How to suppress certain syslog messages

Hi,
I am using FreeBSD 15.0 (pfSense 14.11) and I want to suppress/exclude certain syslog messages.

Specifically I do not want to log SSH-logins from a dedicated host as this is my Check_MK server and the SSH-login is a standard check of the Check_MK system.
The log message is: "Connection closed by xxx.xxx.xxx.xxx port xxxxxx [preauth]"

I created a file a.conf in /var/etc/syslog.d/ with the following content:

Code:
!sshd
:msg, !contains, "Connection closed by xxx.xxx.xxx.xxx"

I played around with the content of the file, i.e. using ".*" asterisks, removing the "!" at contains, etc.

pfSense automatically generates the syslog-config based on the GUI. The corresponding file in /var/etc/syslog.d/ is pfSense.conf. By default, pfSense logs all auth.*;authpriv.*-events to /var/log/auth.log.

I stopped the syslog daemon, deleted the pfSense.conf file and restarted the service. By this, I hoped that the a.conf is used first and the sshd-message is suppressed in /var/log/auth.log

Code:
# Automatically generated, do not edit!
!*
auth.*;authpriv.*                                       /var/log/auth.log
!radvd
*.err                                                           /var/log/routing.log
!routed,zebra,ospfd,ospf6d,bgpd,watchfrr,miniupnpd,igmpproxy
*.*                                                                     /var/log/routing.log
!ntp,ntpd,ntpdate
*.*                                                                     /var/log/ntpd.log
!ppp
*.*                                                                     /var/log/ppp.log
!poes
*.*                                                                     /var/log/poes.log
!l2tps
*.*                                                                     /var/log/l2tps.log
!charon,ipsec_starter
*.*                                                                     /var/log/ipsec.log
!openvpn
*.*                                                                     /var/log/openvpn.log
!dpinger
*.*                                                                     /var/log/gateways.log
!dnsmasq,named,filterdns,unbound
*.*                                                                     /var/log/resolver.log
!dhcpd,dhcrelay,dhclient,dhcp6c,dhcpleases,dhcpleases6,kea2unbound,kea-dhcp4,kea-dhcp6
*.*                                                                     /var/log/dhcpd.log
!hostapd
*.*                                                             /var/log/wireless.log
!filterlog
*.*                                                             /var/log/filter.log
!logportalauth
*.*                                                             /var/log/portalauth.log
!watchdogd
*.*                                                             /var/log/watchdogd.log
!-bgpd,charon,dhclient,dhcp6c,dhcpd,dhcrelay,dnsmasq,dpinger,filterdns,filterlog,hostapd,igmpproxy,ipsec_starter,kea-dhcp4,kea-dhcp6,unbound,kea2unbound,l2tps,miniupnpd,named,ntp,ntpd,ntpdate,openvpn,ospf6d,ospfd,poes,radvd,routed,watchfrr,zebra,udpbroadcastrelay
local3.*                                                        /var/log/vpn.log
local5.*                                                        /var/log/nginx.log
*.notice;kern.debug;lpr.info;mail.crit;daemon.none;news.err;local0.none;local3.none;local4.none;local7.none;security.*;auth.info;authpriv.info;daemon.info      /var/log/system.log
*.emerg                                                         *

So far, I was not successful.

First of all, I need to verify that I am using the right syntax to exclude certain messages. Any hints here?
 
Yes Sir! Thx for the hint. What's the advice here? Delete the topic and re-open in the correct spot or are you able to move it (to Firewalls, for example)? Sorry for the inconvenience.

Btw, I already addressed this topic in the netgate forum, but in my defense I need to point out that the core issue is a pure FreeBSD question as it's related to the syslog syntax. Given the fact that all hints in the netgate forum were not successful due to lack of FreeBSD knowledge, I created this topic here.
 
The people from the netgate forum are not wrong: it is a question about (a) syslog syntax, and (b) in what order syslog consumes its config files, and what happens when multiple config lines apply to the same message. And this is way out of my experience messing with syslog.

I am using FreeBSD 15.0 (pfSense 14.11) and I want to suppress/exclude certain syslog messages.
Really FreeBSD 15.0? That's an unsupported and very new version. I'm surprised the pfSense people are basing a system on something that's this uncooked.

I stopped the syslog daemon, deleted the pfSense.conf file and restarted the service. By this, I hoped that the a.conf is used first and the sshd-message is suppressed in /var/log/auth.log
As an experiment, try this: Stop syslog daemon, remove ALL mentions of auth from the pfSense.conf file by editing (without rerunning the GUI), and restart. Then intentionally inject a few auth entries into syslog. See what happens. This might give you an idea of the order the .conf files are read. Then put two contradictory lines into the two .conf files, see what happens.
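
The experiment suggested in the reply above, as an added example that is not part of any post in this thread: it injects two uniquely marked auth messages tagged as sshd with logger(1) and counts how many reach each log file. The log paths are the ones in the posted pfSense.conf; the marker format, the function names and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example: probe where syslogd routes auth messages tagged "sshd".
# Assumptions: logger(1) is installed; the log paths below are taken from the
# pfSense.conf shown in the thread; 192.0.2.10 is a constructed sample address.

LOGS="/var/log/auth.log /var/log/system.log"

# Build a unique marker so lines from earlier runs cannot count as hits.
new_marker() {
    echo "syslog-probe-$$-$(date +%s)"
}

# Send one message as program "sshd" at the given facility.priority.
inject() {   # usage: inject <facility.priority> <marker> <text>
    logger -p "$1" -t sshd "$2 $3"
}

# Count the lines in a log file that carry the marker (0 if unreadable).
hits() {     # usage: hits <logfile> <marker>
    if [ -r "$1" ]; then
        grep -cF -- "$2" "$1" || true
    else
        echo 0
    fi
}

run_probe() {
    marker=$(new_marker)
    # One line shaped like the message to be suppressed, one control line.
    inject auth.info "$marker" "Connection closed by 192.0.2.10 port 50000 [preauth]"
    inject auth.info "$marker" "control line that no filter mentions"
    sleep 1   # give syslogd a moment to write
    for f in $LOGS; do
        echo "$f: $(hits "$f" "$marker") of 2 probe lines"
    done
}

# Only touch syslog when explicitly asked to: sh probe.sh run
if [ "${1:-}" = "run" ]; then
    run_probe
fi
```

Run it once per configuration change (after restarting syslogd) and compare the counts: 2 means nothing was filtered for that file, 1 means only one of the two lines was written, 0 means the file received neither.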
 