Firewall logging stopped

sazv

Running v2.2.2. 
Firewall logging (to portal) stops immediately after reboot. 
Portal auth logs are empty, and /var/log/portalauth.log appears to be binary.
Clearing logs does not help. 
Syslog logging at least system, ntp, openvpn, and dhcp events without issue. 
Configured to log all events, locally only.
No packages installed. 
Plenty of space (90% free) on /var.
/var/log/filter.log in plaintext showing actively logged entries. (should this be a binary file?)

Any ideas where to start?

Gertjan

@sazv:

Any ideas where to start?

They are binary. There is a reason for that ;) [[url=https://doc.pfsense.org/index.php/Adjusting_the_Size_of_Log_Files]Yep, its in the manual, look here]
You can read them easily, as pfSense reads them:

clog /var/log/system.log

Your file system is writable ?

The syslogd is running ?

ps ax | grep 'syslogd'

sazv

File system is writable, and  other (non-firewall) logs are working as expected.

All the other log files are binary, except filter.log, which is not binary.  I can read it happily with tail.

Gertjan

@sazv:

All the other log files are binary, except filter.log, which is not binary.  I can read it happily with tail.

:o
When  I tailed mine, the last lines of my file were talking about:

Apr  4 18:13:32 pfsense filterlog: 61,16777216,,1000001583,pppoe0,match,block,in,4,0x0,,54,0,0,DF,6,tcp,40,172.26.221.210,90.45.10.215,993,10363,0,R,3662797629,,0,,
Apr  4 18:13:37 pfsense filterlog: 61,16777216,,1000001583,pppoe0,match,block,in,4,0x0,,54,0,0,DF,6,tcp,40,172.26.221.210,90.45.10.215,993,10363,0,R,3662797629,,0,,
Apr  4 18:13:41 pfsense filterlog: 61,16777216,,1000001583,pppoe0,match,block,in,4,0x0,,53,0,0,DF,6,tcp,40,172.26.133.113,90.45.10.215,993,64858,0,R,2148090241,,0,,
Apr  4 18:13:45 pfsense filterlog: 61,16777216,,1000001583,pppoe0,match,block,in,4,0x0,,54,0,0,DF,6,tcp,40,172.26.221.210,90.45.10.215,993,10363,0,R,3662797629,,0,,

… so I entered the WTF mode.

But, guess what ? A closer look - when opening this file in a text editor, showed me that even this file is circular.
The most recent lines were somewhere in the middle of the file:

Apr 30 01:24:09 pfsense filterlog: 62,16777216,,1000001581,pppoe0,match,block,in,4,0x0,,115,29967,0,none,6,tcp,40,10.8.202.143,90.11.62.177,9953,46464,0,R,1129428493,,0,,
Apr 30 02:24:09 pfsense filterlog: 62,16777216,,1000001581,pppoe0,match,block,in,4,0x0,,115,20970,0,none,6,tcp,40,10.8.202.168,90.11.62.177,9953,46114,0,R,1889642985,,0,,
Apr 30 03:24:08 pfsense filterlog: 62,16777216,,1000001581,pppoe0,match,block,in,4,0x0,,115,3167,0,none,6,tcp,40,10.8.202.165,90.11.62.177,9953,32501,0,R,2892616259,,0,,

So, WTF mode Off  ;)

sazv

Don't turn off wtf mode just yet.  I got one, one log entry showing up in the firewall log in the portal.  filter.log is full of entries, but only one ipv4 entry, the one that showed up in the portal, the rest is all ipv6 (none of which show up elsewhere).

sazv

I turned off ipv6 (deselect allow ipv6), and now firewall logging is working fine.  ???