On 2020-11-27, Harald Dunkel <harald.dun...@aixigo.com> wrote:
> Hi folks,
>
> I got a bazillion of error messages in /var/log/daemon
>
>:
> Nov 27 08:33:25 gate6a pflogd[26893]: Corrupted log file.
> Nov 27 08:33:25 gate6a pflogd[26893]: Invalid/incompatible log file, move it away
> Nov 27 08:33:25 gate6a pflogd[26893]: Logging suspended: open error
> Nov 27 08:33:32 gate6a pflogd[2985]: Corrupted log file.
> Nov 27 08:33:32 gate6a pflogd[2985]: Invalid/incompatible log file, move it away
> Nov 27 08:33:32 gate6a pflogd[2985]: Logging suspended: open error
>:
>
> Problem is, pflogd doesn't tell which one. I am logging to
> /var/log/pflog{0..3}. Nothing else but pflogd is writing these files. They are
> rotated every hour, using the default

It is easy enough to add the filename, but adding that to the log
might suggest to users that things are set up to handle multiple pflogd
processes, and that is not the case.

Various parts of the system would need changing in order to handle this.
Currently there is no way to distinguish between multiple "priv" processes
as the process title doesn't show the command-line flags. In order to
support multiple pflogd processes this would need adding, then the rc.d
scripts and default newsyslog.conf entry would need updating to use them.

> I can't remember having seen this problem for 6.7.

I think you got lucky.

> (Not to mention that syslog should try to avoid printing the same
> message again and again.)

Some kind of "last 3 messages repeated X times" might be nice indeed,
but every one of the messages you pasted is different (at least a different
pid).

> I am legally bound to provide log files, so this is a huge problem.
> Every insightful comment is highly appreciated.
> Harri
>
>

I think it would be better to simplify the setup and use a single log
for pflogd. You can split in postprocessing with commands like this

tcpdump -r /var/log/pflog -w out-vlan2.pcap action block and on vlan2

using whatever BPF filter you like (ports, IP addresses, whatever).

Some people like to run tcpdump all the time to read on the pflog
interface and write in plaintext to syslog in realtime. That is another
possibility, but I don't think this is a good idea because it will use
the dissectors in tcpdump to decode the packets, and the quality of these is
not always great. Better to write pcap files and handle any decoding later,
so that if a dissector causes a crash it doesn't stop logging.
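As an added example that is not part of the thread above and not pflogd's own code: the original complaint is that pflogd reports a corrupted or incompatible log file without saying which of /var/log/pflog0..3 it means. The script below walks each candidate file and applies the checks a pcap writer would have to make before appending: a little-endian pcap 2.4 global header, a link type of DLT_PFLOG (117), and a record chain whose per-packet headers and bodies fit inside the file. A snaplen that differs from the expected value is reported as its own status rather than as "incompatible", because whether pflogd tolerates that is not something this thread establishes. The snaplen default of 160 (pflogd's -s default) and the sample byte strings are assumptions constructed here; the exact order and wording of pflogd's own checks are not claimed.

```python
#!/usr/bin/env python3
"""Added example: report which pflog file has a bad pcap header or a
truncated record tail, so the "which one?" question can be answered
without guessing.  Not pflogd's code; the checks are the generic pcap
invariants, with DLT_PFLOG and the default snaplen assumed as below."""
import struct
from pathlib import Path
from typing import Iterable, List, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4          # standard pcap magic, little-endian file
DLT_PFLOG = 117                     # libpcap link type for pflog(4) records
PFLOGD_DEFAULT_SNAPLEN = 160        # assumption: pflogd -s default
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, caplen, wirelen


def check_pflog_bytes(data: bytes, snaplen: int = PFLOGD_DEFAULT_SNAPLEN) -> Tuple[str, str]:
    """Classify one pflog file image.

    Returns (status, detail) with status one of
    'ok', 'incompatible', 'snaplen-mismatch', 'corrupted'."""
    if len(data) < GLOBAL_HDR.size:
        return "corrupted", "file shorter than the 24-byte pcap global header"
    magic, major, minor, _tz, _sig, f_snaplen, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC_LE:
        return "incompatible", f"bad magic 0x{magic:08x} (not little-endian pcap)"
    if (major, minor) != (2, 4):
        return "incompatible", f"pcap version {major}.{minor}, expected 2.4"
    if linktype != DLT_PFLOG:
        return "incompatible", f"linktype {linktype} is not DLT_PFLOG ({DLT_PFLOG})"
    if f_snaplen != snaplen:
        return "snaplen-mismatch", f"file snaplen {f_snaplen}, expected {snaplen}"

    # Walk the record chain: every header must be whole, every caplen must
    # respect the snaplen, and every body must lie inside the file.
    off, n = GLOBAL_HDR.size, 0
    while off < len(data):
        if len(data) - off < RECORD_HDR.size:
            return "corrupted", f"truncated record header after {n} records at offset {off}"
        _sec, _usec, caplen, _wire = RECORD_HDR.unpack_from(data, off)
        if caplen > f_snaplen:
            return "corrupted", f"record {n} caplen {caplen} exceeds snaplen {f_snaplen}"
        if off + RECORD_HDR.size + caplen > len(data):
            return "corrupted", f"record {n} body truncated at offset {off}"
        off += RECORD_HDR.size + caplen
        n += 1
    return "ok", f"{n} records"


def check_pflog_files(paths: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Run check_pflog_bytes over real files; unreadable files get status 'error'."""
    out = []
    for p in paths:
        try:
            data = Path(p).read_bytes()
        except OSError as exc:
            out.append((str(p), "error", str(exc)))
            continue
        status, detail = check_pflog_bytes(data)
        out.append((str(p), status, detail))
    return out


# --- constructed sample images (not real captures) ----------------------
def _hdr(snaplen: int = PFLOGD_DEFAULT_SNAPLEN, linktype: int = DLT_PFLOG,
         magic: int = PCAP_MAGIC_LE) -> bytes:
    return GLOBAL_HDR.pack(magic, 2, 4, 0, 0, snaplen, linktype)


def _rec(payload: bytes) -> bytes:
    return RECORD_HDR.pack(1606466005, 0, len(payload), len(payload)) + payload


GOOD_FILE = _hdr() + _rec(b"\x00" * 100) + _rec(b"\x00" * 61)   # two whole records
WRONG_SNAPLEN_FILE = _hdr(snaplen=96) + _rec(b"\x00" * 60)      # header says 96
WRONG_DLT_FILE = _hdr(linktype=1)                                # DLT_EN10MB, not pflog
TRUNCATED_FILE = (_hdr() + _rec(b"\x00" * 100))[:-20]           # body cut short

if __name__ == "__main__":
    import sys
    targets = sys.argv[1:] or [f"/var/log/pflog{i}" for i in range(4)]
    for path, status, detail in check_pflog_files(targets):
        print(f"{path}: {status} ({detail})")
```

Run it with no arguments to check /var/log/pflog0..3, or pass the paths from your own newsyslog.conf entry; a file that comes back "incompatible" or "corrupted" is the one to move away before restarting pflogd. The snaplen check is deliberately a separate status so it can be ignored if pflogd was started with a non-default -s.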

