25.07 unbound - pfblocker - python - syslog

jrey

Since the update to 25.07 when unbound restarts -- pfb_unbound.py (python mode) and with syslog enabled -

messages that are sent with the log_info function are duplicated (sent twice) to the syslog
all messages are identified as application "unbound"

the issue is that event rules that look for certain items are thinking for example that unbound has started twice, and that someone should be notified as one example..

(there are many admin type messages that use the log_info function inside the pfp_unbound.py - and other related code - these messages are all duplicated

you can see below filtered "start" message - before the update 1.22.0 (one message)
after the update 1.23.0 (duplicates of every time stamp)

from what I can gather - the problem may have been introduced in python 3.11 and default syslog handling from python - haven't found a reasonable solution.

Screenshot 2025-08-07 at 3.00.22 PM.png

Before Update (24.11)
Screenshot 2025-08-07 at 3.20.20 PM.png

After Update (25.07)
Screenshot 2025-08-07 at 3.21.39 PM.png

jrey

Screenshot 2025-08-07 at 3.34.01 PM.png

I should likely point out that filterdns messages for example are not duplicated, only those from unbound.

stephenw10

Hmm, so you only see this when you have Python mode enabled? And presumably only for events triggered by pfBlocker using Python mode?

jrey

@stephenw10

perhaps not just python mode --

the "start of service" message for example is duplicated and is found in this binary file

fgrep -r "start of service" ./*
Binary file ./sbin/unbound matches

the summaries that are duplicated are located in

 fgrep -r "lower(secs) upper" ./*
Binary file ./lib/libunbound.so.8.1.31 matches
Binary file ./lib/libunbound.a matches
Binary file ./sbin/unbound-control matches
Binary file ./sbin/unbound-checkconf matches
Binary file ./sbin/unbound matches

another line that is duplicated is found in

fgrep -r "histogram of recursion processing times" ./*
Binary file ./lib/libunbound.so.8.1.31 matches
Binary file ./lib/libunbound.a matches
Binary file ./sbin/unbound-control matches
Binary file ./sbin/unbound-checkconf matches
Binary file ./sbin/unbound matches

also found that application name filterdns, also logged some duplicates,
specifically the ones related to Adding Action
seems to come from here:

fgrep -r "Adding Action" ./*
Binary file ./sbin/filterdns matches

the only messages the I have source to at the moment is the messages that come from specifically log_info in pfb_unbound.py

so messages like "init_standard script loaded" and "pfb_unbound.py script existing" are all generated with a call to log_info

interesting enough none of these messages where duplicated before the upgrade.
Also interesting to note that I modified pfb_unbound.py as an easy test and immediately prior to the line logging "pfb_unbound.py script loaded". I added 3 lines
log_info('Bob')
log_info('is your')
log_info('uncle')

I got 6 lines in the syslog file
Bob
Bob
is your
is your
uncle
uncle

what got me thinking python only (and it still could be) is the duplication of the message pfb_unbound.py exiting / loading as the case may be.

Several web articles indicate that "duplicate syslog messages in Python can occur when multiple handlers are attached to the same logger or when log messages propagate through multiple loggers"
Not sure I have control of the binaries to find out what handlers are involved, but there is a further suggestion to ensure you only have one handler for each logger or adjust the propagate setting to prevent redundancy.

other stuff areas I am sending to syslog from the netgate, don't seem to be doubling up.
mostly unbound and the few that are coming from filterdns as discussed above.

I haven't specifically tried without python mode at this point either

Gertjan

@jrey

When you disable pfBlockerng and/or disable Pyhton mode, both in pfBlockerng and unbound, the unbound log lines keep on doubling ?
If, it's unbound doping the double log.

Nothing in the GUI "Custom options" (unbound) ?

jrey

@stephenw10

Seems more interesting this morning.

Early morning Friday 1:30am our graylog server shuts itself down, does some maintenance and starts back up (usually takes < 5 minutes). - not a issue previously - system would come back up and logging would resume as normal.

Got going this morning with this

Screenshot 2025-08-08 at 6.10.57 AM.png

Screenshot 2025-08-08 at 6.12.07 AM.png

nothing from the netgate logged since and until I restarted both syslog and unbound

a down syslog server should not be stopping the service - that seem wrong.

makes me think syslog itself is having issues (or perhaps this as a result of the handlers not playing nice in unbound.

Note: note other systems that log to the same graylog server, worked as expected. That is simply resumed/continued spewing as soon as the system came back online.

jrey

Observation - from a netgate reboot

the messages identified as kernel are not duplicated.

there are then 2 messages from sshguard (looks like this could be a duplicate)
next message is from check_reload_status - this is NOT duplicated.
next messages are from filterdns "Adding Action" these are all duplicated
then there is a message from php-frm (rc.start ... ) NOT Duplicated
then a couple of messages from apcupsd - NOT Duplicated
then a couple more from check_reload_status - NOT Duplicated
one from root. - Boot up Complete - NOT duplicated
the more from filterdns (more perhaps still continuing) "Adding Action" ALL duplicated
then a single kernel "done" message
then two from login (seem like a duplicate)
then two from php-frm (Successful Login ... not sure have to track it down in the local log)
then one from ntpd (NOT duplicated)
then one from syslogd (NOT duplicated)
then unbound messages start (All messages are Duplicated)

In the case of filterdns and unbound the local log file only has a single entry - that's likely true of the others that are duplicated (but I have not checked each case) --

After the netgate was running running - I shutdown the remote syslog server as a test)
the syslogd service stopped again on the netgate.

this is what I am sending to syslog

Screenshot 2025-08-08 at 8.18.49 AM.png

jrey

Restarted ntpd (because why not) - all logged no duplicates in syslog,

Seems the only thing actually duplicating messages might be filterdns and unbound.
none of the duplicated messages in syslog appear in the local source log file.

to answer @Gertjan it seems less likely to be related specifically to python mode and/or pfblocker specifically because well. filterdns comes up first according to the sequence noted above and filterdns messages are duplicated right from the start, unbound enters the startup logging sequence later and they are duplicated with the first message.

syslog service abruptly stopping if the logging server goes away is also a big problem, it shouldn't do that.

my next test, when I have time, will be to uncheck the logging for unbound / filterdns - then restart the syslog server to see if doing that still brings the syslog service on the netgate to a stop.

stephenw10

Hmm, are the logs duplicated both locally and in the remote syslog server?

It 'feels' like maybe Unbound is sending logs independently as well as the local syslogd service. Though I've never seen that before. Or have any idea how it could happen.

I agree the remote syslog server temporarily going down should not stop the service sending. Can you see open states for it when it fails? Is it in a local subnet? In the ARP table?

Gertjan

@jrey

What happens when you temporary select :

?

jrey

said in 25.07 unbound - pfblocker - python - syslog:

In the case of filterdns and unbound the local log file only has a single entry -

They are only duplicated in the syslog not the local file.

@stephenw10 said in 25.07 unbound - pfblocker - python - syslog:

Or have any idea how it could happen.

the only thing, I can think of is that (supported by many web articles) comes back to a problem with the handlers

said in 25.07 unbound - pfblocker - python - syslog:

"duplicate syslog messages in Python can occur when multiple handlers are attached to the same logger or when log messages propagate through multiple loggers"

I would imagine that it is perhaps not only a python issue, but rather a problem with the way these two application (filterdns and unbound) are initializing their log handlers ?.

jrey

@Gertjan

Not sure why that would make any difference since the only ones selected are for the services running on the netgate.

the unselected ones have never been selected, no point. these are not used
Netgate Nexus - not used
DHCP (is not running at all on the netgate, never has, DHCP is handled on a different server)
PPP - not used
Captive Portal - Not used.
Routing Daemon Events - Not used
Wireless - not used

in fact the associated local files (for example dhcp.log, wireless.log, ppp.log etc and the others are all zero bytes on disk).

I can add this to the list of things to try however, Thanks

jrey

@stephenw10

Step 1: uncheck logging for DNS Events (nothing bad happened)
Step 2: stop the syslog server machine (nothing bad happened)
Step 3: force a restart of ntpd because this would generate logging to the now offline server. (nothing bad happened (syslogd did not stop running)
Step 4: start syslog server machine
Step 5: force another restart of ntpd (nothing logged to syslog) it says the syslog is running (there is a entry in the arp table, and states exist)
Step 6: restart syslogd - logging starts (maybe if I had waited longer before doing this restart it may have eventually stopped the service)
Step 7: restart ntpd - now logs the startup on the syslog (no duplicates here never have been)
Step 8: recheck the logging for DNS events (nothing changes)
Step 9: restart unbound (unbound and startup messages as noted above all duplicated)

It seems it is a "new feature" in 25.07 for sure.

Guess I have to spin up a version 2.8 virtual and see if I can recreate it there.
It is pretty basic logging -
My test 2.7 version still works as expected.

I guess I could also reboot back to the boot environment - but it was working fine there, so likely a waste of time. All I have to do is look back to the syslog history and I can see the messages are not duplicated before the update.

stephenw10

@jrey said in 25.07 unbound - pfblocker - python - syslog:

Step 5: force another restart of ntpd (nothing logged to syslog) it says the syslog is running (there is a entry in the arp table, and states exist)

It still logs locally though? Just not sending to the remote syslog server?

jrey

said in 25.07 unbound - pfblocker - python - syslog:

Everything ... I can add this to the list of things to try however, Thanks

@Gertjan @stephenw10

WTH - (I may have used stronger language here)

but selecting "Everything" and restarting syslogd and unbound seems to have stopped the duplicates.

So now the question is why ? The previously unselected items on the list are not even running.. (their associated log files are still all zero bytes. ). Must be in the syslog handler init (order things start maybe?) or top level when everything is selected vs individual items and you end up with a duplicate handler ?

and since that seemed to work, I've shut the syslog server down yet again to see when it comes back up is the netgate resumes without manual intervention on syslog and unbound.
the answer to that is apparently no - because the syslogd service died

Screenshot 2025-08-08 at 12.31.18 PM.png

required a restart of both the syslogd and unbound services to make things "normal" again

stephenw10

Hmm, WTH indeed!

Good clue though.

Seems like that's probably independent of syslogd dying locally.

jrey

@stephenw10 said in 25.07 unbound - pfblocker - python - syslog:

It still logs locally though? Just not sending to the remote syslog server?

yes - still locally - local logging hasn't changed or stopped

yes not sending to syslog (ie didn't recover after the syslog server came back up)

after switching to "everything". the duplicates have stopped, but syslogd just outright died again with I took the syslog server down

I restarted both syslogd and unbound still no duplicates at this point.

something is still not playing nice together. syslog itself or syslog/unbound

and looking at the live stream of data coming into the syslog server
I suddenly remembered why I have turned off "everything" and selected the individual services I had

I'm now seeing a /usr/sbin/cron message for newsyslog (checking every minute if it need to roll local files over ) and the application nginx is sending it's log file when I navigate the any web page.

So "everything" likely includes some things that are not included/available in individual selection.

changing anything on the selection list and hitting save, requires a manual restart of unbound looking at the live stream on the syslog server other events are still coming through

I temporarily changed the setting from Everything back to my list so I could grab the appropriate pfSense.conf file that is generated for syslog.d
and then changed it back to Everything -

I was looking for a specific reference to either cron and/or nginx logging - leaving the system on the dashboard is currently flooding the syslog stream with the everything being done. But hey no duplicates.

Still looking for clues as to why it might hang/die if the remote server goes off line. And if I could specifically stop the nginx messaging that would be cool,

pondering which is worse actually --- duplicate messages from filterdns/unbound or 100's of nginx messages / minute I will simply never use. sitting on the dashboard = bad, sitting on any static page = no messages
the /usr/sbin/cron (messages) are 1 per minute minumum more if other cron jobs run. /usr/sbin/newsyslog every minute seems a bit aggressive to determine if log files need to roll over.

the hanging/dead syslogd is still going to be a problem. can likely "fix" that temporarily with a monitor on the service -

in hind sight I now say to myself you had to push upgrade didn't you. The system was working perfectly with 255+ days of uptime and zero issues. The other side says where is the fun in that.

jrey

@stephenw10

For what it is worth

After sitting turned off for almost 260 days, I started and upgraded a virtual from 2.7.x install to 2.8

the same "duplicate" syslog problem exists there.
when I had the same individual syslog options checked there as I did on my production box) which is the way the virtual was last turned off.

duplicates from unbound

Screenshot 2025-08-08 at 4.12.06 PM.png

changed setting to "everything".
Duplicates gone

Screenshot 2025-08-08 at 4.13.45 PM.png

and "bonus" cron and nginx messages

postilion

@jrey
Yesterday we upgraded three recently installed Netgate 8300-Max firewalls from 24.11 to 25.07. One of the problems we noticed was that our syslogd would die shortly after starting. Last messages in /var/log/system.log were always "syslogd: sendto: Connection refused"

A fourth firewall, which was upgraded to 25.07 prior to deployment did not exhibit this problem.

After reading your experiences I went to the syslog config page and found that an old Graylog server was still referred to in the three problem installs. I removed those entries, and syslogd has been running just fine ever since.

So I can confirm that an unreachable target seems to be enough to kill the syslogd process. This is a bug.
-nic

stephenw10

Hmm, just to be clear is the remote syslog server here in a subnet local to pfSense?

I'm failing to replicate it so far with a missing server. I just get 'host is down' log spam.