Kea DHCP Logging Issue: Dual Output (File + Syslog) Conflict

MoonLight 0

Hello everyone,

I am experiencing a specific integration issue with the Kea DHCP4 service running on pfSense, and I would appreciate your insights.

My objective is to ensure Dual Logging for Kea DHCPv4 logs:

1. To the pfSense GUI (via Syslog): For quick viewing in Status > System Logs > DHCP.
2. To a Dedicated Log File (/var/log/kea-dhcp4.log): This is critical because I use an agent to send this clean, specific log file to CloudWatch Logs (AWS).

I modified the Kea PHP source file (/etc/inc/services.inc) to configure the kea-dhcp4 logger with dual output, which is supposed to be fully supported by Kea.

Here is the configuration I tested (including placing syslog in the first position to test initialization priority):

'loggers' => [[
    'name' => 'kea-dhcp4',
    'severity' => config_get_path('kea/loglevel', 'INFO'),
    'output_options' => [
        [
            'output' => 'syslog' 
        ],
        [
            'output' => '/var/log/kea-dhcp4.log',
            'maxsize' => 512000,
            'maxver' => 7
        ]
    ]
]],

I have confirmed that the generated JSON configuration file (/usr/local/etc/kea/kea-dhcp4.conf) is correct and contains both output blocks. I restarted the Kea DHCP4 service after every change.

Despite the correct configuration, the results are inconsistent:

File Output Works: New logs are correctly written to /var/log/kea-dhcp4.log. My CloudWatch stream is functional when this configuration is active.

Syslog Output Fails: No Kea logs whatsoever appear in the pfSense GUI (neither under the DHCP filter nor in the General system log).

Diagnosis: Kea is sending the dual logging command, but the pfSense syslogd process (FreeBSD) appears to ignore or reject Kea messages when the dual output is configured. When I remove the file output, syslog works.

Is this a known bug or limitation in the Kea and pfSense syslogd integration when using dual output?

Is there an alternative Syslog method (like specifying a facility, e.g., syslog:local7, plus a required pfSense configuration change) that would allow Kea to log to both a file AND appear in the GUI without conflict? (I must keep the dedicated file for CloudWatch).

Thank you in advance for your help and insights!

Gertjan

@MoonLight-0 said in Kea DHCP Logging Issue: Dual Output (File + Syslog) Conflict:

Thank you in advance for your help and insights!

Where did you get this from :

'loggers' => [[
    'name' => 'kea-dhcp4',
    'severity' => config_get_path('kea/loglevel', 'INFO'),
    'output_options' => [
        [
            'output' => 'syslog' 
        ],
        [
            'output' => '/var/log/kea-dhcp4.log',
            'maxsize' => 512000,
            'maxver' => 7
        ]
    ]
]],

?
Suggestion : here and I know it works, as I'm using it right now.

The syslog issue : test if the syslog process is still running.
Don't use this one :

fact-check it :

ps aux | grep 'syslogd'

[25.07.1-RELEASE][root@pfSense.bhf.tld]/root: ps aux | grep 'syslogd'
root    11947   0.0  0.1  14308   3448  -  SCs  29Oct25      0:12.94 /usr/sbin/syslogd -O rfc5424 -s -c -c -l /va
.....

and restart it - GUI method is ok - if needed.

Btw : there is a syslog issue if you send the logs to a remote syslog server. I can fail if the syslog server becomes unreachable. There are some forum threads about that issue - and redmine has mentioned a temp. fix.

MoonLight 0

Hi @Gertjan, thank you for your reply!

Where did you get this from

The default configuration in /etc/inc/services.inc being:

'loggers' => [[
                       'name' => 'kea-dhcp4',
                       'output_options' => [[
                               'output' => 'syslog'
                       ]],
                       'severity' => config_get_path('kea/loglevel', 'INFO')
               ]],

After reading various conversations on the internet, including the one you linked to me, I thought I could add an 'output' entry so that the dhcp logs are also sent to /var/log/kea-dhcp4.log.

The syslog issue : test if the syslog process is still running.

Yes, the syslog process is currently running. I restarted it, but I still don't have any log on the GUI.

To be honest, after rereading the conversion you sent me, I think I'm a little bit lost.
I don't need to add a 'output' => 'syslog' entry so that the logs are displayed on the GUI?
How can I get the logs in /var/log/kea-dhcp4.log and on the GUI exactly?
Sorry if this seems obvious to you.

Thank you!

MoonLight 0

Hi again, @Gertjan

Quick update, looks like the following config will do what I want:

            'loggers' => [
                [
                    'name' => 'kea-dhcp4',
                    'output_options' => [[
                    'output' => 'syslog'
                    ]],
                    'severity' => config_get_path('kea/loglevel', 'INFO')
                ],
                [
                    'name' => 'kea-dhcp4.leases',
                    'output_options' => [[
                    'output' => '/var/log/kea-dhcp4.log',
                    'maxsize' => 512000,
                    'maxver' => 7
                    ]],
                    'severity' => config_get_path('kea/loglevel', 'INFO')
                ]
            ],

Thanks again for your help! :)