Questions about log messages
-
Are 10.28.92.22 and 10.28.92.243 your clients? Do they have the pfSense dashboard open all the time?
The only mitigation for this currently is to reduce what's logged and increase the log sizes. Though one of our devs is looking at this now.
-
@stephenw10 said in Questions about log messages:
Are 10.28.92.22 and 10.28.92.243 your clients? Do they have the pfSense dashboard open all the time?
The only mitigation for this currently is to reduce what's logged and increase the log sizes. Though one of our devs is looking at this now.
Both of the clients had the dashboard open while I was monitoring this. I closed one of them.
The messages going into the log from the GUI are very verbose and they should only be logged in a debugging mode. I didn't see any message that appeared to be an error.
Also, the SSH messages are going into both system / general and authentication. They should not be duplicated.
It would also be great if SNORT had its own log.
-
@bimmerdriver The GUI log is (just) the web server access log so it logs all requests.
Snort does have logs: the alerts are logged, and there is also a log tab on the Snort menu where one can pick one of several log files.
-
I used WireShark to check what's happening on the WAN side of pfSense. The pings are coming from the WAN, however, it appears that the addresses are getting mangled. The "5" is not present in the actual addresses. For example, the actual address for an address logged as "fe80:5::2a0:a50f:fcc3:d7ec" should be "fe80::2a0:a50f:fcc3:d7ec".
Also, looking at the GUI Service log, the messages are being logged at at least 1 Hz, up to 5 Hz. If I didn't know any better, I would suspect that someone left a debug flag set in the code.
Should I log these issues as bugs?
-
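The "fe80:5::..." form reported above is what a scoped (zone-tagged) link-local address looks like when the interface index is carried inside the second 16-bit group of the address; the address on the wire has that group zeroed. The following is an added example by the editor, not code from pfSense or from anyone in this thread, for turning logged addresses back into their on-the-wire form and recovering the embedded index. It assumes the FreeBSD/KAME convention that the second group of a fe80::/10, ff01::/16 or ff02::/16 address may carry an interface index; the sample log line is constructed.

```python
"""Normalise IPv6 addresses with an embedded zone (interface) index.

Editor's added example, not pfSense or forum-thread code. Assumption: the
second 16-bit group of a link-local unicast (fe80::/10) or interface/link
local multicast (ff01::/16, ff02::/16) address holds a kernel-embedded
interface index, as the FreeBSD/KAME scoped-address convention does. On the
wire that group is zero, which matches the packet capture described above.
"""
import ipaddress
import re
from typing import Tuple

# Address ranges in which an embedded index is expected (assumed convention).
SCOPED_RANGES = (
    ipaddress.IPv6Network("fe80::/10"),
    ipaddress.IPv6Network("ff01::/16"),
    ipaddress.IPv6Network("ff02::/16"),
)

# Loose token matcher: candidates start with fe8x/fe9x/feax/febx or ff01/ff02.
# Anything that does not parse as an address is left untouched.
TOKEN_RE = re.compile(r"\b(?:fe[89abAB][0-9a-fA-F]|ff0[12]):[0-9a-fA-F:]+")


def split_scoped(addr: str) -> Tuple[str, int]:
    """Return (wire_address, zone_index) for one logged IPv6 address.

    Addresses outside the scoped ranges are returned in canonical compressed
    form with a zone index of 0.
    """
    ip = ipaddress.IPv6Address(addr)
    if not any(ip in net for net in SCOPED_RANGES):
        return str(ip), 0
    packed = bytearray(ip.packed)
    # Bytes 2-3 are the second 16-bit group: zero on the wire, so any
    # non-zero value here is the embedded interface index.
    zone = int.from_bytes(packed[2:4], "big")
    packed[2:4] = b"\x00\x00"
    return str(ipaddress.IPv6Address(bytes(packed))), zone


def normalize_line(line: str) -> str:
    """Rewrite every scoped address in a log line to its on-the-wire form."""
    def repl(m: "re.Match[str]") -> str:
        try:
            wire, _zone = split_scoped(m.group(0))
        except ValueError:
            return m.group(0)  # not a valid address, leave the token alone
        return wire
    return TOKEN_RE.sub(repl, line)


# Constructed sample in the spirit of a pfSense filterlog line (not a real capture).
SAMPLE_LINE = (
    "filterlog[12345]: 5,,,1000000103,igb0,match,block,in,6,0x00,0x00000,255,"
    "ICMPv6,58,64,fe80:5::2a0:a50f:fcc3:d7ec,ff02:5::1,"
)

if __name__ == "__main__":
    print(split_scoped("fe80:5::2a0:a50f:fcc3:d7ec"))
    print(normalize_line(SAMPLE_LINE))
```

The zone index is worth keeping rather than discarding: two hosts on different segments can legitimately share the same link-local address, so the index is what tells you which interface the traffic arrived on.
-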
@bimmerdriver
re: the GUI log, web servers log all GET and POST etc. requests they receive. That’s how they track usage on the web site. To not have it log anything, don’t make requests, i.e. log out of pfSense and/or close your browser. What you’ve posted looks like normal web server log entries.
https://redmine.pfsense.org/issues/12833
-
@SteveITS said in Questions about log messages:
https://redmine.pfsense.org/issues/12833
With all due respect, with so many messages going into the log, if an actual error happens, it will be lost. I can see that someone troubleshooting a problem or investigating a possible security breach might want to see every single request, but there should be an option to turn off non-critical messages.
-
@bimmerdriver That's all that log is. Errors aren’t logged to a web server access log. HTTP requests are. It could be used to, say, figure out which IP was logged in at what time and what pages they accessed.
-
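Since the GUI log is an access log, the practical way to live with its volume is to filter the dashboard polling out and keep the part that answers "which IP was logged in when, and what did it touch". The following is an added example by the editor, not pfSense code or anything posted in this thread. It assumes nginx combined log format; the sample lines are constructed, and the paths treated as dashboard polling (widget scripts under /widgets/widgets/ and /getstats.php) are illustrative assumptions rather than a list taken from the pfSense source.

```python
"""Filter and summarise web GUI access-log lines.

Editor's added example, not pfSense code. Assumes nginx combined log format.
The dashboard refreshes its widgets every few seconds, so those requests are
treated as routine polling unless they fail; everything else is kept.
"""
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumed polling endpoints (illustrative, not taken from pfSense source).
POLL_PATHS = (
    re.compile(r"^/widgets/widgets/[^/]+\.widget\.php$"),
    re.compile(r"^/getstats\.php$"),
)

# Constructed sample lines; the addresses mirror the thread, the paths are illustrative.
SAMPLE = """\
10.28.92.22 - - [16/Aug/2023:10:15:01 -0700] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
10.28.92.22 - - [16/Aug/2023:10:15:02 -0700] "POST /widgets/widgets/system_information.widget.php HTTP/1.1" 200 512 "https://10.28.92.1/" "Mozilla/5.0"
10.28.92.22 - - [16/Aug/2023:10:15:03 -0700] "GET /getstats.php HTTP/1.1" 200 210 "https://10.28.92.1/" "Mozilla/5.0"
10.28.92.243 - - [16/Aug/2023:10:15:03 -0700] "POST /widgets/widgets/traffic_graphs.widget.php HTTP/1.1" 200 640 "https://10.28.92.1/" "Mozilla/5.0"
10.28.92.22 - - [16/Aug/2023:10:15:09 -0700] "GET /status_logs.php?logfile=system HTTP/1.1" 200 9010 "https://10.28.92.1/" "Mozilla/5.0"
10.28.92.243 - - [16/Aug/2023:10:15:11 -0700] "GET /widgets/widgets/traffic_graphs.widget.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"
10.28.92.50 - - [16/Aug/2023:10:16:00 -0700] "GET /diag_backup.php HTTP/1.1" 401 0 "-" "curl/8.1"
"""
SAMPLE_LINES = SAMPLE.strip().splitlines()


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def is_poll(path: str) -> bool:
    return any(p.match(path) for p in POLL_PATHS)


def interesting(lines: Iterable[str]) -> List[str]:
    """Keep non-polling requests, plus any poll that did not succeed."""
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] >= 400 or not is_poll(rec["path"]):
            kept.append(line)
    return kept


def summarize(lines: Iterable[str]) -> Dict[str, dict]:
    """Per client IP: first/last seen, request and poll counts, errors, pages."""
    per_ip: Dict[str, dict] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip.setdefault(rec["ip"], {
            "first": rec["ts"], "last": rec["ts"],
            "requests": 0, "polls": 0, "errors": 0, "pages": set(),
        })
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
        s["requests"] += 1
        if rec["status"] >= 400:
            s["errors"] += 1
        if is_poll(rec["path"]):
            s["polls"] += 1
        else:
            s["pages"].add(rec["path"])
    return per_ip


if __name__ == "__main__":
    for line in interesting(SAMPLE_LINES):
        print(line)
    for ip, s in summarize(SAMPLE_LINES).items():
        print(ip, s["first"].time(), s["last"].time(), s["requests"], s["polls"],
              s["errors"], sorted(s["pages"]))
```

Failed polls are deliberately kept: a widget returning 500 is exactly the sort of entry that would otherwise drown in the successful ones, and a non-browser client being refused on a backup page is the kind of thing the access log exists to show.
-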
@SteveITS said in Questions about log messages:
@bimmerdriver That's all that log is. Errors aren’t logged to a web server access log. HTTP requests are. It could be used to, say, figure out which IP was logged in at what time and what pages they accessed.
Okay, then there should be a setting to turn it off.
-
Add a note to that bug report.
It's more of an issue because sshguard spams the system log at rotation IMO.
-
@stephenw10 said in Questions about log messages:
Add a note to that bug report.
It's more of an issue because sshguard spams the system log at rotation IMO.
I updated that bug report and created another one for the mangled link-local addresses.
https://redmine.pfsense.org/issues/14692