System Logs - VPN not logging



  • version

    2.0-BETA4  (i386)
    built on Sun Oct 3 23:44:55 EDT 2010
    FreeBSD 8.1-RELEASE-p1

    It does not log PPTP VPN connections under system logs.

    Can it be fixed?
    Do you need any additional data?

    Thanks


  • Rebel Alliance Developer Netgate

    I thought PPTP logs were under the PPP tab, you just need to press the PPTP button there. I may be wrong though, there's an open ticket for the logging.

    http://redmine.pfsense.org/issues/912



  • Yes, that is an open ticket.
    And yes, I know it is under the VPN tab, PPTP. But it does not log.

    Thanks



  • Hm, I found a new issue related to system logs:
    the firewall log is cleaned up daily.
    For example,
    I had 20 records in the firewall log yesterday, and this morning only one, from today (at 05:xx in the morning), no records from yesterday.
    I've been on this issue for a couple of days, and every morning it's the same thing.

    Can you check this too, please?

    Thanks


  • Rebel Alliance Developer Netgate

    The only way that would happen is if the filter log was filling up with data that could not be parsed, or was discarded by the parser.

    Go to Diagnostics > Command and type "clog /var/log/filter.log" and post some of what shows up there.



  • Thanks jimp

    Here is part of the log file (the full file was too big).

    I have only 2 firewall rules turned on for logging on the WAN interface, and the rule for default rules logging is disabled.

    [filter 1.txt](/public/imported_attachments/1/filter 1.txt)


  • Rebel Alliance Developer Netgate

    Looks like it's almost all IGMP messages logged there. There's probably something about those entries that is making them be discarded by the parser.

    Were you intending to log those IGMP packets?



  • I'm logging only 2 TCP ports…


  • Rebel Alliance Developer Netgate

    And yet the IGMP traffic is filling up the logs, so something must be causing that to get logged somewhere. It might help to see the contents of /tmp/rules.debug



  • OK, thanks
    Here is the file

    rules.txt


  • Rebel Alliance Developer Netgate

    Looking at the logs, you are getting the blocked igmp traffic in on re2 and re3. re2 is VANI and re3 is TELEFONIJA. Something about the traffic is causing it to be blocked but I don't see anything in rules.debug that is making that obvious to see.

    So if you could please get another chunk of the filter.log, and also the output of "pfctl -vvsr" then it should be a bit clearer what rule is causing the logging.



  • OK, I have a rule that blocks some subnets from re3 to re1, but the rule is to block any from xy network/24 source to re1 network/24 dest.

    But I don't see why that is logging, because I have turned off default logging; I'm logging only two rules on WAN.
    So you doubt that there is something causing a problem with logging on PPTP and deleting logs from firewall rules?

    Here are the files, pfctl and filter logs in 3 parts… this time I didn't want to cut anything from the log to make it smaller.

    pfctl.txt
    [filter log part1.txt](/public/imported_attachments/1/filter log part1.txt)



  • part 2 and 3

    thank you

    [filter log part2.txt](/public/imported_attachments/1/filter log part2.txt)
    [filter log part3.txt](/public/imported_attachments/1/filter log part3.txt)


  • Rebel Alliance Developer Netgate

    Well in the log it's showing that the logged IGMP traffic is passed, and it's being logged as a pass. The odd part is that it shows that rules 72 and 77 are causing the log entry, but they are:

    @72 pass in quick on re3 all flags S/SA keep state label "USER_RULE"
    @77 pass in quick on re2 all flags S/SA keep state label "USER_RULE"

    As you can see, no logging on the rules.

    Do you have UPnP enabled? If so, does anything show up under Status > UPnP as having anything open to do with IGMP?

    It's always the same two devices sending the traffic, too, 192.168.1.254 on re3 and 192.168.254.3 on re2.



  • Thanks Jimp,
    I think I'm following you, but I still don't understand how this is related to not logging PPTP VPN traffic? (It's logging, but there are no rules to log???)
    Under
    STATUS->SYSTEM LOGS->VPN (tab) -> (click) PPTP, there is nothing…
    And for the two rules on the WAN interface where I enabled logging, it deletes the log every day.

    Also,
    UPnP is not enabled.
    192.168.254.3 is one of my HP ProCurve switches... but I have 7 of them... and what does it mean, this one is broken?
    It is just the IP address of the device; the switch is in stupid mode, it just passes all traffic.
    192.168.1.254, I don't know what it is, I can't find it :( will take a look.

    But again, I can get this logging thing with this switch thing? It worked on pfs 1.2.3.

    Thanks


  • Rebel Alliance Developer Netgate

    The problem is that the log is full of IGMP messages that are being discarded by the parser, so the log messages you want to see are being crowded out by the other log entries.

    Say you have your GUI log limit set for 50 lines. The system will usually fetch somewhere around 100 lines in case some are skipped or could not be parsed. If 98 out of 100 of those lines are skipped, you will only see two log entries on the page.
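
The crowding-out effect described in the post above, as an added example that is not part of the thread or of pfSense's code. It assumes a tcpdump-style entry layout and a display parser that skips non-TCP/UDP entries; rule 80, interface re0 and every address other than the two named in the thread are constructed.

```python
import re
from collections import Counter

# Assumed tcpdump-style layout of a pf log entry; every line used here is constructed.
ENTRY = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>\w+) in on (?P<iface>\w+): "
    r"\(.*proto (?P<proto>\w+) \(\d+\).*?\) (?P<src>\S+) > (?P<dst>\S+):"
)

def entry(rule, iface, proto, num, src, dst):
    """Build one constructed log line in the assumed layout."""
    return (f"Oct 12 05:00:00 pfsense pf: rule {rule}/0(match): pass in on {iface}: "
            f"(ttl 1, proto {proto} ({num}), length 32) {src} > {dst}: data")

def gui_view(lines, limit):
    """Fetch about twice the display limit, then drop whatever the parser skips."""
    shown = []
    for line in lines[-2 * limit:]:
        m = ENTRY.search(line)
        # Assumption: the display parser discards entries that are not TCP/UDP.
        if m and m["proto"] in ("TCP", "UDP"):
            shown.append(m.groupdict())
    return shown[-limit:]

def noisy_sources(lines):
    """Tally all entries by (rule, interface, protocol, source) to see what fills the log."""
    tally = Counter()
    for line in lines:
        m = ENTRY.search(line)
        if m:
            tally[(m["rule"], m["iface"], m["proto"], m["src"])] += 1
    return tally

def build_log():
    """20 older wanted entries, then 98 IGMP lines and 2 new wanted entries."""
    log = [entry(80, "re0", "TCP", 6, "203.0.113.5.51515", "198.51.100.2.443")] * 20
    for _ in range(49):
        log.append(entry(72, "re3", "IGMP", 2, "192.168.1.254", "224.0.0.1"))
        log.append(entry(77, "re2", "IGMP", 2, "192.168.254.3", "224.0.0.1"))
    log += [entry(80, "re0", "TCP", 6, "203.0.113.9.40000", "198.51.100.2.443")] * 2
    return log

if __name__ == "__main__":
    log = build_log()
    print("entries shown with limit 50:", len(gui_view(log, 50)))
    for key, count in noisy_sources(log).most_common(3):
        print(count, key)
```

The tally is the triage step: it names the rule, interface and source behind the noise even when the display shows almost nothing.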



  • Is it the same thing happening with the firewall log and PPTP VPN? I mean, is it happening for the same reason (logging IGMP traffic)?

    Is there a way to prevent logging so much IGMP traffic? Can I filter it on the pfs machine?

    Also, I set the number of log entries to show to 100, and I set it to show entries in reverse order.
    But logs for PPTP VPN are not logging at all… I connect from outside with VPN and I'm at the same time logged in to the GUI of pfs, and nothing, nothing is listed (shown) under PPTP VPN logs, and it should list my user name with the time when I connect, same thing when I disconnect.

    So the problem is not that something is logged and tomorrow morning is deleted; the problem is that nothing is logged (regarding PPTP VPN).
    If this means anything to you, user authentication is done via an external RADIUS server. But same thing when the local database is used for auth.

    The second problem is with the firewall: it is logging, it lists entries, but every morning it deletes entries from the filter log, but at the same time?

    At least the first problem seems like a bug, don't you think?

    Thanks jimp for your help and your time



  • To be honest, I didn't touch any of my configuration, and I noticed that logs now stay in the log for more than one day.
    I don't like things to be fixed this way, but OK, it works now.

    But back to the main problem, and the reason I opened this thread:
    PPTP logs, is someone up on this problem?
    I didn't try to update to a newer version, since everything else works perfectly.
    Is it fixed in a newer version, should I give it a try?

    Thanks


  • Rebel Alliance Developer Netgate

    I completely rewrote the PPTP/L2TP/PPPoE Server logs. They work fine now.



  • @jimp:

    I completely rewrote the PPTP/L2TP/PPPoE Server logs. They work fine now.

    Just to leave feedback, and to thank you for a great job!

    Everything works perfectly, thank you one more time.
    Regards

