On 2020-11-27, Harald Dunkel wrote:
> Hi folks,
>
> I got a bazillion of error messages in /var/log/daemon
> :
> Nov 27 08:33:25 gate6a pflogd[26893]: Corrupted log file.
> Nov 27 08:33:25 gate6a pflogd[26893]: Invalid/incompatible log file, move it away
> Nov 27 08:33:25 gate6a pflogd[26893]: Logging suspended: open error
> Nov 27 08:33:32 gate6a pflogd[2985]: Corrupted log file.
> Nov 27 08:33:32 gate6a pflogd[2985]: Invalid/incompatible log file, move it away
> Nov 27 08:33:32 gate6a pflogd[2985]: Logging suspended: open error
> :
>
> Problem is, pflogd doesn't tell which one. I am logging to /var/log/pflog{0..3}.
> Nothing else but pflogd is writing these files. They are rotated every hour, using the default
It is easy enough to add the filename, but adding that to the log might suggest to users that things are set up to handle multiple pflogd processes, and that is not the case. Various parts of the system would need changing in order to handle this. Currently there is no way to distinguish between multiple "priv" processes, as the process title doesn't show the command-line flags. In order to support multiple pflogd processes this would need adding, then the rc.d scripts and default newsyslog.conf entry would need updating to use them.

> I can't remember having seen this problem for 6.7.

I think you got lucky.

> (Not to mention that syslog should try to avoid printing the same
> message again and again.)

Some kind of "last 3 messages repeated X times" might be nice indeed, but every one of the messages you pasted is different (at least a different pid).

> I am legally bound to provide log files, so this is a huge problem.
> Every insightful comment is highly appreciated.
> Harri

I think it would be better to simplify the setup and use a single log for pflogd. You can split it in postprocessing with commands like this:

    tcpdump -r /var/log/pflog -w out-vlan2.pcap action block and on vlan2

using whatever BPF filter you like (ports, IP addresses, whatever).

Some people like to run tcpdump all the time to read on the pflog interface and write in plaintext to syslog in realtime. That is another possibility, but I don't think this is a good idea because it will use the dissectors in tcpdump to decode the packets, and the quality of these is not always great. Better to write pcap files and handle any decoding later, so that if a dissector causes a crash it doesn't stop logging.

