Duplicate logs in remote syslog



  • I have pfSense configured for remote syslogging to a Linux box where I use logwatch to parse the logs.

    I recently upgraded from 1.2.3 to 2.0 and noticed that the format of some firewall (pf) logs had changed.

    While trying to update my logwatch scripts to accommodate this, I noticed that a lot of entries in the syslog
    are duplicated. I originally thought it was a pf-only problem and so created this post: http://forum.pfsense.org/index.php/topic,43222.0.html

    But, upon closer examination, I find that almost every log entry is duplicated (present in the log twice in succession). Since it's not all of them (e.g., logs from /usr/sbin/cron are not duplicated), I suspect this is due to some issue on the pfSense box rather than on the Linux box.

    Any suggestions what to look for/where to look?
    MV



  • OK, figured out my own problem…

    In Status: System logs: Settings, I had selected all the individual categories of events as well as the category "Everything", which I had misinterpreted as meaning "everything else".

    This resulted in a syslog.conf file that forwarded some types of logs twice.

    Unselected all but "Everything" and all is well now.
    MV
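The cause described in the post above, as an added example that is not part of the original thread and is not pfSense code: a checker that reads a BSD-style syslog.conf and lists remote-forwarding rules already covered by a catch-all `*.*` forward to the same host. The sample configuration, the remote address 192.0.2.10 and the function names are constructed for illustration; host (`+`/`-`) blocks are ignored.

```python
import re
from collections import defaultdict

# Constructed sample in BSD syslog.conf syntax (NOT pfSense's real generated file):
# per-category forwards plus an "Everything" catch-all to the same remote host.
SAMPLE_CONF = (
    "!pf\n"
    "*.*\t@192.0.2.10\n"
    "!dhcpd,dhcrelay\n"
    "*.*\t@192.0.2.10\n"
    "!*\n"
    "auth.info;authpriv.info\t@192.0.2.10\n"
    "*.*\t@192.0.2.10\n"
    "*.notice\t/var/log/system.log\n"
)

def forwarding_rules(conf_text):
    """Return {remote: [(program_block, selector, line_no), ...]} for '@host' actions."""
    rules = defaultdict(list)
    block = "*"  # no '!' line yet, or '!*', means "every program"
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or (line.startswith("#") and not line.startswith("#!")):
            continue  # blank line or ordinary comment
        if line.startswith(("!", "#!")):
            block = line.lstrip("#!").strip() or "*"  # start of a program block
            continue
        if line.startswith(("+", "-")):
            continue  # host blocks are out of scope for this sketch
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) == 2 and parts[1].startswith("@"):
            rules[parts[1][1:]].append((block, parts[0], n))
    return rules

def duplicated_forwards(conf_text):
    """List (remote, line_no, block, selector) rules made redundant by a catch-all."""
    findings = []
    for remote, rules in forwarding_rules(conf_text).items():
        catch_all = [r for r in rules if r[0] == "*" and "*.*" in r[1].split(";")]
        if not catch_all:
            continue  # no "Everything"-style rule, so the rules are not flagged
        keep = catch_all[0]
        findings += [(remote, n, b, s) for (b, s, n) in rules if (b, s, n) != keep]
    return findings

if __name__ == "__main__":
    for remote, n, block, sel in duplicated_forwards(SAMPLE_CONF):
        print(f"line {n}: [{block}] {sel} -> {remote} duplicates the catch-all forward")
```

Messages from programs that only match the catch-all rule arrive once, which matches the observation that cron entries were not duplicated.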


  • Rebel Alliance Developer Netgate

    In 2.0.1 and 2.1 I made it so that when you select "everything" it deselects (and greys out) the other checkboxes.



  • Is it possible that there is a similar hidden setting for the pfSense web GUI?

    I am seeing a lot of log entries being duplicated, but not all.

    Nov 12 04:45:27 	php: : Gateways status could not be determined, considering all as up/active.
    Nov 12 04:45:27 	php: : Gateways status could not be determined, considering all as up/active.
    Nov 12 04:45:27 	php: : Could not find IPv6 gateway for interface(opt2).
    Nov 12 04:45:27 	php: : Could not find IPv6 gateway for interface(opt2).
    Nov 12 04:45:27 	php: : Could not find IPv6 gateway for interface(opt2).
    Nov 12 04:45:27 	php: : Could not find IPv6 gateway for interface(opt2).
    Nov 12 07:54:30 	miniupnpd[25738]: upnp_event_recv: recv(): Connection reset by peer
    Nov 12 07:54:30 	miniupnpd[25738]: upnp_event_recv: recv(): Connection reset by peer
    Nov 12 13:07:20 	php: /index.php: Successful login for user 'admin' from: 192.168.x.y
    Nov 12 13:07:20 	php: /index.php: Successful login for user 'admin' from: 192.168.x.y
    

  • Rebel Alliance Developer Netgate

    No, that would be a separate issue and doesn't belong in this thread.

