Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Syslog different in 2.2.x vs 2.1.x

    General pfSense Questions
    3
    16
    1455
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      lshiry last edited by

      Has anyone noticed how much less detail is in the logging in version 2.2?  In version 2.1 there was a lot more useful information in the syslogs.  For example, the dns queries were logged, so you could see who made what dns query.  This and other information is not logged in version 2.2.  Is there a way to get this functionality back?

      1 Reply Last reply Reply Quote 0
      • jimp
        jimp Rebel Alliance Developer Netgate last edited by

        DNS query logging was never an option unless someone manually enabled it in the advanced options of the DNS Forwarder (dnsmasq) – Unless someone switched to the DNS Resolver (unbound), that would have stayed active.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • L
          lshiry last edited by

          Interesting.  I don't think we have any advanced settings set. The dns query logging stopped after upgrading.  Where would I look for those settings?

          1 Reply Last reply Reply Quote 0
          • jimp
            jimp Rebel Alliance Developer Netgate last edited by

            See https://doc.pfsense.org/index.php/DNS_Forwarder_Troubleshooting for that (it has entries for both the forwarder and resolver)

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 0
            • L
              lshiry last edited by

              Ok, I think this is something else.  We do not have this setting enabled, and are not even using the DNS forwarder.  Yet, in the syslogs we can see all the DNS queries as they pass through the firewall on our 2.1.5 pfsense.  On the 2.2 pfsense that does not happen.  What am I missing here?

              1 Reply Last reply Reply Quote 0
              • jimp
                jimp Rebel Alliance Developer Netgate last edited by

                Are the DNS logs sourced from "dnsmasq" in the logs? If so, that option must have been enabled.

                There isn't anything in the base system or packages that would have enabled query logging using the DNS Forwarder or DNS Resolver

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                1 Reply Last reply Reply Quote 0
                • L
                  lshiry last edited by

                  No, here is an example of what I see in the 2.1.5 syslogs:

                  Mar 23 12:30:03 xxx.xxx.xxx.xxx Mar 23 12:30:03 pf: yyy.yyy.yyy.yyy.51658 > 8.8.4.4.53: 26485+ A? mail.acuity.com. (33)

                  (private addresses replaced)
                  xxx.xxx.xxx.xxx = firewall address (syslog source)
                  yyy.yyy.yyy.yyy = traffic source as seen and logged by the firewall

                  These are just hosts on our network querying dns servers, we are not using DNS forwrder or DNS masq.  This is just being logged as the traffic passes through the firewall.

                  1 Reply Last reply Reply Quote 0
                  • jimp
                    jimp Rebel Alliance Developer Netgate last edited by

                    That was being passed through by accident then, as a part of the pf output. We replaced the old log with a cleaner/more concise and easy-to-parse single-line format.

                    If you want to log DNS queries, then use one of the methods from the link I pasted earlier.

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    1 Reply Last reply Reply Quote 0
                    • L
                      lshiry last edited by

                      Oh no, that is too bad.  That was extremely useful info to get in syslog.  So now in order to get that data I need to use either dns forwarder or dnsmasq?  Any chance this can be added back in for those of us that don't want to use either of those?

                      1 Reply Last reply Reply Quote 0
                      • jimp
                        jimp Rebel Alliance Developer Netgate last edited by

                        It was never intended to be there in the first place, and there are no plans to bring back that old log format.

                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!

                        1 Reply Last reply Reply Quote 0
                        • L
                          lshiry last edited by

                          Ok, thanks for your help.

                          1 Reply Last reply Reply Quote 0
                          • johnpoz
                            johnpoz LAYER 8 Global Moderator last edited by

                            so you want to log queries your clients do to say googledns?  Your not running any resolver or forwarder on pfsense or anywhere else in your network?  I do believe both dnsmasq and unbound have options to log queries.  I think dnstap was added to unbound in 1.5.0, so since we just moved to 1.5.3 thought that would be an option?

                            Guess you could always run dnstop to view dns queries, etc.  But you want to log specific IP queries, for troubleshooting or always?

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.01

                            1 Reply Last reply Reply Quote 0
                            • L
                              lshiry last edited by

                              Yes, looking to log all dns queries.  We are not running any dns services on the pfsense.  We are running some bind resolvers, I suppose we could enable query logging on those to get the data.  It was just really nice getting the data in the pfsense logs, and hate that they took it away.  I want to always log dns queries, it is very useful for event correlation and forensics.

                              1 Reply Last reply Reply Quote 0
                              • johnpoz
                                johnpoz LAYER 8 Global Moderator last edited by

                                If your clients are using your bind servers, why would you not log it there and send it to syslog?  Bind has very extensive logging functionality if you want it, etc.

                                As to pfsense fixing how they were sending syslog - its a good thing!!

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.01

                                1 Reply Last reply Reply Quote 0
                                • L
                                  lshiry last edited by

                                  Yes, that is what we will be doing, using the logging in bind.  I agree that the log format needed to be fixed, but I think they could have done it without removing data.

                                  1 Reply Last reply Reply Quote 0
                                  • jimp
                                    jimp Rebel Alliance Developer Netgate last edited by

                                    The data was never supposed to be there in the first place, it was only there by luck/coincidence the way that pf log output was interpreted by tcpdump. It's data that should never have shown up, but…

                                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                    Need help fast? Netgate Global Support!

                                    Do not Chat/PM for help!

                                    1 Reply Last reply Reply Quote 0
                                    • First post
                                      Last post