IPsec Logging levels can no longer be changed..

keyser · Nov 12, 2023, 5:38 PM

Just upgraded to 23.09 on my boxes, and i noted a MASSIVE increase in my SIEM logging from IPSec in pfSense.

After the upgrade all IPSec logging levels (under VPN -> IPSEC -> Advanced Settings) were returned to their defaults.
Those levels are far to noisy for our setup, so I tried dialing some of them down, but changes are not respected (or saved). When ever i return to the log settings, they are at default, and the actual logging is also at default regardless of what I do.

Can others confirm this behaviour?

keyser · Nov 15, 2023, 1:56 PM

@keyser No one?

michmoor · Nov 15, 2023, 2:57 PM

@keyser
if anything my logging for the IPsec process has gone down since the 23.09 update.
I keep my logging at the default settings.

keyser · Nov 15, 2023, 3:24 PM

@michmoor But that does not answer the question. Can you change/disable logging if you wanted to?
No settings are saved/applied when I try.

jimp · Nov 15, 2023, 4:41 PM

Looks like there may be a problem with the GUI display of log settings which are set to Audit which has an internal value of 0. When you change the setting and save, the proper value is stored into the config, but the function that reads it back out is getting confused by the 0 value because PHP's empty() behavior can be a bit boneheaded.

The following change should fix it:

diff --git a/src/etc/inc/ipsec.inc b/src/etc/inc/ipsec.inc
index 68bfad2243..44f3d85edc 100644
--- a/src/etc/inc/ipsec.inc
+++ b/src/etc/inc/ipsec.inc
@@ -1190,7 +1190,7 @@ function ipsec_get_loglevels() {
        $levels = array();
 
        foreach (array_keys($ipsec_log_cats) as $cat) {
-               if (!empty(config_get_path('ipsec/logging/' . $cat))) {
+               if (strlen(config_get_path('ipsec/logging/' . $cat)) > 0) {
                        $levels[$cat] = config_get_path('ipsec/logging/' . $cat);
                } elseif (in_array($cat, array('ike', 'chd', 'cfg'))) {
                        $levels[$cat] = "2";

EDIT: Redmine: https://redmine.pfsense.org/issues/14990

keyser · Nov 15, 2023, 4:44 PM

@jimp Hi Jimp. thanks for the insight and analysis. Will there be a patch for this in the patch tool?

jimp · Nov 15, 2023, 4:46 PM

@keyser said in IPsec Logging levels can no longer be changed..:

@jimp Hi Jimp. thanks for the insight and analysis. Will there be a patch for this in the patch tool?

Yes, eventually, might be next week or later, but you can add in a manual entry now (copy/paste that diff above) and apply it now if you don't want to wait.