Solved newsyslogd / pflogd : daily logfiles for pf

Hi Forum,


I'm running PF on some FreeBSD 11.x installs and I would very much like to have daily logfiles containing the entries that land up in the pflog device.
The FreeBSD installs are all 11.1 or 11.2 (binary, no custom kernel etc).

I'm having trouble switching from "max size" rotation to "once a day, regardless of size" rotation.

My pflog entry in /etc/newsyslog.conf looked like this:

Code:
/var/log/pflog      600  3    100    @T00 JB    /var/run/pflogd.pid


and after my attempted change now looks like this:

Code:
/var/log/pflog      600  30    *    @T00 JB    /var/run/pflogd.pid


but no new /var/log/pflog.0.bz2 files are created anymore. If I run the newsyslog binary manually like this:

/usr/sbin/newsyslog -vCF

then the /var/log/pflog.* files are created / rotated.

Could somebody perhaps shed some light on what I'm doing wrong here?

Any help appreciated!


Kind regards,


Ruben
 
Does this still work for any other logfiles? Considering that the syntax looks good to me at first glance I'm starting to wonder if cron is actually active on your server or if it might have been misconfigured.

What does grep newsys /etc/crontab tell you? And # service cron status?
 
Hi ShelLuser,

They look OK:

grep newsys /etc/crontab
0 * * * * root newsyslog


service cron status
cron is running as pid 2122.


Upon closer inspection, this entry doesn't seem to function either:

Code:
/var/log/messages                       644  90    *    @0101T JC

I've added the -v option to /etc/crontab so that it reads:

Code:
0       *       *       *       *       root    newsyslog -v

perhaps the more verbose logging will turn anything up....
 
Well, I'm becoming convinced that the cause for your problems might not be directly related to newsyslog yet could also be something else. Of course based on the information you've been sharing so far.

How did you even conclude that things stopped working? Moved all archives out of the way and then noticed no new ones getting generated? Because I can't really reproduce many problems. Definitely not with the default rules, such as the one for /var/log/messages.

The only theory I have is that a (too?) high number of archives might be picked up incorrectly but that should be testable quite easily.
 
Hi ShelLuser,

If I have a look at all pflog logs:


ls -lhat /var/log/pflog*
-rw------- 1 root wheel 3.1K Aug 8 11:27 /var/log/pflog
-rw------- 1 root wheel 55K May 31 12:00 /var/log/pflog.0.bz2
-rw------- 1 root wheel 1.5K Apr 27 11:30 /var/log/pflog.1.bz2
-rw------- 1 root wheel 587B Apr 27 11:28 /var/log/pflog.2.bz2


I concluded that rotation must've stopped working correctly (or else I'd expect to see 30 pflog.x.bz2 files).

Now, the output of the newsyslog -vvvv cronjob that should have rotated the file was:


/var/log/pflog <30J>: does not exist, skipped.


while it most certainly exists:

ls -laht /var/log/pflog
-rw------- 1 root wheel 24B Aug 8 11:35 /var/log/pflog


getfacl /var/log/pflog
# file: /var/log/pflog
# owner: root
# group: wheel
user::rw-
group::---
other::---


Perhaps the automatic flush from pflogd occurs at the very same second newsyslog is trying to rotate the file? (A little far-fetched, and more people should've run into this issue, I guess :( )

I'll go looking for a system where I can reproduce this issue (and perhaps try a smaller value of 10 instead of 90).
 
Definitely not with the default rules, such as the one for /var/log/messages.

It seems /var/log/messages is being handled by newsyslog correctly, but my configuration entry is just not correct:


# newsyslog -nvvvv | grep messages
/var/log/messages <90J>: --> will trim at Mon Dec 31 23:00:00 2018


I'll switch that one to '@T00' which will probably provide the intended result.
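As an added example (my own code, not from any post in this thread and not FreeBSD's newsyslog source), the script below parses the three newsyslog.conf entries quoted above and applies the '@' restricted ISO 8601 rule from newsyslog.conf(5) to a chosen "now": date fields missing from the spec default to the current date and time fields to midnight, so @T00 resolves to today at 00:00 while @0101T resolves to 1 January of the current year. Two things are my modelling assumptions rather than facts from the page: that a time-based entry is due only during the hour after its trim point (which fits the hourly cron entry and the "will trim at" message shown earlier), and that size and time are independent triggers. The interval and '$' forms of the when field are left out, and the function names (clock, parse_entry, trim_time, rotation_decision, report) are mine.

```python
"""newsyslog.conf(5) 'when' field evaluated offline.

Added example for this thread (not from the posts, not FreeBSD's newsyslog code).
Date fields missing from an '@' spec default to today's date, time fields to
midnight; the one-hour rotation window is my assumption, modelled on the hourly
cron entry and the '--> will trim at' message shown in the thread.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

ROTATE_WINDOW = timedelta(hours=1)  # assumption: due during the hour after the trim point

@dataclass
class Entry:
    path: str
    owner_group: Optional[str]
    mode: int
    count: int
    size_kb: Optional[int]  # None when the field is '*': size never triggers
    when: str
    flags: str              # e.g. 'JB': J = bzip2 the archive, B = binary log
    pidfile: Optional[str]

def clock(s: str) -> datetime:
    """Readable timestamps for the examples: clock('2018-08-08 00:05')."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def parse_entry(line: str) -> Entry:
    """Parse 'logfile [owner:group] mode count size when [flags] [pidfile]'."""
    f = line.split()
    path = f.pop(0)
    owner_group = f.pop(0) if ":" in f[0] else None
    mode, count, size, when = int(f.pop(0), 8), int(f.pop(0)), f.pop(0), f.pop(0)
    flags = f.pop(0) if f and not f[0].startswith("/") else ""
    pidfile = f.pop(0) if f and f[0].startswith("/") else None
    return Entry(path, owner_group, mode, count, None if size == "*" else int(size),
                 when, flags.replace("-", ""), pidfile)

def trim_time(when: str, now: datetime) -> Optional[datetime]:
    """None for '*'; for '@[date][T[time]]' the trim point, where date is
    [[[cc]yy]mm]dd and time is hh[mm[ss]].  Interval and '$' forms raise."""
    if when == "*":
        return None
    if not when.startswith("@"):
        raise ValueError(f"interval and '$' forms are not modelled: {when!r}")
    date_part, _, time_part = when[1:].partition("T")
    if (len(date_part) not in (0, 2, 4, 6, 8) or len(time_part) not in (0, 2, 4, 6)
            or not all(c.isdigit() for c in date_part + time_part)):
        raise ValueError(f"malformed restricted ISO 8601 time: {when!r}")
    year, month, day = now.year, now.month, now.day
    if len(date_part) == 8:
        year, date_part = int(date_part[:4]), date_part[4:]
    elif len(date_part) == 6:
        year, date_part = year - year % 100 + int(date_part[:2]), date_part[2:]
    if len(date_part) == 4:
        month, date_part = int(date_part[:2]), date_part[2:]
    if len(date_part) == 2:
        day = int(date_part)
    hh, mm, ss = (int(time_part.ljust(6, "0")[i:i + 2]) for i in (0, 2, 4))
    return datetime(year, month, day, hh, mm, ss)

def rotation_decision(entry: Entry, now: datetime, size_kb: int = 0) -> Tuple[bool, str]:
    """Size and time are independent triggers: rotate when either one is met."""
    if entry.size_kb is not None and size_kb >= entry.size_kb:
        return True, f"size {size_kb}K >= {entry.size_kb}K"
    t = trim_time(entry.when, now)
    if t is None:
        return False, "size below limit and no time specification"
    if t <= now < t + ROTATE_WINDOW:
        return True, f"time is up ({t:%a %b %d %H:%M:%S %Y})"
    return False, f"will trim at {t:%a %b %d %H:%M:%S %Y}"

# Constructed copy of the entries quoted in the thread.
THREAD_CONF = """\
/var/log/pflog      600  3    100    @T00 JB    /var/run/pflogd.pid
/var/log/pflog      600  30    *    @T00 JB    /var/run/pflogd.pid
/var/log/messages                       644  90    *    @0101T JC
"""

def report(conf: str, now: datetime) -> List[Tuple[str, str, bool, str]]:
    """Evaluate every entry at 'now'; (path, when, rotate, reason) per entry."""
    rows = []
    for line in conf.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            e = parse_entry(line)
            rows.append((e.path, e.when) + rotation_decision(e, now))
    return rows

if __name__ == "__main__":
    # The 00:xx cron run on the day of the thread's ls output, then New Year's Day:
    # @T00 is due on both, @0101T only on 1 January.
    for now in (clock("2018-08-08 00:05"), clock("2019-01-01 00:05")):
        print(f"--- newsyslog run at {now}")
        for path, when, rotate, reason in report(THREAD_CONF, now):
            print(f"{path:<18} {when:<8} {'rotate' if rotate else 'skip':<7} {reason}")
```

Run it as-is and compare with what `newsyslog -nvvvv` prints on the box. Note that the real newsyslog reported "Mon Dec 31 23:00:00 2018" for the @0101T entry rather than 1 January 00:00; this model ignores the local-time and daylight-saving details that the real tool inherits from mktime(3), so treat its trim points as approximations and the rotate/skip column as the thing to check. The `-F` flag seen earlier in the thread bypasses this time window entirely, which is why a manual `newsyslog -vCF` rotated the file while the cron runs did not.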
 
Hi,

/var/log/messages rotated perfectly after the adjustment.

Somebody contacted me in response to a thread on the mailing lists which I started. After a lot of troubleshooting (offering various insights), the culprit was eventually identified as an old shellscript that still ran every 5 minutes that did some sort of rotation attempt as well.

With that shellscript out of the way (which bluntly removed the /var/log/pflog file just before newsyslog's attempt to rotate it) things work just like they should.

Case closed :)
 