Are these logs normal under OS Account Changes?
-
Hey guys. I am trying to find information if these logs under "OS Account Changes" are normal on a fresh pfSense install? Especially the
"2025-02-15 12:34:10 [unknown:groupmod] admins(1999)
2025-02-19 16:00:52 [unknown:userdel] admin(0) account removed"
Any help is appreciated.

2023-12-06 21:12:27 [root:groupadd] cyrus(60)
2023-12-06 21:12:27 [root:useradd] cyrus(60):cyrus(60):the cyrus mail server:/nonexistent:/usr/sbin/nologin
2023-12-06 21:12:30 [root:groupadd] messagebus(556)
2023-12-06 21:12:30 [root:useradd] messagebus(556):messagebus(556):D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
2023-12-06 21:12:32 [root:groupadd] openvpn(301)
2023-12-06 21:12:32 [root:useradd] openvpn(301):openvpn(301):OpenVPN pseudo-user:/nonexistent:/usr/sbin/nologin
2023-12-06 21:12:32 [root:groupadd] dhcpd(136)
2023-12-06 21:12:32 [root:useradd] dhcpd(136):dhcpd(136):ISC DHCP daemon:/nonexistent:/usr/sbin/nologin
2025-02-15 13:04:29 [unknown:groupadd] all(1998)
2025-02-15 13:04:29 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2025-02-15 13:04:29 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2025-02-15 13:04:29 [unknown:useradd] admin(0) home /root made
2025-02-15 13:04:29 [unknown:groupmod] all(1998)
2025-02-15 13:04:29 [unknown:groupadd] admins(1999)
2025-02-15 12:09:47 [root:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2025-02-15 12:09:47 [root:usermod] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2025-02-15 12:34:09 [unknown:userdel] admin(0) account removed
2025-02-15 12:34:09 [unknown:groupmod] all(1998)
2025-02-15 12:34:09 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2025-02-15 12:34:09 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2025-02-15 12:34:09 [unknown:useradd] admin(0) home /root made
2025-02-15 12:34:10 [unknown:groupmod] all(1998)
2025-02-15 12:34:10 [unknown:groupmod] admins(1999)
2025-02-19 16:00:52 [unknown:userdel] admin(0) account removed
2025-02-19 16:00:52 [unknown:groupmod] all(1998)
2025-02-19 16:00:52 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2025-02-19 16:00:52 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2025-02-19 16:00:52 [unknown:useradd] admin(0) home /root made
2025-02-19 16:00:52 [unknown:groupmod] all(1998)
2025-02-19 16:00:52 [unknown:groupmod] admins(1999)

It also says under OS User Events
still logged in ttyv0 root
-
Where are you seeing that log? Which pfSense version?
Edit: Ah I see. Yes, those are normal. In pfSense all the users and groups are re-created at each boot.
ttyv0 is just the local console, so that's also expected.
-
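An added example, not from any poster in this thread or from pfSense itself: it parses the "OS Account Changes" line format quoted in the first post, groups entries into bursts, and reports per burst whether the admin delete/re-add pair described in the reply is present and whether any UID 0 account other than root or admin was added or modified. The 5-second burst window, the expected-name set and the `svc-example` line are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the log format quoted in the thread. The last line is
# invented for this example and is not from the poster's log.
SAMPLE = """\
2025-02-15 12:34:09 [unknown:userdel] admin(0) account removed
2025-02-15 12:34:09 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2025-02-15 12:34:09 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2025-02-15 12:34:10 [unknown:groupmod] admins(1999)
2025-02-17 03:12:44 [root:useradd] svc-example(0):wheel(0):constructed entry:/root:/bin/sh
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[([^:\]]+):(\w+)\] ([\w.-]+)\((\d+)\)")
# Assumption: the only UID 0 accounts expected on a default install.
EXPECTED_UID0 = {"root", "admin"}

def parse(text):
    """Yield (timestamp, actor, action, name, numeric id) for each log line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts, actor, action, name, ident = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), actor, action, name, int(ident)

def bursts(events, gap=timedelta(seconds=5)):
    """Group events by time. Assumption: one re-creation pass stays within `gap`."""
    groups = []
    for ev in sorted(events, key=lambda e: e[0]):  # the posted log is not in time order
        if groups and ev[0] - groups[-1][-1][0] <= gap:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return groups

def triage(text):
    """Per burst: start time, admin delete/re-add seen, unexpected UID 0 users."""
    report = []
    for group in bursts(parse(text)):
        actions = {(action, name) for _, _, action, name, _ in group}
        recreated = {("userdel", "admin"), ("useradd", "admin")} <= actions
        odd = sorted({name for _, _, action, name, uid in group
                      if action in ("useradd", "usermod") and uid == 0
                      and name not in EXPECTED_UID0})
        report.append((str(group[0][0]), recreated, odd))
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```
-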
@stephenw10 Hey thanks a lot for the answer. I thought so too but wanted to make sure :)
-
This post is deleted!
-
Something in your network is connecting to those for DNS. It could be unbound in pfSense directly if those are the servers for some domain a client is trying to resolve. It's unlikely to be a problem.
You could check the state table to see if any internal clients are connecting to it directly.