IPsec Logging levels can no longer be changed..

keyser

Just upgraded to 23.09 on my boxes, and i noted a MASSIVE increase in my SIEM logging from IPSec in pfSense.

After the upgrade all IPSec logging levels (under VPN -> IPSEC -> Advanced Settings) were returned to their defaults.
Those levels are far to noisy for our setup, so I tried dialing some of them down, but changes are not respected (or saved). When ever i return to the log settings, they are at default, and the actual logging is also at default regardless of what I do.

Can others confirm this behaviour?

keyser

@keyser No one?

michmoor

@keyser
if anything my logging for the IPsec process has gone down since the 23.09 update.
I keep my logging at the default settings.

keyser

@michmoor But that does not answer the question. Can you change/disable logging if you wanted to?
No settings are saved/applied when I try.

jimp

Looks like there may be a problem with the GUI display of log settings which are set to Audit which has an internal value of 0. When you change the setting and save, the proper value is stored into the config, but the function that reads it back out is getting confused by the 0 value because PHP's empty() behavior can be a bit boneheaded.

The following change should fix it:

diff --git a/src/etc/inc/ipsec.inc b/src/etc/inc/ipsec.inc
index 68bfad2243..44f3d85edc 100644
--- a/src/etc/inc/ipsec.inc
+++ b/src/etc/inc/ipsec.inc
@@ -1190,7 +1190,7 @@ function ipsec_get_loglevels() {
        $levels = array();
 
        foreach (array_keys($ipsec_log_cats) as $cat) {
-               if (!empty(config_get_path('ipsec/logging/' . $cat))) {
+               if (strlen(config_get_path('ipsec/logging/' . $cat)) > 0) {
                        $levels[$cat] = config_get_path('ipsec/logging/' . $cat);
                } elseif (in_array($cat, array('ike', 'chd', 'cfg'))) {
                        $levels[$cat] = "2";

EDIT: Redmine: https://redmine.pfsense.org/issues/14990

keyser

@jimp Hi Jimp. thanks for the insight and analysis. Will there be a patch for this in the patch tool?

jimp

@keyser said in IPsec Logging levels can no longer be changed..:

@jimp Hi Jimp. thanks for the insight and analysis. Will there be a patch for this in the patch tool?

Yes, eventually, might be next week or later, but you can add in a manual entry now (copy/paste that diff above) and apply it now if you don't want to wait.