpn.log
    !-ntpd,racoon,openvpn
    local0.*					%/var/log/filter.log
    local3.*					%/var/log/vpn.log
    local4.*					%/var/log/portalauth.log
    local7.*					%/var/log/dhcpd.log
    *.notice;kern.debug;lpr.info;mail.crit; 	%/var/log/system.log
    news.err;local0.none;local3.none;local4.none; 	%/var/log/system.log
    local7.none					%/var/log/system.log
    security.*					%/var/log/system.log
    auth.info;authpriv.info;daemon.info		%/var/log/system.log
    local1.*					%/var/log/slbd.log
    auth.info;authpriv.info 			|exec /usr/local/sbin/sshlockout_pf
    *.emerg						*
    *.*		                                @10.2.1.13
    
    

    And here it is with everything and Everything checked:

    !ntpdate,!ntpd
    *.*						%/var/log/ntpd.log
    !apinger
    *.*						%/var/log/slbd.log
    !racoon
    *.*						%/var/log/ipsec.log
    *.*						@10.2.1.13
    !openvpn
    *.*						%/var/log/openvpn.log
    *.*						@10.2.1.13
    !-ntpd,racoon,openvpn
    local0.*					%/var/log/filter.log
    local3.*					%/var/log/vpn.log
    local4.*					%/var/log/portalauth.log
    local7.*					%/var/log/dhcpd.log
    *.notice;kern.debug;lpr.info;mail.crit; 	%/var/log/system.log
    news.err;local0.none;local3.none;local4.none; 	%/var/log/system.log
    local7.none					%/var/log/system.log
    security.*					%/var/log/system.log
    auth.info;authpriv.info;daemon.info		%/var/log/system.log
    local1.*					%/var/log/slbd.log
    auth.info;authpriv.info 			|exec /usr/local/sbin/sshlockout_pf
    *.emerg						*
    local0.*					@10.2.1.13
    local3.*					@10.2.1.13
    local4.*					@10.2.1.13
    local7.*					@10.2.1.13
    *.notice;kern.debug;lpr.info;mail.crit;		@10.2.1.13
    news.err;local0.none;local3.none;local7.none	@10.2.1.13
    security.*					@10.2.1.13
    auth.info;authpriv.info;daemon.info		@10.2.1.13
    *.emerg						@10.2.1.13
    *.*		                                @10.2.1.13
    
    


  • That's a new option to catch logs that the other options don't catch, which it does, but as far as truly catching everything, it looks like I put that in the wrong place. I'll fix it when I get back from EuroBSDCon.
    http://redmine.pfsense.org/issues/show/91



  • This is fixed now.
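
The gap discussed in this thread can be checked mechanically. The following is an added example, not code from the thread or from pfSense: it walks a syslog.conf, tracks the `!program` block each rule sits in, and lists the programs that no `@host` rule is scoped to. It uses a simplified model of program-block scoping, the function names are hypothetical, and the two sample configs are trimmed from the listings posted above.

```python
# Trimmed from the two syslog.conf listings posted in the thread.
EVERYTHING_ONLY = """\
!racoon
*.*    %/var/log/ipsec.log
!openvpn
*.*    %/var/log/openvpn.log
!-ntpd,racoon,openvpn
*.*    @10.2.1.13
"""
ALL_BOXES = """\
!racoon
*.*    %/var/log/ipsec.log
*.*    @10.2.1.13
!openvpn
*.*    %/var/log/openvpn.log
*.*    @10.2.1.13
!-ntpd,racoon,openvpn
*.*    @10.2.1.13
"""

def parse_rules(conf):
    """Yield (exclude, programs, selector, action) per rule. Simplified model:
    '!a,b' scopes rules to a and b, '!-a,b' to all programs but those, '!*' to all."""
    exclude, programs = True, frozenset()   # before any '!' line: all programs
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            spec = line[1:].strip()
            exclude = spec.startswith("-") or spec == "*"
            names = [] if spec == "*" else spec.lstrip("-").split(",")
            programs = frozenset(n.strip() for n in names if n.strip())
            continue
        selector, action = line.split(None, 1)
        yield exclude, programs, selector, action

def unforwarded(conf):
    """Programs named in '!' lines that no '@host' rule is scoped to."""
    rules = list(parse_rules(conf))
    named = set().union(*(progs for _, progs, _, _ in rules))
    covered = set()
    for exclude, progs, _, action in rules:
        if action.startswith("@"):
            covered |= (named - progs) if exclude else (named & progs)
    return named - covered

print(sorted(unforwarded(EVERYTHING_ONLY)), sorted(unforwarded(ALL_BOXES)))
```

With only the trailing `*.* @10.2.1.13` rule, racoon and openvpn are reported as unforwarded because that rule sits inside the `!-ntpd,racoon,openvpn` block; the second config covers both through their own blocks.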

