Remote Logging Issues



  • I think I found a bug in the Remote Logging Option.  I have DHCP service events disabled, but I still get thousands per day sent to my syslog server.

    x System events
    x Firewall events
    o DHCP service events
    x Portal Auth events
    x VPN (PPTP, IPsec, OpenVPN) events
    x Gateway Monitor events
    x Server Load Balancer events
    x Wireless events

    Example:

    2014-03-15 12:02:31 23 Informational dhcpd DHCPACK on 192.168.2.41 to e8:ab:fa:00:00:00 via re1
    2014-03-15 12:02:31 23 Informational dhcpd DHCPREQUEST for 192.168.2.41 (192.168.2.1) from e8:ab:fa:00:00:00 via re1

    Is there a way to suppress all DHCP syslog events?

    Regards,
    Ultrajones



  • Anyone?



  • I'm trying to get the dhcpd logs to stop, as well.

    I've toggled all the config options on/off, removed the syslog server address / added back, etc.

    Currently on 2.1.1-PRE



  • I'm seeing this problem as well on a 2.1 install (about to update to 2.1.2).  Regardless of the setting in Remote Syslog Settings, DHCP logs are sent to the remote syslog server.

    On a different (2.1.2) system,  remote syslog for DHCP is selected but no DHCP logs are sent.  Again, changing the settings has no effect.



  • I updated the 2.1 (i386) machine to 2.1.2 yesterday and still no joy.

    At first I thought the <dhcp> was being left in the <syslog> section of the config when turning off DHCP logging, but that turned out not to be the case.  Whether that is present or not, the remote syslog is still filling up with dhcpd entries.  Tried rebooting pfSense after changing the setting, still no change.

    Any ideas on where to start looking for the problem?



  • I am on 2.2, so the problem might not be there. But look in /var/etc/syslog.conf, with DHCP remote syslog on, this file looks like:

    !radvd,routed,olsrd,zebra,ospfd,bgpd,miniupnpd
    *.*								%/var/log/routing.log
    !ntp,ntpd,ntpdate
    *.*								%/var/log/ntpd.log
    !ppp
    *.*								%/var/log/ppp.log
    !pptps
    *.*								%/var/log/pptps.log
    !poes
    *.*								%/var/log/poes.log
    !l2tps
    *.*								%/var/log/l2tps.log
    !charon
    *.*								%/var/log/ipsec.log
    !openvpn
    *.*								%/var/log/openvpn.log
    !apinger
    *.*								%/var/log/gateways.log
    !dnsmasq,filterdns,unbound
    *.*								%/var/log/resolver.log
    !dhcpd,dhcrelay,dhclient
    *.*								%/var/log/dhcpd.log
    !relayd
    *.* 								%/var/log/relayd.log
    !hostapd
    *.* 								%/var/log/wireless.log
    !-ntp,ntpd,ntpdate,charon,openvpn,pptps,poes,l2tps,relayd,hostapd,dnsmasq,filterdns,unbound,dhcpd,dhcrelay,dhclient,apinger,radvd,routed,olsrd,zebra,ospfd,bgpd,miniupnpd
    local0.*							%/var/log/filter.log
    local3.*							%/var/log/vpn.log
    local4.*							%/var/log/portalauth.log
    local7.*							%/var/log/dhcpd.log
    *.notice;kern.debug;lpr.info;mail.crit;daemon.none;		%/var/log/system.log
    news.err;local0.none;local3.none;local4.none;			%/var/log/system.log
    local7.none							%/var/log/system.log
    security.*							%/var/log/system.log
    auth.info;authpriv.info;daemon.info				%/var/log/system.log
    auth.info;authpriv.info 					|exec /usr/local/sbin/sshlockout_pf 15
    *.emerg								*
    local7.* 							@10.49.208.111
    
    

    The last line disappears when I uncheck "DHCP service events"
    Would be good to know if that is happening on 2.1.2 - that will help decide if there is a conf file processing issue, or something else.



  • Looking at /var/etc/syslog.conf on 2.1.2,  there is no change to the dhcp services section when you toggle it off/on.  The remote syslog server is never removed.

    !dhcpd,dhcrelay,dhclient
    *.*                                                             %/var/log/dhcpd.log
    *.*                                                             @192.168.1.52
    
    

    I have tried editing the file and removing the line with the remote syslog server.  However, it keeps getting added back in when you toggle "Send log messages to remote syslog server" off/on, even with dhcp services  unchecked.

    –-

    EDIT:  Just tried this on 2.2 and the remote syslog server gets added to the dhcp services, even with it being unchecked.

    Bug filed: https://redmine.pfsense.org/issues/3613



  • I just tried on a 2.1.2 system.

    *.*                                                             @192.168.1.52
    

    That type of line only comes when I have "Everything" checked.
    What exact things do you have checked/unchecked to get what you are reporting?
    And what sequence of actions?
    A screenshot would be helpful, so I can try to reproduce what you are seeing.



  • Very straightforward to reproduce.  I did this on a clean 2.2 VM install that never had remote syslog configured.

    Status: System logs: Settings

    • Check "Enable Remote Logging"
    • Add a server IP address to "Remote Syslog Servers"
    • Under "Remote Syslog Contents" just select "System Events", as an example.
    • Save

    Note: At no time did I ever select "Everything"

    When you view /var/etc/syslog.conf the remote syslog server has been added to the dhcp services.

    !dhcpd,dhcrelay,dhclient
    *.*                                                             %/var/log/dhcpd.log
    *.*                                                             @192.168.1.52
    

    That  @192.168.1.52 entry should not be there unless you have "DHCP service events" ticked.

    I attached a screen shot (from my live 2.1.2 install).  DHCP is not selected, but it is getting configured for remote syslogging.
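
The check done by eye in the posts above, as an added example that is not part of the thread or of pfSense's own code: it parses syslog.conf text, lists every rule whose action forwards to a remote host, and reports forwards sitting inside a program block for a service that is unchecked in the GUI. The function names and the sample configuration are assumptions made for illustration; the sample is constructed to mirror the 2.1.2 fragment quoted in the thread.

```python
# Constructed sample: the dhcpd block carries an '@' forward even though
# "DHCP service events" is meant to be unchecked.
SAMPLE_CONF = """\
!hostapd
*.* \t\t\t%/var/log/wireless.log
!dhcpd,dhcrelay,dhclient
*.*\t\t\t%/var/log/dhcpd.log
*.*\t\t\t@192.168.1.52
!-dhcpd,dhcrelay,dhclient,hostapd
local7.*\t\t%/var/log/dhcpd.log
*.notice;kern.debug;daemon.none;\t%/var/log/system.log
*.notice;kern.debug;daemon.none;\t@192.168.1.52
"""


def remote_forwards(conf_text):
    """Return [(block, selector, host)] for each rule whose action is @host."""
    block = "*"  # before any '!' line, rules apply to every program
    found = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#!"):   # FreeBSD also accepts '#!prog' as a block header
            line = line[1:]
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            block = line[1:].strip()
            continue
        parts = line.split(None, 1)  # selector, then action
        if len(parts) == 2 and parts[1].startswith("@"):
            found.append((block, parts[0], parts[1][1:]))
    return found


def leaked_forwards(conf_text, unchecked_programs):
    """Forwards inside an include block that names an unchecked program."""
    leaks = []
    for block, selector, host in remote_forwards(conf_text):
        if block == "*" or block.startswith("-"):
            continue  # catch-all and '!-' exclusion blocks are not per-service
        if set(block.split(",")) & set(unchecked_programs):
            leaks.append((block, selector, host))
    return leaks


if __name__ == "__main__":
    for leak in leaked_forwards(SAMPLE_CONF, {"dhcpd", "dhcrelay", "dhclient"}):
        print("unexpected remote forward:", leak)
```

On a live system the input would be the contents of /var/etc/syslog.conf, read after saving the settings page.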




  • Same thing here.

    On my 2.1.2 system I can't enable DHCP Service Events.  "Everything" is not checked and there is no change to /var/etc/syslog.conf when toggling DHCP Service Events.

    
    !dhcpd,dhcrelay,dhclient
    *.*                                                             %/var/log/dhcpd.log
    
    

    On my friend's 2.1.2 system I can't disable DHCP Service Events.  Again, no change to /var/etc/syslog.conf when toggling and Everything is unchecked.

    
    !dhcpd,dhcrelay,dhclient
    *.*                                                             %/var/log/dhcpd.log
    *.*                                                             @10.0.1.3
    
    


  • It is just an ordinary cut-and-paste bug in the code.
    This fix for 2.1.2: https://github.com/pfsense/pfsense/pull/1119
    And for master branch (to fix it in 2.2 onwards): https://github.com/pfsense/pfsense/pull/1118



  • Thanks, Phil.

    Can that just be edited in a running system or will it get over-written with a reboot?



  • Just having a look at the system.inc on my machine.

    Does the chunk of code immediately above that (DNS?) have the same problem?




  • Since it is a 1-liner, you could just make the edit direct on your system - Diagnostics->Edit, type in the file name, Load, find the line, change it, press save - but don't stuff up otherwise your system will really be broken, since /etc/inc/system.inc is included by pretty much everything, if you introduce a syntax error then the whole webGUI will be broken, and PHP shutdown/reboot script…!!!

    Otherwise wait until it is committed and use System Patches package to apply it. That way the edit is automated and there is a record on your system of what has been changed.

    Yes, the DNS chunk of code has a similar problem. But there did not seem to actually be an option on the webGUI to turn on/off DNS "resolver" remote syslog. I couldn't work out what string was actually needed there. It might be a completely missing piece of webGUI functionality also. I made a note in the master commit about that so one of the devs can sort it out.



  • I used Filezilla and Notepad++.  Seems to have worked fine.  Now to stop the DHCP entries in friend's syslog.

    Yeah, I noticed there was no GUI check box for that.  If it isn't broken…

    Thanks again.