Netgate Discussion Forum
    pfBlockerNG crontab-based restart causes SyslogNG restart: SyslogNG sends the same entire log file each time to my SIEM

mauro.tridici:

      Dear Users,

      I installed and configured pfBlockerNG on my pfSense v.2.6 instance.
      It works very well, it is an interesting tool, but I have a problem.

      I set pfBlocker-NG cron settings to "daily at 02:00 a.m." in order to allow pfBlocker-NG to "update" itself.
      Unfortunately, every day at 02:00 a.m. SYSLOG-NG seems to be restarted by pfBlocker-NG.

      When Syslog-NG is restarted, it sends the same entire log file to my SIEM creating an unexpected behaviour.
      A lot of logs (already sent before) are again sent with a wrong timestamp:

      2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:19:36 ...
      2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:21:37 ...
      2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:22:24 ...
      2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:24:13 ...
      2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:25:18 ...
      2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:25:20 ...
      2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:25:41 ...
      2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:29:12 ...
      2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:32:32 ...
      2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:34:29 ...
      2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:34:55 ...
      2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:36:20 ...
      2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:37:11 ...

      Side effect: my SIEM sends a lot of useless alerts.

      Anyone of you knows how to fix it?

      Thank you in advance.
      Mauro
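
The burst in the paste above has one signature: many records share a single receive timestamp while their embedded pfSense timestamps all lie well in the past. The following is an added example (not code from the thread or from pfSense) that scans lines in the OP's format for such bursts and drops exact replays on the receiving side. The line layout, the constructed sample lines, and taking the year from the receive timestamp (the BSD stamp carries none) are assumptions.

```python
"""Flag syslog-ng replay bursts in pfSense/pfBlockerNG lines as a SIEM receives them.

Added example, not code from the thread or from pfSense. Line layout follows
the OP's paste: "<receive ISO-8601 ts> <host> - <BSD ts> <message>".
Assumptions: the BSD timestamp has no year, so the year is taken from the
receive timestamp; both timestamps are in the same local zone. Sample lines
are constructed.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<recv>\S+) (?P<host>\S+) - "
    r"(?P<bsd>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$"
)

# Constructed sample: two live lines, then a burst replayed after the 00:00
# pfBlockerNG cron (one receive timestamp, embedded times from the previous
# evening, two of them exact repeats of the live lines), then a live line.
SAMPLE_LINES = [
    "2023-07-02T23:37:15+02:00 pfSense - Jul 2 23:37:11 pfB_Top_v4 block 203.0.113.7",
    "2023-07-02T23:40:03+02:00 pfSense - Jul 2 23:40:01 pfB_Top_v4 block 198.51.100.9",
    "2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:19:36 pfB_Top_v4 block 192.0.2.4",
    "2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:21:37 pfB_Top_v4 block 192.0.2.5",
    "2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:25:18 pfB_Top_v4 block 192.0.2.6",
    "2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:37:11 pfB_Top_v4 block 203.0.113.7",
    "2023-07-03T00:00:08+02:00 pfSense - Jul 2 23:40:01 pfB_Top_v4 block 198.51.100.9",
    "2023-07-03T00:03:42+02:00 pfSense - Jul 3 00:03:40 pfB_Top_v4 block 192.0.2.9",
]


def parse_line(line):
    """Return a dict with recv/host/emb/msg, or None for lines not in the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    recv = datetime.fromisoformat(m["recv"]).replace(tzinfo=None)  # keep local wall time
    bsd = " ".join(m["bsd"].split())  # collapse the "Jul  2" double space
    emb = datetime.strptime(f"{recv.year} {bsd}", "%Y %b %d %H:%M:%S")
    if emb > recv + timedelta(days=1):  # Dec entry received in Jan: previous year
        emb = emb.replace(year=recv.year - 1)
    return {"recv": recv, "host": m["host"], "emb": emb, "msg": m["msg"]}


def find_replay_bursts(lines, min_burst=3, max_lag=timedelta(seconds=60)):
    """Group consecutive records by receive timestamp; a group is a replay burst
    when it is at least min_burst long and every embedded time trails the
    receive time by more than max_lag."""
    recs = [r for r in map(parse_line, lines) if r]
    bursts, i = [], 0
    while i < len(recs):
        j = i
        while j < len(recs) and recs[j]["recv"] == recs[i]["recv"]:
            j += 1
        group = recs[i:j]
        if len(group) >= min_burst and all(g["recv"] - g["emb"] > max_lag for g in group):
            bursts.append({
                "recv": group[0]["recv"].isoformat(),
                "count": len(group),
                "oldest": min(g["emb"] for g in group).isoformat(),
                "newest": max(g["emb"] for g in group).isoformat(),
            })
        i = j
    return bursts


def dedupe(lines):
    """Drop records already seen, keyed on host + embedded time + message.
    The receive timestamp is left out of the key on purpose: a replayed copy
    differs from the original only in that field."""
    seen, kept = set(), []
    for line in lines:
        r = parse_line(line)
        key = (r["host"], r["emb"], r["msg"]) if r else line
        if key not in seen:
            seen.add(key)
            kept.append(line)
    return kept


if __name__ == "__main__":
    for b in find_replay_bursts(SAMPLE_LINES):
        print(f"replay burst at {b['recv']}: {b['count']} records, "
              f"embedded {b['oldest']} .. {b['newest']}")
    print(f"{len(SAMPLE_LINES) - len(dedupe(SAMPLE_LINES))} exact repeats dropped")
```

The burst detector is what a SIEM suppression rule would key on (alert once on "replay burst", not once per replayed record); the dedupe is only a stop-gap, since it needs the original copy to have been seen by the same collector.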

stephenw10 (Netgate Administrator):

        Usually when you see the log restart like that it's because it fills and rotates. You might try simply increasing the log file size to prevent that.

mauro.tridici @stephenw10:

          Hello @stephenw10 ,

          thank you for your reply.
Unfortunately, I don't think the problem is due to log rotation (anyway, changing the file size would postpone the problem, but would not solve it).
          The event occurs every day at the exact same time. And it coincides with the one shown in the following screenshot.

[Screenshot 2023-07-04 at 09.57.22.png]

          To update the blacklists and to apply the daily updates of pfBlockerNG, I am forced to leave that setting on.
          I might consider turning it off, but I would lose all the important updates.
          I noticed that there are other users on the forum who have the same problem, but don't know how to solve it.

          Do you have any ideas?

          Thank you very much,
          Mauro

stephenw10 (Netgate Administrator):

            You are using syslog-ng locally on pfSense to export to your external syslog server?

It's the syslog-ng service that's restarting?

mauro.tridici @stephenw10:

              Hello @stephenw10 ,

Yes, I'm using syslog-ng locally on pfSense to export logs to the SIEM.
              I don't know why, but it seems that when pfBlockerNG restarts automatically at 00:00 also syslog-ng is restarted.

              And this is the cause of duplicate logs sending.
              Is there a way to fix this behavior?

              Thank you,
              Mauro

stephenw10 (Netgate Administrator):

                Why are you using syslog-ng rather than exporting directly?

What is shown in the logs when pfBlocker updates and syslog-ng restarts?

mauro.tridici @stephenw10:

                  I don't know how to export logs from pfblockerng "directly" without using syslog-ng.
                  I followed the instructions contained in this conversation:

                  https://forum.netgate.com/topic/180605/how-to-send-pfblockerng-logs-to-remote-log-server-wazuh-siem

                  This is what I see in the pfBlockerng logs during the update:

                  CRON PROCESS START [ v3.2.0_4 ] [ 07/5/23 00:00:00 ]
                  [ compromised_v4 ]
                  Remote timestamp: Tue, 4 Jul 2023 21:13:10 GMT
                  Local timestamp: Mon, 3 Jul 2023 18:46:18 GMT Update found
                  UPDATE PROCESS START [ v3.2.0_4 ] [ 07/5/23 00:00:04 ]

                  ===[ DNSBL Process ]================================================

                  ===[ GeoIP Process ]============================================

                  [ pfB_Top_v4 ] exists. [ 07/5/23 00:00:05 ]

                  ===[ IPv4 Process ]=================================================

                  [ ip_cred_theft_custom_v4 ] exists.
                  [ compromised_v4 ] Downloading update .. 200 OK. completed ..

                  Aggregation Stats:

                  Original Final

                  403 402

                  ===[ Aliastables / Rules ]==========================================

                  No changes to Firewall rules, skipping Filter Reload

                  Updating: pfB_compromised_v4
                  18 addresses added.19 addresses deleted.

                  UPDATE PROCESS ENDED [ 07/5/23 00:00:09 ]

                  And this is the SYSLOG-NG log file content:

                  Jul 5 00:00:00 pfSense_LAN syslog-ng[22079]: Configuration reload finished;
                  Jul 5 00:00:00 pfSense_LAN syslog-ng[22079]: Configuration reload request received, reloading configuration;
                  Jul 5 00:00:14 pfSense_LAN syslog-ng[22079]: The current log file has a mismatching size/inode information, restarting from the beginning; state='affile_sd_curpos(/var/log/pfblockerng/ip_block.log)', stored_inode='944', cur_file_inode='1286', stored_size='3361864', cur_file_size='3202961', raw_stream_pos='3361716'
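
The syslog-ng line above carries the fields that explain the replay: the stored inode (944) differs from the current one (1286), so syslog-ng treats the path as a different file and reads it from offset 0, and the new file already holds about 3.2 MB. The following is an added example, not code from the thread or from syslog-ng, that parses those key='value' fields and classifies the reset so a SIEM rule can tell a file replacement from an in-place truncation. The first two sample lines are from the OP's paste; the third (same inode, size 0) is constructed to show what a truncation looks like.

```python
"""Classify syslog-ng "mismatching size/inode" notices from its own log.

Added example, not code from the thread or from syslog-ng. It reads the
key='value' fields syslog-ng prints with that notice (as in the OP's line)
and states whether the watched file was replaced (inode changed) or
truncated in place (same inode, smaller), and how many bytes syslog-ng
will read again because it restarts at offset 0. The first two sample
lines are from the OP's paste; the third is constructed to show a truncation.
"""
import re

MARKER = "mismatching size/inode"
KV_RE = re.compile(r"(\w+)='([^']*)'")
PATH_RE = re.compile(r"affile_sd_curpos\(([^)]+)\)")

SAMPLE_SYSLOGNG_LOG = """\
Jul 5 00:00:00 pfSense_LAN syslog-ng[22079]: Configuration reload finished;
Jul 5 00:00:14 pfSense_LAN syslog-ng[22079]: The current log file has a mismatching size/inode information, restarting from the beginning; state='affile_sd_curpos(/var/log/pfblockerng/ip_block.log)', stored_inode='944', cur_file_inode='1286', stored_size='3361864', cur_file_size='3202961', raw_stream_pos='3361716'
Jul 6 00:00:03 pfSense_LAN syslog-ng[22079]: The current log file has a mismatching size/inode information, restarting from the beginning; state='affile_sd_curpos(/var/log/pfblockerng/ip_block.log)', stored_inode='1286', cur_file_inode='1286', stored_size='3300000', cur_file_size='0', raw_stream_pos='3300000'
"""


def classify_reset(line):
    """Return None for unrelated lines, else a dict describing the reset."""
    if MARKER not in line:
        return None
    kv = dict(KV_RE.findall(line))
    m = PATH_RE.search(kv.get("state", ""))
    path = m.group(1) if m else kv.get("state", "?")
    stored_size, cur_size = int(kv["stored_size"]), int(kv["cur_file_size"])
    if kv["stored_inode"] != kv["cur_file_inode"]:
        reason = "replaced"   # a different file now sits at this path (rotation/recreate)
    elif cur_size < stored_size:
        reason = "truncated"  # same inode, shrank in place (what `cat /dev/null >` does)
    else:
        reason = "unknown"
    return {
        "time": " ".join(line.split()[:3]),
        "path": path,
        "reason": reason,
        # syslog-ng restarts at offset 0, so everything now in the file is re-sent
        "replay_bytes": cur_size,
        "stored_inode": kv["stored_inode"],
        "cur_inode": kv["cur_file_inode"],
    }


def scan(log_text):
    """All reset events in a syslog-ng log, in order."""
    return [ev for ev in map(classify_reset, log_text.splitlines()) if ev]


if __name__ == "__main__":
    for ev in scan(SAMPLE_SYSLOGNG_LOG):
        print(f"{ev['time']} {ev['path']}: {ev['reason']}, "
              f"inode {ev['stored_inode']}->{ev['cur_inode']}, "
              f"{ev['replay_bytes']} bytes will be re-sent")
```

Run against the OP's line this reports "replaced, 3202961 bytes will be re-sent", which matches the replay he sees; a "truncated" event with replay_bytes 0 is the harmless case.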

stephenw10 (Netgate Administrator):

                    Ah for the pfBlocker logs, I see.

                    If syslog-ng is watching the pfBlocker log file and that is rotated then I would expect that. It appears syslog-ng is seeing the file has changed and restarts and then presumably resends everything from that file?

mauro.tridici @stephenw10:

                      Yes, that's exactly what happens.
                      To avoid this behaviour, I should disable pfBlockerNG daily update (and restart), but I think it is not good practice.

                      Do you think there is a workaround to solve this issue?

stephenw10 (Netgate Administrator):

                        I'm not aware of anything to workaround that.

                        Are you running 2.6? Have you tested this in 2.7?

mauro.tridici @stephenw10:

                          Yes, Steve. I'm running pfSense v.2.6
                          I can try to test the 2.7.
                          I will take a look at 2.7 changelog file as well.

mauro.tridici:

                            Hello @stephenw10 ,

this is to inform you that I solved the issue by adding these lines in the "cron" case statement in the "/usr/local/www/pfblockerng/pfblockerng.php" file:

                            exec("cat /dev/null > /var/log/pfblockerng/ip_block.log");
                            exec("cat /dev/null > /var/log/pfblockerng/unified.log");

                            I hope there is no side effect :)

                            Have a great day,
                            Mauro
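
Added example (not pfSense, pfBlockerNG or syslog-ng code) showing why this workaround stops the replay. It is a minimal tailer that persists (inode, size, offset), the same bookkeeping the syslog-ng notice earlier in the thread shows, run first against a file that is renamed and recreated with old entries still in it (new inode, so the whole new file is read again) and then against the same file truncated in place, which is what `cat /dev/null > file` does (inode unchanged, size 0, so the restart from the beginning finds nothing to re-send). The rotation scenario and the file contents are constructed; the cost is the one Steve notes, the local copy of the log is gone after each cron run.

```python
"""Why a replaced log file is replayed and an in-place truncation is not.

Added example, not pfSense, pfBlockerNG or syslog-ng code: a minimal tailer
that persists (inode, size, offset), the bookkeeping the syslog-ng notice in
this thread shows, run against a temp file that is (a) renamed and recreated
with old entries still in it, then (b) truncated in place, which is what
`cat /dev/null > file` does. The scenario and its contents are constructed.
"""
import os
import tempfile


def read_new(path, state):
    """Emit lines not yet sent. state is None or {"inode", "size", "pos"}."""
    st = os.stat(path)
    pos = 0  # default: restart from the beginning
    if state and state["inode"] == st.st_ino and st.st_size >= state["size"]:
        pos = state["pos"]  # same file and it only grew: continue where we stopped
    # otherwise the inode changed (file replaced) or the file shrank (truncated)
    with open(path, "rb") as f:
        f.seek(pos)
        data = f.read()
    lines = data.decode().splitlines()
    return lines, {"inode": st.st_ino, "size": st.st_size, "pos": pos + len(data)}


def append(path, lines):
    with open(path, "a") as f:
        f.writelines(l + "\n" for l in lines)


def simulate():
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "ip_block.log")
        append(log, ["block 1", "block 2"])
        initial, state = read_new(log, None)

        # (a) rotation: the path is re-pointed at a new file that still holds
        # the old entries (constructed; the OP's notice shows the new file
        # already being about 3.2 MB when it was first seen)
        os.rename(log, log + ".1")
        append(log, ["block 1", "block 2", "block 3"])
        after_rotate, state = read_new(log, state)  # new inode -> offset 0 -> replay

        # (b) the thread's workaround: truncate in place, inode unchanged
        with open(log, "w"):  # same effect as `cat /dev/null > ip_block.log`
            pass
        after_truncate, state = read_new(log, state)  # size shrank -> offset 0 of an empty file
        append(log, ["block 4"])
        after_append, state = read_new(log, state)    # new entries are sent exactly once

        return {
            "initial": initial,
            "after_rotate": after_rotate,
            "after_truncate": after_truncate,
            "after_append": after_append,
        }


if __name__ == "__main__":
    for step, lines in simulate().items():
        print(f"{step:14s} sent {len(lines)} line(s): {lines}")
```

The order of the two `exec` lines relative to the rest of the cron case matters in the same way: the truncation has to happen before the update writes the entries you want kept, or those are lost locally too.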

stephenw10 (Netgate Administrator):

                              Cool, if that works for you I would expect any issues. Since you're exporting all the logs you don't need them locally.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.