Netgate Discussion Forum

    Sed stream editor on the filter.log file

      WhoAmI68

      Hi all.
      I am using this sed stream editor "sed -i '' '/65.20.170.33/d' /var/log/filter.log" to delete the match line from the filter.log file. It is working fine, but after this, there is no new entry in the firewall logs. Immediately after rebooting PF, it will start writing a new entry.
      Can anyone tell me why this is happening or how I can fix it?
      I do not use SSH; I only use the GUI command prompt.
      Sometimes I just need to delete an IP address from the filter logs.

      For example, if I use truncate -s 0 /var/log/filter.log, it is working fine but it is zero size. In any case, there is no need to restart the system.
      Thanks for help.

        bmeeks

        Probably because your sed session, when it finishes editing and re-writing the file's contents, is closing the open file handle that syslog was using. The truncate command simply zeros out the file size while maintaining the currently open file handle (the one used by syslog within pfSense).

        Rebooting pfSense causes syslog to open a new file handle. You could accomplish the same thing by restarting just the syslog daemon when you finish with your sed edits.

        This is a common complication when trying to fiddle with files that operating system daemons are continuously writing to. If you close out the open file handle, the OS daemon will lose access to the file. Most are not expecting such a thing to happen to them and thus do not have any automatic remediation.

        1 Reply Last reply Reply Quote 1
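The difference between `sed -i` and `truncate` described in the post above comes down to whether the name `filter.log` still refers to the inode the writer has open. The script below is an added example, not part of the thread: it uses a constructed log, file descriptor 8 as a stand-in for the daemon's open handle, and a `rewrite` case that goes beyond the thread by filtering into a temporary file and then overwriting the existing file's contents.

```shell
#!/bin/sh
# Constructed demo: fd 8 stands in for the handle a log daemon keeps open.

inode_of() { ls -i "$1" | awk '{print $1}'; }

# make_log DIR: write three constructed sample lines, print the log path.
make_log() {
    printf '%s\n' \
        'Jan 01 00:00:01 fw filterlog: block 65.20.170.33 -> 192.0.2.10' \
        'Jan 01 00:00:02 fw filterlog: pass 198.51.100.7 -> 192.0.2.10' \
        'Jan 01 00:00:03 fw filterlog: block 65.20.170.33 -> 192.0.2.11' \
        > "$1/filter.log"
    echo "$1/filter.log"
}

# run_case METHOD: prints "<inode changed> <new entry visible> <matches left>".
run_case() {
    dir=$(mktemp -d) || return 1
    log=$(make_log "$dir")
    exec 8>>"$log"                 # writer opens the log once, in append mode
    before=$(inode_of "$log")
    case "$1" in
        sed)     # -i.bak works with BSD and GNU sed; like -i '' it writes a new
                 # file and renames it over the name (old inode becomes *.bak)
                 sed -i.bak '/65\.20\.170\.33/d' "$log" ;;
        rewrite) # filter to a temp file, then overwrite the contents of the
                 # existing inode; lines logged between the two steps are lost
                 grep -v '65\.20\.170\.33' "$log" > "$dir/tmp" || true
                 cat "$dir/tmp" > "$log" ;;
    esac
    after=$(inode_of "$log")
    echo 'Jan 01 00:00:04 fw filterlog: pass 203.0.113.5 -> 192.0.2.10' >&8
    exec 8>&-
    changed=no; if [ "$before" != "$after" ]; then changed=yes; fi
    visible=no; if grep -q '203\.0\.113\.5' "$log"; then visible=yes; fi
    remaining=$(grep -c '65\.20\.170\.33' "$log" || true)
    rm -rf "$dir"
    echo "$changed $visible $remaining"
}

run_case sed       # new inode: the writer's next line never reaches filter.log
run_case rewrite   # same inode: the writer's next line lands in filter.log
```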
          shanahan @WhoAmI68

          @WhoAmI68 said in Sed stream editor on the filter.log file:

          Hi all.
          I am using this sed stream editor "sed -i '' '/65.20.170.33/d' /var/log/filter.log" to delete the match line from the filter.log file. It is working fine, but after this, there is no new entry in the firewall logs. Immediately after rebooting PF, it will start writing a new entry.
          Can anyone tell me why this is happening or how I can fix it?
          I do not use SSH; I only use the GUI command prompt.
          Sometimes I just need to delete an IP address from the filter logs.

          For example, if I use truncate -s 0 /var/log/filter.log, it is working fine but it is zero size. In any case, there is no need to restart the system.
          Thanks for help.

          Ensure that your user account has the necessary write permissions to the filter.log file. If you don't have write permissions, the firewall might not be able to append new entries.
          Use the ls -l /var/log/filter.log command to check the file permissions. If you don't have write permission, use sudo to gain elevated privileges and modify the permissions accordingly.

            WhoAmI68 @shanahan

            @shanahan It is an admin account. The permissions are the same after using sed.

              Gertjan @WhoAmI68

              @WhoAmI68 said in Sed stream editor on the filter.log file:

              I am using this sed stream editor "sed -i '' '/65.20.170.33/d' /var/log/filter.log" to delete the match line from the filter.log file.

              sed reads the file, 'seds' it and rewrites the same file?

              But what about this?
              AFAIK: can syslog 'grep' what it is outputting? Thus filtering the messages?
              If so, have a look at where /etc/syslog.conf is created, add your grep instructions and call it a day?

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.