block rules not logging
-
@SteveITS yes, it's happening on multiple routers, but I decided to try to work on this one since it appears to be a shared issue and this one is my home device, so I can mess with it and not cause problems for my clients.
I deleted the filter.log file and reloaded filter, and the file hasn't been re-created.
-
@beatvjiking Try the red "Reset Log Files" button at Status / System Logs / Settings. Failing that, post a screencap of your "Log Rotation Options". Maybe that whole settings page actually.
-
@tinfoilmatt Resetting the logs re-created the file. Interestingly, the permissions are different from what they were before:
old: -rw------- 1 root wheel 0B Dec 12 20:13 filter.log
new: -rw-r--r-- 1 root wheel 0B Dec 24 10:54 filter.log
It's still not populating with any logs.
Screenshot (again, logging default deny is just for testing here):

-
@beatvjiking Check the "Default firewall "pass" rules" checkbox just to see if you can get anything to log. You're squarely in sketchy territory.
-
@tinfoilmatt box checked, nothing whatsoever after pushing traffic through. File size still 0.
I also tried removing the state limiter from the default allow (in case that had something to do with it) and still nothing.
-
@beatvjiking There were only a couple Logging items included with the 25.07 release notes, and I don't see either of them having anything to do with anything. You said you're experiencing this on multiple 4200's you manage? SSD upgrade on those too?
What do you mean by you tried "removing the state limiter"? I don't follow that.
-
@tinfoilmatt the other machines are running pfSense+ 25.11 but running on a variety of hardware. There are some roll-your-own machines, some 8200s, 7100s, 1537s, etc. The other Netgate hardware isn't altered from factory.
By "removing the state limiter" I meant removing the advanced rule option to limit states per device on the default allow. I normally add it to prevent resource exhaustion at the firewall, but wondered if adding it interfered with logging, so I removed it. It didn't change anything.
-
@beatvjiking I'm perplexed—further confounded only by you seeing this on multiple systems.
No syslog-ng install or otherwise any log shipping or anything? Big system disk. No exotic partitioning? Exotic ZFS config?
You already confirmed no RAM disk.
Ruleset looks fine (if not exceedingly straightforward).
Are you doing anything particular with NAT?
-
it’s extreme but maybe set one to defaults temporarily and check. If it works compare config files. If not then it seems something on the router(s)…reinstall?
-
@tinfoilmatt no syslog-ng, no sending logs anywhere else. No exotic partitioning, just the default installer ZFS setup. Nothing weird with NAT. Some of the other affected machines are in failover pairs and NAT through their virtual CARP-managed IP, but there's nothing of that sort going on here.
-
@beatvjiking Does Status / Services show syslogd running? Output of ps -A | grep syslogd?
-
@tinfoilmatt Services shows syslogd running - it's generating logs for itself and other services on the machine. If I had to guess I'd say there has to be something going on with the interaction between filterlog and syslogd, but that's a part of the OS I don't have a lot of familiarity with in FreeBSD. I also don't know how any configuration options in pfSense would mess with that.
ps -A | grep syslogd:
69461 - SCs 0:00.90 /usr/sbin/syslogd -O rfc3164 -s -c -c -l /var/dhcpd/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf
72847 - I 0:00.01 syslogd: syslogd.casper (syslogd)
73151 - Is 0:00.00 syslogd: system.net (syslogd)
68064 1 S+ 0:00.00 grep syslogd
-
@beatvjiking Try flipping on raw logs. Reset log files again after doing so (i.e., two separate saves).
/var/etc/syslog.d/pfSense.conf looks intact?
-
@tinfoilmatt Switched to syslog (the RFC5424 option, I assume), saved, reset the logs, saved, and unfortunately no go.
/var/etc/syslog.d/pfSense.conf contents - it looks like it probably should from what I can tell:
# Automatically generated, do not edit!
!*
auth.*;authpriv.*  /var/log/auth.log
!radvd
*.err  /var/log/routing.log
!routed,zebra,ospfd,ospf6d,bgpd,watchfrr,miniupnpd,igmpproxy
*.*  /var/log/routing.log
!ntp,ntpd,ntpdate
*.*  /var/log/ntpd.log
!ppp
*.*  /var/log/ppp.log
!poes
*.*  /var/log/poes.log
!l2tps
*.*  /var/log/l2tps.log
!charon,ipsec_starter
*.*  /var/log/ipsec.log
!openvpn
*.*  /var/log/openvpn.log
!dpinger
*.*  /var/log/gateways.log
!dnsmasq,named,filterdns,unbound
*.*  /var/log/resolver.log
!dhcpd,dhcrelay,dhclient,dhcp6c,dhcpleases,dhcpleases6,kea2fib6,kea2unbound,kea-dhcp4,kea-dhcp6
*.*  /var/log/dhcpd.log
!hostapd
*.*  /var/log/wireless.log
!filterlog
*.*  /var/log/filter.log
!logportalauth
*.*  /var/log/portalauth.log
!watchdogd
*.*  /var/log/watchdogd.log
!-bgpd,charon,dhclient,dhcp6c,dhcpd,dhcrelay,dnsmasq,dpinger,filterdns,filterlog,hostapd,igmpproxy,ipsec_starter,kea-dhcp4,kea-dhcp6,unbound,kea2fib6,kea2unbound,l2tps,miniupnpd,named,ntp,ntpd,ntpdate,openvpn,ospf6d,ospfd,poes,radvd,routed,watchfrr,zebra
local3.*  /var/log/vpn.log
local5.*  /var/log/nginx.log
*.notice;kern.debug;lpr.info;mail.crit;daemon.none;news.err;local0.none;local3.none;local4.none;local7.none;security.*;auth.info;authpriv.info;daemon.info  /var/log/system.log
*.emerg  *
!*
:msg, startswith, "if_pppoe: "
*.*  /var/log/ppp.log
:*
-
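As an added example (not code from this thread or from pfSense), a small Python checker for the FreeBSD-style program (`!prog`, `!-prog`, `!*`) and property (`:msg, startswith`, `:*`) filter blocks used in the pfSense.conf quoted above: it walks a constructed excerpt of that file and reports where syslogd would write a message from a given program. Assumptions: filterlog logs at local0.info, and the selector comparison flags (`=`, `!`) are not handled.

```python
import re
# Constructed excerpt of the /var/etc/syslog.d/pfSense.conf quoted above (real file is longer).
SAMPLE_CONF = """\
!filterlog
*.*                             /var/log/filter.log
!-filterlog,hostapd
*.notice;kern.debug;daemon.none /var/log/system.log
*.emerg                         *
!*
:msg, startswith, "if_pppoe: "
*.*                             /var/log/ppp.log
:*
"""
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
def _line_selects(selectors, facility, level):
    """FreeBSD selector semantics: entries apply left to right and the last one
    naming the facility wins; 'none' drops it; a level also accepts more severe
    levels. Comparison flags ('=', '!') are not handled."""
    want = None
    for sel in selectors.split(";"):
        facs, _, lvl = sel.partition(".")
        if facs == "*" or facility in facs.split(","):
            want = lvl
    if want in (None, "none"):
        return False
    return want == "*" or LEVELS.index(level) <= LEVELS.index(want)

def destinations(conf, program, facility, level, msg=""):
    """Action fields syslogd would write a `program` message at facility.level to."""
    prog_ok, msg_ok, out = True, True, []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):                # program specification block
            spec = line[1:].lstrip("+")
            if spec in ("", "*"):
                prog_ok = True                  # '!*' (or bare '!') resets
            elif spec.startswith("-"):
                prog_ok = program not in spec[1:].split(",")   # '!-a,b' negation
            else:
                prog_ok = program in spec.split(",")
        elif line.startswith(":"):              # property-based filter block
            m = re.match(r':msg,\s*startswith,\s*"(.*)"', line)
            msg_ok = line == ":*" or (m is not None and msg.startswith(m.group(1)))
        elif prog_ok and msg_ok:                # ordinary 'selector action' rule
            parts = line.split(None, 1)
            if len(parts) == 2 and _line_selects(parts[0], facility, level):
                out.append(parts[1])
    return out
```

Running it over the full generated file with program "filterlog" is a quick way to confirm the routing side of the pipeline is sane before suspecting filterlog or syslogd themselves.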
@beatvjiking There's a checkbox, "Show raw filter logs", on the logs settings page. I was suggesting you try that, and only because you got me thinking about the relationship between system logging and syslogd (something I hadn't previously considered). We're both learning here! lol
-
Not sure what that first line is on your grep output, I do not show that
[25.11-RELEASE][admin@sg4860.home.arpa]/: ps -A | grep syslogd:
95527 - I 0:00.00 syslogd: syslogd.casper (syslogd)
96345 - Is 0:00.00 syslogd: system.net (syslogd)
57157 0 S+ 0:00.00 grep syslogd:
[25.11-RELEASE][admin@sg4860.home.arpa]/:
-
@johnpoz Weird because mine matches (in addition to an HAproxy logging hook). I assumed that was the operative syslogd process. But maybe not. Obligatory mention that I'm on CE 2.8.1-RELEASE over here.
ps -A | grep syslogd
89854 - SCs 0:02.20 /usr/sbin/syslogd -O rfc5424 -s -c -c -l /var/dhcpd/var/run/log -l /tmp/haproxy_chroot/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf
91058 - I 0:00.00 syslogd: syslogd.casper (syslogd)
91991 - Is 0:00.00 syslogd: system.net (syslogd)
56861 1 S+ 0:00.00 grep syslogd
-
@johnpoz Oh. It's because you included a colon in your grep string.
-
@tinfoilmatt I had seen that box so many times over the last 24 hours it stopped mentally registering, lol. I checked it, saved, reset the log files. Still nothing, but I am indeed learning!
-
@beatvjiking I might suggest 'raw logging' plus a reboot for good measure. But I'm running out of weak suggestions.