newsyslog: can't fopen /var/log/pflog for reading: No such file or directory

ProServ

Active Member

Reaction score: 4
Messages: 182

Hi, have been getting nightly root email about:
Code:
newsyslog: can't fopen /var/log/pflog for reading: No such file or directory
However the file definitely exists:
Code:
# ll /var/log/pflog
-rw-------  1 root  wheel  540 Jul 20 12:21 /var/log/pflog

# file /var/log/pflog
/var/log/pflog: pcap capture file, microsecond ts (little-endian) - version 2.4 (OpenBSD PFLOG, capture length 116)
Any suggestions to get this working?
Thanks.
 

SirDice

Administrator
Staff member
Moderator

Reaction score: 12,018
Messages: 38,467

What are the permissions on /var/ and /var/log?
 
ProServ

> What are the permissions on /var/ and /var/log?
Hi SirDice,
Code:
drwxr-xr-x  29 root  wheel  1024 Jun 21 04:57 /var
drwxr-xr-x  6 root  wheel  3072 Jul 21 02:25 /var/log
-rw-------  1 root  wheel  1972 Jul 21 02:28 /var/log/pflog
Thanks SirDice!
 

Tieks

Active Member

Reaction score: 107
Messages: 249

If newsyslog is indeed running as root, it should be able to open /var/log/pflog with these permissions. Except when pflogd opened that file exclusively for writing. What does your entry for pflogd in /etc/newsyslog.conf look like?
 
ProServ

> If newsyslog is indeed running as root, it should be able to open /var/log/pflog with these permissions. Except when pflogd opened that file exclusively for writing. What does your entry for pflogd in /etc/newsyslog.conf look like?
There is no entry for pflogd.
 
ProServ

After looking at /etc/newsyslog and not seeing any entry for pflog, I added it:
Code:
/var/log/pflog      600  30    *    @T00 JB    /var/run/pflogd.pid
and ran: # newsyslog -vCF
Hopefully it's now fixed.
 

SirDice


It's been split off to /etc/newsyslog.conf.d/pf.conf:
Code:
# $FreeBSD$
/var/log/pflog                          600  3     1000 *     JB    /var/run/pflogd.pid

The last two lines in /etc/newsyslog.conf load extra configuration files from /etc/newsyslog.conf.d and /usr/local/etc/newsyslog.conf.d:
Code:
<include> /etc/newsyslog.conf.d/[!.]*.conf
<include> /usr/local/etc/newsyslog.conf.d/[!.]*.conf
 
ProServ

/etc/newsyslog.conf.d has pf.conf and pf.conf has
/var/log/pflog 600 3 1000 * JB /var/run/pflogd.pid

I presume the above has been there for some time, as I did not add that line. But it doesn't work, as it says no such file.

So what else is causing it to say:
newsyslog: can't fopen /var/log/pflog for reading: No such file or directory

because that file IS there.

I did add to /etc/newsyslog.conf yesterday,
/var/log/pflog 600 30 * @T00 JB /var/run/pflogd.pid

The mail containing the error of no such file was from July 20. In today's email I did not see that error.

Thanks.
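
Added example, not part of the thread and not FreeBSD's own tooling: the thread ends with a rule for /var/log/pflog in both /etc/newsyslog.conf and /etc/newsyslog.conf.d/pf.conf, so this sh script lists every rule for one log file across the main file and the files its `<include>` lines pull in. The function names, the ROOT prefix argument and the sample tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example: list every newsyslog rule for one log file, following
# <include> lines one level deep (the layout quoted in this thread).
# ROOT is a hypothetical prefix so a copy of /etc can be checked in a sandbox.

# find_rules LOGFILE [CONF] [ROOT]  ->  prints "file:line: rule" per match
find_rules() {
    logfile=$1; conf=${2:-/etc/newsyslog.conf}; root=${3:-}
    {
        printf '%s\n' "$root$conf"
        awk '$1 == "<include>" { print $2 }' "$root$conf" |
        while read -r pattern; do
            for f in "$root"$pattern; do        # unquoted: let the glob expand
                if [ -f "$f" ]; then printf '%s\n' "$f"; fi
            done
        done
    } | while read -r f; do
        # Comment lines never match because their first field is "#".
        awk -v logf="$logfile" -v f="$f" \
            '$1 == logf { printf "%s:%d: %s\n", f, NR, $0 }' "$f"
    done
}

# count_rules LOGFILE [CONF] [ROOT]  ->  number of rules found
count_rules() { find_rules "$@" | wc -l | tr -d ' '; }

# make_demo_tree -> prints the path of a constructed tree holding the two
# pflog entries quoted in this thread (sample data built for the demo).
make_demo_tree() {
    d=$(mktemp -d) && mkdir -p "$d/etc/newsyslog.conf.d" || return 1
    cat > "$d/etc/newsyslog.conf" <<'EOF'
# constructed sample
/var/log/pflog      600  30    *    @T00 JB    /var/run/pflogd.pid
<include> /etc/newsyslog.conf.d/[!.]*.conf
<include> /usr/local/etc/newsyslog.conf.d/[!.]*.conf
EOF
    cat > "$d/etc/newsyslog.conf.d/pf.conf" <<'EOF'
# constructed sample
/var/log/pflog                          600  3     1000 *     JB    /var/run/pflogd.pid
EOF
    printf '%s\n' "$d"
}

demo=$(make_demo_tree)
find_rules /var/log/pflog /etc/newsyslog.conf "$demo"   # two rules, two files
rm -rf "$demo"
```

On a live system, `find_rules /var/log/pflog` with no further arguments reads /etc/newsyslog.conf directly.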
 