Filter Logs not showing in WebGUI - pfSense 2.2



  • Hi All,

    Q:1

    I have pfsense 2.2 installed and working fine. Until a few weeks ago filter logs were being displayed properly in the web GUI, but for the last few days it won't show anything.

    If I access the command line and use option 10, it displays the firewall / filter log, but not in the web GUI.

    Q2:

    Squid Package : 2.7.9 pkg v.4.3.6
    LightSquid Package 1.8.2 pkg v.2.35

    Light Squid: I also have squid proxy running with logging enabled; however, whenever I try to generate a report with Light Squid it gives a 404.

    I will be grateful for your suggestions / assistance in getting this resolved.

    Kind regards
    Ack



  • Q1: give us some sample output from the console menu and:

    clog /var/log/filter.log
    

    And then a screenshot of the webGUI firewall log display.

    One possibility is the IGMP logging issue: https://github.com/pfsense/pfsense/commit/091195f09e627f575bb195006d255ad4e85dfef7

    In 2.2 (and earlier) the webGUI Firewall Log display does not display IGMP lines from filter.log
    There is another underlying issue, that sometimes many IGMP packets are seen and logged to filter.log even though the rules they match do not have logging on. That can put a lot of unwanted stuff in filter.log. And then because the webGUI Firewall Log does not display those entries, it looks empty or shorter than requested.

    In 2.2.1 the webGUI Firewall Log display should match what is in filter.log - but there is still the issue of unwanted IGMP packets "clog"ging up filter.log (pardon the pun).



  • Thank you phil.davis for your response.

    Attached are the images / output you requested.

    Even though I have rules enabled with logging, nothing is being displayed in the webGUI when I select "Status > System Logs > Firewall" (Normal, Summary, Dynamic View); all are empty.

    I browsed to the IGMP issue at GitHub but am not sure how I would apply that.

    Also, can I install nano on pfsense via pkg manager?

    Many thanks for your prompt response -





  • Banned

    @phil.davis:

    https://github.com/pfsense/pfsense/commit/091195f09e627f575bb195006d255ad4e85dfef7
    In 2.2.1 the webGUI Firewall Log display should match what is in filter.log - but there is still the issue of unwanted IGMP packets "clog"ging up filter.log (pardon the pun).

    Thank you very much. I have unfixed your fix via System Patches on all affected boxes – because it made my firewall log literally useless.



  • You have the "feature" where unwanted IGMP packets are being logged in filter.log
    The webGUI display is finding the last 100 records in filter.log - but the display has the bug that it will not display any IGMP entries from the log. That is why it says "Last 0 firewall log entries. Max (100)".
    If you apply the patch then the webGUI firewall log table will display the entries from filter.log
    You should be able to do that with System Patches package and add an entry referring to the URL above. Or upgrade to 2.2.1.

    It won't get rid of the underlying problem - filter.log can still get filled with loads of IGMP messages.
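
Added example, not part of the original post or pfSense's own code: a shell helper that measures how much of the tail of filter.log is IGMP (the reason a display that skips IGMP reports "Last 0 firewall log entries") and lists which hosts send it. The sample entries are constructed, and the comma-separated field positions (IP version in field 9, protocol in 17, source in 19) are an assumption about the filterlog entry layout.

```sh
#!/bin/sh
# Added example. On the firewall the input would come from the page's command:
#   clog /var/log/filter.log | tail_summary 100
# Assumption: each entry is "... filterlog: " followed by comma-separated
# fields, with IP version in field 9, protocol name in 17, source in 19.

# Count IGMP vs. other entries among the last N lines (default 100, the
# "Max (100)" window mentioned in the thread).
tail_summary() {
    tail -n "${1:-100}" | awk -F',' '
        /filterlog: / {
            total++
            if ($9 == "4" && tolower($17) == "igmp") igmp++
        }
        END { printf "total=%d igmp=%d other=%d\n", total, igmp, total - igmp }'
}

# List the hosts sending the logged IGMP packets, busiest first.
igmp_sources() {
    awk -F',' '
        /filterlog: / && $9 == "4" && tolower($17) == "igmp" { n[$19]++ }
        END { for (s in n) printf "%d %s\n", n[s], s }' | sort -rn
}

# Constructed sample entries (not taken from a real firewall).
sample_log() {
    cat <<'EOF'
Mar 10 12:00:00 fw filterlog: 70,16777216,,1424000000,em1,match,pass,in,4,0x0,,64,1234,0,DF,6,tcp,60,192.168.1.20,203.0.113.5,51000,443,0,S,1000,,65535,,mss
Mar 10 12:00:01 fw filterlog: 70,16777216,,1424000000,em1,match,pass,in,4,0xc0,,1,0,0,DF,2,igmp,32,192.168.1.50,224.0.0.251,datalength=8
Mar 10 12:00:02 fw filterlog: 70,16777216,,1424000000,em1,match,pass,in,4,0xc0,,1,0,0,DF,2,igmp,32,192.168.1.51,224.0.0.251,datalength=8
Mar 10 12:00:03 fw filterlog: 70,16777216,,1424000000,em1,match,pass,in,4,0xc0,,1,0,0,DF,2,igmp,32,192.168.1.50,224.0.0.251,datalength=8
Mar 10 12:00:04 fw filterlog: 70,16777216,,1424000000,em1,match,pass,in,4,0xc0,,1,0,0,DF,2,igmp,32,192.168.1.50,224.0.0.251,datalength=8
EOF
}
```

When `other=0` for the requested window, every entry the GUI fetched is IGMP, so the 2.2 display has nothing left to show.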



  • @doktornotor:

    @phil.davis:

    https://github.com/pfsense/pfsense/commit/091195f09e627f575bb195006d255ad4e85dfef7
    In 2.2.1 the webGUI Firewall Log display should match what is in filter.log - but there is still the issue of unwanted IGMP packets "clog"ging up filter.log (pardon the pun).

    Thank you very much. I have unfixed your fix via System Patches on all affected boxes – because it made my firewall log literally useless.

    Always happy to help ;)
    Whichever way you go with this, if you are getting the underlying problem of filter.log being flooded with IGMP packet messages then it is a pain. It would be good if the underlying issue can also be solved!


  • Banned

    @phil.davis:

    if you are getting the underlying problem of filter.log being flooded with IGMP packet messages then it is a pain.

    On one network, we have a couple of "smart" LG TVs, each of those is producing tens of these items logged per minute.  >:(

    @phil.davis:

    It would be good if the underlying issue can also be solved!

    Yeah, indeed, ASAP.



  • @phil.davis:

    You have the "feature" where unwanted IGMP packets are being logged in filter.log
    The webGUI display is finding the last 100 records in filter.log - but the display has the bug that it will not display any IGMP entries from the log. That is why it says "Last 0 firewall log entries. Max (100)".
    If you apply the patch then the webGUI firewall log table will display the entries from filter.log
    You should be able to do that with System Patches package and add an entry referring to the URL above. Or upgrade to 2.2.1.

    It won't get rid of the underlying problem - filter.log can still get filled with loads of IGMP messages.

    Thank you for your guidance - filter logs are now being displayed, but with IGMP only. I do have rules with logging enabled but it isn't showing that.

    I will upgrade this box to pfsense 2.2.1 tonight and report back.

    Also, Lightsquid report is giving a 404 not found - any suggestions for that will be helpful? - Thanks

    Many thanks for your assistance


  • Banned

    @pfsenseack:

    Thank you for your guidance - filter logs are now being displayed, but with IGMP only.

    You need to upgrade and revert the patch if you are getting so many IGMP log entries.

    @pfsenseack:

    Also, Lightsquid report is giving a 404 not found - any suggestions for that will be helpful? - Thanks

    New thread in the proper forum section, please.


  • Rebel Alliance Developer Netgate

    Part of the issues likely stems from IGMP packets having ip options set. So if you pass traffic, but the IGMP packets have ip options set, it will still block/log those. So try adding a rule to pass or block igmp without logging but make sure the rule has "allows packets with IP options to pass" checked in advanced features/advanced options.


  • Banned

    @jimp:

    Part of the issues likely stems from IGMP packets having ip options set. So if you pass traffic, but the IGMP packets have ip options set, it will still block/log those.

    I do not see them blocked. I see them passed. And every passed packet creates a log entry. This thing is extremely annoying, to put it mildly. No amount of manual messing with rules (floating or not, pass or block, allow-opts or not) managed to get rid of this log spam. The best I can do is to hide it from the GUI by reverting the patch mentioned above.


  • Moderator

    @jimp:

    Part of the issues likely stems from IGMP packets having ip options set. So if you pass traffic, but the IGMP packets have ip options set, it will still block/log those. So try adding a rule to pass or block igmp without logging but make sure the rule has "allows packets with IP options to pass" checked in advanced features/advanced options.

    Thanks jimp,

    In v.2.2.1, I was getting IGMP Spam on the LAN interface, so I "Checked" the

    "This allows packets with IP options to pass." in the Default Lan Allow Rule in the Adv. Options.

    The IGMP Spamming stopped for me…

