pfBlockerNG crontab-based restart causes SyslogNG restart: SyslogNG sends the same entire log file each time to my SIEM

mauro.tridici

Dear Users,

I installed and configured pfBlockerNG on my pfSense v.2.6 instance.
It works very well, it is an interesting tool, but I have a problem.

I set pfBlocker-NG cron settings to "daily at 02:00 a.m." in order to allow pfBlocker-NG to "update" itself.
Unfortunately, every day at 02:00 a.m. SYSLOG-NG seems to be restarted by pfBlocker-NG.

When Syslog-NG is restarted, it sends the same entire log file to my SIEM creating an unexpected behaviour.
A lot of logs (already sent before) are again sent with a wrong timestamp:

2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:19:36 ...
2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:21:37 ...
2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:22:24 ...
2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:24:13 ...
2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:25:18 ...
2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:25:20 ...
2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:25:41 ...
2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:29:12 ...
2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:32:32 ...
2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:34:29 ...
2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:34:55 ...
2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:36:20 ...
2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:37:11 ...

Side effect: my SIEM sends a lot of useless alerts.

Anyone of you knows how to fix it?

Thank you in advance.
Mauro

stephenw10

Usually when you see the log restart like that it's because it fills and rotates. You might try simply increasing the log file size to prevent that.

mauro.tridici

Hello @stephenw10 ,

thank you for your reply.
Unfortunately, I don't think the problem is due to log-rotate (anyway, changing the file size, would postpone the problem, but would not solve it)
The event occurs every day at the exact same time. And it coincides with the one shown in the following screenshot.

To update the blacklists and to apply the daily updates of pfBlockerNG, I am forced to leave that setting on.
I might consider turning it off, but I would lose all the important updates.
I noticed that there are other users on the forum who have the same problem, but don't know how to solve it.

Do you have any ideas?

Thank you very much,
Mauro

stephenw10

You are using syslog-ng locally on pfSense to export to your external syslog server?

It's the sysog-ng service that's restarting?

mauro.tridici

Hello @stephenw10 ,

yes I'm using syslog-ng locally on pfSense to export logs to the SIEM.
I don't know why, but it seems that when pfBlockerNG restarts automatically at 00:00 also syslog-ng is restarted.

And this is the cause of duplicate logs sending.
Is there a way to fix this behavior?

Thank you,
Mauro

stephenw10

Why are you using syslog-ng rather than exporting directly?

What shown in the logs when pfBlocker updates and syslog-ng restarts?

mauro.tridici

I don't know how to export logs from pfblockerng "directly" without using syslog-ng.
I followed the instructions contained in this conversation:

https://forum.netgate.com/topic/180605/how-to-send-pfblockerng-logs-to-remote-log-server-wazuh-siem

This is what I see in the pfBlockerng logs during the update:

CRON PROCESS START [ v3.2.0_4 ] [ 07/5/23 00:00:00 ]
[ compromised_v4 ]
Remote timestamp: Tue, 4 Jul 2023 21:13:10 GMT
Local timestamp: Mon, 3 Jul 2023 18:46:18 GMT Update found
UPDATE PROCESS START [ v3.2.0_4 ] [ 07/5/23 00:00:04 ]

===[ DNSBL Process ]================================================

===[ GeoIP Process ]============================================

[ pfB_Top_v4 ] exists. [ 07/5/23 00:00:05 ]

===[ IPv4 Process ]=================================================

[ ip_cred_theft_custom_v4 ] exists.
[ compromised_v4 ] Downloading update .. 200 OK. completed ..

Aggregation Stats:

Original Final

403 402

===[ Aliastables / Rules ]==========================================

No changes to Firewall rules, skipping Filter Reload

Updating: pfB_compromised_v4
18 addresses added.19 addresses deleted.

UPDATE PROCESS ENDED [ 07/5/23 00:00:09 ]

And this is the SYSLOG-NG log file content:

Jul 5 00:00:00 pfSense_LAN syslog-ng[22079]: Configuration reload finished;
Jul 5 00:00:00 pfSense_LAN syslog-ng[22079]: Configuration reload request received, reloading configuration;
Jul 5 00:00:14 pfSense_LAN syslog-ng[22079]: The current log file has a mismatching size/inode information, restarting from the beginning; state='affile_sd_curpos(/var/log/pfblockerng/ip_block.log)', stored_inode='944', cur_file_inode='1286', stored_size='3361864', cur_file_size='3202961', raw_stream_pos='3361716'

stephenw10

Ah for the pfBlocker logs, I see.

If syslog-ng is watching the pfBlocker log file and that is rotated then I would expect that. It appears syslog-ng is seeing the file has changed and restarts and then presumably resends everything from that file?

mauro.tridici

Yes, that's exactly what happens.
To avoid this behaviour, I should disable pfBlockerNG daily update (and restart), but I think it is not good practice.

Do you think there is a workaround to solve this issue?

stephenw10

I'm not aware of anything to workaround that.

Are you running 2.6? Have you tested this in 2.7?

mauro.tridici

Yes, Steve. I'm running pfSense v.2.6
I can try to test the 2.7.
I will take a look at 2.7 changelog file as well.

mauro.tridici

Hello @stephenw10 ,

this is to inform you that I solved the issue adding this line in the "cron" case statement in "/usr/local/www/pfblockerng/pfblockerng.php" file:

exec("cat /dev/null > /var/log/pfblockerng/ip_block.log");
exec("cat /dev/null > /var/log/pfblockerng/unified.log");

I hope there is no side effect :)

Have a great day,
Mauro

stephenw10

Cool, if that works for you I would expect any issues. Since you're exporting all the logs you don't need them locally.