Remote Logging -> Everything not working properly

cmcdonald · Jul 21, 2013, 2:55 AM

Just today I setup a VPS that will be acting as a receiver for my syslog events. I am logging all of my PASS traffic through my guest interface so it should be spitting out hundreds of "pf" events per second. When I manually tick, "Firewall Events" and any other events that I wish, my remote server picks them up just fine. However, when I choose "Everything", I am not receiving anything from "pf" in my remote syslogs.

jimp · Jul 21, 2013, 3:28 AM

Check /var/etc/syslog.conf with the various options selected.

Post what it looks like in each state.

cmcdonald · Jul 22, 2013, 9:50 PM

@jimp:

Check /var/etc/syslog.conf with the various options selected.

Post what it looks like in each state.

The following conf is with these options checked: System, Firewall, DHCP, Portal, VPN, & Gateway

!radvd,routed,olsrd,zebra,ospfd,bgpd,miniupnpd
!ntp,ntpd,ntpdate
!ppp
!pptps
!poes
!l2tps
!racoon
*.* 								@199.15.x.x
!openvpn
*.* 								@199.15.x.x
!apinger
*.* 								@199.15.x.x
!dnsmasq,filterdns,unbound
*.* 								@199.15.x.x
!dhcpd,dhcrelay,dhclient
*.* 								@199.15.x.x
!relayd
!hostapd
!-ntp,ntpd,ntpdate,racoon,openvpn,pptps,poes,l2tps,relayd,hostapd,dnsmasq,filterdns,unbound,dhcpd,dhcrelay,dhclient,apinger,radvd,routed,olsrd,zebra,ospfd,bgpd,miniupnpd
local0.* 							@199.15.x.x
local3.* 							@199.15.x.x
local4.* 							@199.15.x.x
local7.* 							@199.15.x.x
*.notice;kern.debug;lpr.info;mail.crit; 			@199.15.x.x
news.err;local0.none;local3.none;local7.none 			@199.15.x.x
security.* 							@199.15.x.x
auth.info;authpriv.info;daemon.info 				@199.15.x.x
*.emerg 							@199.15.x.x

The following conf is with everything:


!radvd,routed,olsrd,zebra,ospfd,bgpd,miniupnpd
!ntp,ntpd,ntpdate
!ppp
!pptps
!poes
!l2tps
!racoon
!openvpn
!apinger
!dnsmasq,filterdns,unbound
!dhcpd,dhcrelay,dhclient
!relayd
!hostapd
!-ntp,ntpd,ntpdate,racoon,openvpn,pptps,poes,l2tps,relayd,hostapd,dnsmasq,filterdns,unbound,dhcpd,dhcrelay,dhclient,apinger,radvd,routed,olsrd,zebra,ospfd,bgpd,miniupnpd
!*
*.* 								@199.15.x.x

Finally, this is with all of the items selected manually:


!radvd,routed,olsrd,zebra,ospfd,bgpd,miniupnpd
!ntp,ntpd,ntpdate
!ppp
!pptps
!poes
!l2tps
!racoon
*.* 								@199.15.x.x
!openvpn
*.* 								@199.15.x.x
!apinger
*.* 								@199.15.x.x
!dnsmasq,filterdns,unbound
*.* 								@199.15.x.x
!dhcpd,dhcrelay,dhclient
*.* 								@199.15.x.x
!relayd
*.* 								@199.15.x.x
!hostapd
*.* 								@199.15.x.x
!-ntp,ntpd,ntpdate,racoon,openvpn,pptps,poes,l2tps,relayd,hostapd,dnsmasq,filterdns,unbound,dhcpd,dhcrelay,dhclient,apinger,radvd,routed,olsrd,zebra,ospfd,bgpd,miniupnpd
local0.* 							@199.15.x.x
local3.* 							@199.15.x.x
local4.* 							@199.15.x.x
local7.* 							@199.15.x.x
*.notice;kern.debug;lpr.info;mail.crit; 			@199.15.x.x
news.err;local0.none;local3.none;local7.none 			@199.15.x.x
security.* 							@199.15.249.61
auth.info;authpriv.info;daemon.info 				@199.15.x.x
*.emerg 							@199.15.x.x

cmcdonald · Jul 25, 2013, 8:16 PM

Any ideas? I'm still under the impression that this is a bug.

jimp · Jul 25, 2013, 8:18 PM

Do you have local logging disabled?

cmcdonald · Jul 25, 2013, 11:12 PM

@jimp:

Do you have local logging disabled?

Yes. Writing log files to the disk is disabled.

jimp · Jul 26, 2013, 12:08 AM

Does it give the correct remote behavior if you enable local logging?

cmcdonald · Jul 26, 2013, 12:22 AM

@jimp:

Does it give the correct remote behavior if you enable local logging?

Nope, when I enable local logging while keeping "System Events, Firewall Events, DHCP service events, etc. selected", the remote logging effectively stops. DHCPD events still get pushed through as well as some other services, but according to my firewall rules, PF should be pumping out messages like crazy. Something just isn't right here…

jimp · Jul 26, 2013, 8:02 PM

I was finally able to reproduce this, but it's odder than even you describe.

I can set it up and make no changes, and it works every other time I press Save.

Press Save, they work. Press Save, they stop. Press save, they work again. Press Save, they stop again. [Repeat]

And the same behavior happens whether I have "everything" checked or just the firewall events.

cmcdonald · Jul 26, 2013, 10:22 PM

@jimp:

I was finally able to reproduce this, but it's odder than even you describe.

I can set it up and make no changes, and it works every other time I press Save.

Press Save, they work. Press Save, they stop. Press save, they work again. Press Save, they stop again. [Repeat]

And the same behavior happens whether I have "everything" checked or just the firewall events.

Ah, yep you are correct! I probably didn't notice this because I was other time for me I was also switching between "Everything" and selecting individual settings… I'm glad that you are able to reproduce this issue! Hopefully we can get a fix soon :)

jimp · Jul 30, 2013, 6:10 PM

Tracked down the fix for this.

The tcpdump process that was logging from pf was being killed but not restarted as expected.

It'll be fixed in snapshots that pick up this commit (late today, tomorrow, etc): https://github.com/pfsense/pfsense/commit/32fb33927d51dd73ba9d0ef5b483efe66328c92c