Author Topic: System logs still a mess on 2.2.1  (Read 1078 times)

Offline Mr. Jingles

System logs still a mess on 2.2.1
« on: April 15, 2015, 04:58:43 am »
This has been the case ever since 2.0. I am now on 2.2.1, and still the 'spontaneous', unsolicited mixing of rules and their descriptions is happening.

An example is attached. No rule description, and why that rule clutters up my log is a mystery to me; I didn't tell pfSense to log these things. I only told it to log my explicit block rules and some explicit pass rules for monitoring if VPN works.

Then the second problem: sometimes (often) we see a block with a rule description that is total nonsense. For example: it blocks out, and then the rule description is "allow LAN out".

So the log is still useless after all these years. Can this please (please?  :-* ) be fixed?

Offline phil.davis

Re: System logs still a mess on 2.2.1
« Reply #1 on: April 15, 2015, 06:00:20 am »
There is a known issue with IGMP packets being logged even though no logging is on for any rule that would match those packets.
It has been clogging up the filter.log for some time, but was not seen on the GUI Firewall Log display. I fixed the Firewall Log display so it shows everything that is in the actual filter.log - but so far the underlying cause of the unwanted log entries is not resolved.
https://redmine.pfsense.org/issues/4383
As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

Offline Mr. Jingles

Re: System logs still a mess on 2.2.1
« Reply #2 on: April 15, 2015, 01:46:47 pm »
Quote
I fixed the Firewall Log display so it shows everything that is in the actual filter.log - but so far the underlying cause of the unwanted log entries is not resolved.
https://redmine.pfsense.org/issues/4383

Nice to hear from you again Phil  :-*

What do you mean with 'fixed'? Fixed what? (sorry, didn't understand it  :-[ ).

Aside from that: there's also the issue of the logs being worthless since descriptions don't match actual rule fired. Here since 2.0. I posted this before somewhere, and got numerous replies from other members, also the Sr.'s, that this is a mess.

Why don't we fix something as vitally important as logs? Over at SAP we did this differently. We're here in the INFORMATION business. That starts with proper *information*.

Offline phil.davis

Re: System logs still a mess on 2.2.1
« Reply #3 on: April 15, 2015, 01:56:07 pm »
Quote
What do you mean with 'fixed'? Fixed what?
The actual filter.log where the real firewall log messages are written actually had the (unwanted) IGMP log records in it. That was filling filter.log anyway.
The code that reads filter.log and formats and displays the content on the GUI had a problem understanding IGMP protocol log records. So the IGMP logs were not being shown on the GUI. I fixed that problem - now the user sees the same on the GUI display as what is in the real log file.
As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

Offline Mr. Jingles

Re: System logs still a mess on 2.2.1
« Reply #4 on: April 19, 2015, 04:35:27 am »
Quote
What do you mean with 'fixed'? Fixed what?
The actual filter.log where the real firewall log messages are written actually had the (unwanted) IGMP log records in it. That was filling filter.log anyway.
The code that reads filter.log and formats and displays the content on the GUI had a problem understanding IGMP protocol log records. So the IGMP logs were not being shown on the GUI. I fixed that problem - now the user sees the same on the GUI display as what is in the real log file.

Thanks Phil  ;D

So did you 'hack' something in the code, or is this supposed to be the official release? (I'm on 2.2.1). What I am meaning to say is: how can I make it go away?


Offline doktornotor

Re: System logs still a mess on 2.2.1
« Reply #5 on: April 19, 2015, 04:37:59 am »
Quote
What I am meaning to say is: how can I make it go away?

You cannot make it go away from the log. You can make it go "away" from the GUI by reverting the fix.
Do NOT PM for help!

Offline Mr. Jingles

Re: System logs still a mess on 2.2.1
« Reply #6 on: April 19, 2015, 04:40:49 am »
And a polite question to the admins/devs on this board:

When are these logs going to be fixed as to the wrong descriptions?

Rule16 has the description of Rule488.

I vaguely recall having brought this up in the past, and one of the admins then replied 'this is logical, by design', and then something about 'when the firewall rules are reloaded' (apologies, still doing this from memory).

You will have to excuse me: it is not logical, and hopefully not design.

I have extensive experience in SAP: you could not even imagine the description of article1 being mixed up with that of article1900 being called 'design' instead of a big fat bug.

(Well, actually, you can imagine that if you outsource your development to some of these 'highly skilled' offshore 'IT-specialists' who only the day before working for your project as a 'Sr. expert' was still walking goats in the field  ;D ;D ;D

Trust me: 'been there, 've seen all the blatant lies in this 'off shoring = good for you' hype. Was one of the guys who had to clean up messes like that  8) ).

Offline Mr. Jingles

Re: System logs still a mess on 2.2.1
« Reply #7 on: April 19, 2015, 04:41:32 am »
Quote
What I am meaning to say is: how can I make it go away?

You cannot make it go away from the log. You can make it go "away" from the GUI by reverting the fix.

Thanks Dok ;D

But I didn't apply a fix. So in the official 2.2.1 was the 'fix' that arranged this bug?

Offline doktornotor

Re: System logs still a mess on 2.2.1
« Reply #8 on: April 19, 2015, 05:10:05 am »
Well, I do not know how to make it more explicit. The fix ONLY makes VISIBLE what ALREADY WAS THERE. Someone thought it'd be awesome to have hidden rule to log all packets with IP options set or similar nonsense. (Also, the wrong descriptions are a symptom of this "feature" with things like pfBNG.)
Do NOT PM for help!

Offline Mr. Jingles

Re: System logs still a mess on 2.2.1
« Reply #9 on: April 19, 2015, 05:26:18 am »
Quote
Well, I do not know how to make it more explicit. The fix ONLY makes VISIBLE what ALREADY WAS THERE. Someone thought it'd be awesome to have hidden rule to log all packets with IP options set or similar nonsense. (Also, the wrong descriptions are a symptom of this "feature" with things like pfBNG.)

Sorry Dok, you know I am stupid: what fix?

I mean: I don't care that it is there somewhere in some *.log, I don't want to see it in the GUI.

So this fix was contained in an official upgrade somewhere?

From 2.1.5 -> 2.2.0?

Or from 2.2.0 -> 2.2.1? (I skipped 2.2.0, too many bugs).

So reverting that 'fix' means doing that scary stuff with github and patches? (Possibly breaking something else).

The firewall description may be related to this, but this is not the sole cause then: this completely useless log has been there as long as I use 2.0+, way long before this 224-nonsense.


Offline doktornotor

Re: System logs still a mess on 2.2.1
« Reply #10 on: April 19, 2015, 05:29:53 am »
Quote
Sorry Dok, you know I am stupid: what fix?

This: https://redmine.pfsense.org/issues/4343

If you still don't understand, then tough cookies, simply live with it.
Do NOT PM for help!

Offline Mr. Jingles

Re: System logs still a mess on 2.2.1
« Reply #11 on: April 19, 2015, 06:21:33 am »
Quote
Sorry Dok, you know I am stupid: what fix?

This: https://redmine.pfsense.org/issues/4343

If you still don't understand, then tough cookies, simply live with it.

This I understood  ;D

So I hope in Target version 2.2.3 this bug will be fixed again.

Offline doktornotor

Re: System logs still a mess on 2.2.1
« Reply #12 on: April 19, 2015, 07:06:21 am »
Yeah, I hope as well... it's not really just the log noise. Screws other areas as well.
Do NOT PM for help!

Offline phil.davis

Re: System logs still a mess on 2.2.1
« Reply #13 on: April 19, 2015, 11:53:46 am »
I happened to want to see some IGMP packets logged at the time. They did not show up in the Firewall Log GUI, then I looked in the actual filter.log file and found they were actually there. So I made the fix to the Firewall Log GUI so it would display the IGMP in the GUI:
https://github.com/pfsense/pfsense/pull/1456/files
That went into whatever releases came out after 31 Jan 2015.
You can manually remove those 3 lines of code if you like, but the IGMP rubbish is still going in the real log file and if there is a lot of it then the real logs you are interested in will tend to "fall off the back".
Then I realised there were more IGMP packets in the Firewall Log than I expected/asked for/wanted - even when I turned logging off on various rules I still got IGMP packets. So I raised a Redmine bug about that:
https://redmine.pfsense.org/issues/4383
That has not been fixed - until there is a fix for that, those of us who have devices that are emitting IGMP packets in any quantity can have our firewall log overwhelmed by unwanted IGMP packets being logged.
As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
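
One way to measure how much of filter.log the unwanted IGMP records occupy, and which rule number and tracker ID logged them, as discussed in the post above. This is an added example, not code from pfSense or from any poster in this thread. It assumes the comma-separated filterlog record layout for IPv4 noted in the comments; the sample lines, hostname, interfaces, rule numbers and tracker IDs are constructed.

```python
from collections import Counter

# Constructed sample records (not from the thread). Assumed IPv4 field layout:
# rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,
# tos,ecn,ttl,id,offset,flags,proto-id,proto-text,length,src,dst,...
SAMPLE_LOG = """\
Apr 19 04:30:01 fw filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,64,4321,0,none,6,tcp,60,203.0.113.7,192.0.2.10,51515,22,0,S,12345,,1024,,mss
Apr 19 04:30:02 fw filterlog: 9,16777216,,1000000117,em1,match,block,in,4,0xc0,,1,0,0,DF,2,igmp,32,192.168.1.20,224.0.0.22,datalength=8
Apr 19 04:30:03 fw filterlog: 9,16777216,,1000000117,em1,match,block,in,4,0xc0,,1,0,0,DF,2,igmp,32,192.168.1.21,224.0.0.22,datalength=8
Apr 19 04:30:04 fw filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,64,999,0,none,17,udp,78,203.0.113.9,192.0.2.10,40000,137,58
Apr 19 04:30:05 fw filterlog: 9,16777216,,1000000117,em1,match,block,in,4,0xc0,,1,0,0,DF,2,igmp,32,192.168.1.20,224.0.0.1,datalength=8
"""


def parse_record(line):
    """Return the fields of interest from one filterlog line, or None."""
    _, sep, payload = line.partition("filterlog: ")
    if not sep:
        return None  # not a filterlog record
    f = payload.strip().split(",")
    if len(f) < 9:
        return None  # truncated record
    # Only IPv4 records are decoded here; IGMP is an IPv4 protocol.
    proto = f[16].lower() if f[8] == "4" and len(f) > 16 else "not-decoded"
    return {"rule": f[0], "tracker": f[3], "iface": f[4],
            "action": f[6], "proto": proto}


def noise_report(lines, noisy=("igmp",)):
    """Count records whose protocol is in `noisy`, grouped by logging rule."""
    records = [r for r in map(parse_record, lines) if r]
    hits = [r for r in records if r["proto"] in noisy]
    sources = Counter((r["rule"], r["tracker"], r["iface"]) for r in hits)
    share = len(hits) / len(records) if records else 0.0
    return {"total": len(records), "noisy": len(hits),
            "share": share, "sources": sources}


if __name__ == "__main__":
    report = noise_report(SAMPLE_LOG.splitlines())
    print(f"{report['noisy']}/{report['total']} records "
          f"({report['share']:.0%}) are IGMP")
    for (rule, tracker, iface), n in report["sources"].most_common():
        print(f"  rule {rule} tracker {tracker} on {iface}: {n}")
```

A high share from a single rule and tracker pair shows how quickly the entries you asked for are being pushed out of the log.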