On Nov 28 16:13:35, [email protected] wrote:
> On 2020-11-27, Harald Dunkel <[email protected]> wrote:
> > Hi folks,
> >
> > I got a bazillion of error messages in /var/log/daemon
> >
> >:
> > Nov 27 08:33:25 gate6a pflogd[26893]: Corrupted log file.
> > Nov 27 08:33:25 gate6a pflogd[26893]: Invalid/incompatible log file, move
> > it away
> > Nov 27 08:33:25 gate6a pflogd[26893]: Logging suspended: open error
> > Nov 27 08:33:32 gate6a pflogd[2985]: Corrupted log file.
> > Nov 27 08:33:32 gate6a pflogd[2985]: Invalid/incompatible log file, move it
> > away
> > Nov 27 08:33:32 gate6a pflogd[2985]: Logging suspended: open error
> >:
> >
> > Problem is, pflogd doesn't tell which one. I am logging to
> > /var/log/pflog{0..3}. Nothing else but pflogd is writing these files.
> > They are rotated every hour, using the default
>
> It is easy enough to add the filename, but adding that to the log
> might suggest to users that things are setup to handle multiple pflogd
> processes and that is not the case.
>
> Various parts of the system would need changing in order to handle this.
> Currently there is no way to distinguish between multiple "priv" processes
> as the process title doesn't show the command-line flags. In order to
> support multiple pflogd processes this would need adding, then the rc.d
> scripts and default newsyslog.conf entry would need updating to use them.
>
> > I can't remember having seen this problem for 6.7.
>
> I think you got lucky.
Maybe I got lucky too - please help me understand.
I have two pflog interfaces: pflog0 (created by default)
and pflog1 (created with 'up' in /etc/hostname.pflog1).
pflog0 logs the suspicious network traffic aimed at my machine:
block log all
# pass legit stuff
pflog1 logs all the SIP traffic to and from my SIP phone
(on an internal network):
match in log (all, to pflog1) on $int from $sip
match out log (all, to pflog1) on $int to $sip
There are two corresponding pflogd processes: one is started
with pflogd_flags="-s 1500" in /etc/rc.conf.local, and becomes
13680 pflogd: [running] -s 1500 -i pflog0 -f /var/log/pflog
84985 pflogd: [priv]
The other is started in /etc/rc.local as
/sbin/pflogd -s 1500 -i pflog1 -f /var/log/siplog
which runs
10562 pflogd: [running] -s 1500 -i pflog1 -f /var/log/siplog
94396 pflogd: [priv]
The two log files (/var/log/pflog, /var/log/siplog)
are rotated as follows:
/var/log/pflog 600 3650 * @T00 ZB "pkill -HUP -u root -U root -t - -x pflogd"
/var/log/siplog 600 3650 * @T00 ZB "pkill -HUP -u root -U root -t - -x pflogd"
I have had the same messages as the OP describes,
until I realized I missed the B in 'ZB' for siplog,
which indeed rendered the file 'invalid' on rotation
because of the textual 'logfile turned over' message.
Since fixing that, I haven't seen the message
(that would be a couple of weeks now).
If I'm reading you right, the rotation sends a SIGHUP to each
of the pflogd processes; twice, in fact: after rotating each
of the two files. Is that the case?
That would indeed be a problem; namely, it would break the nice
sequence of one rotated logfile per day.
However, looking at the timestamps of the few first and last entries
in pflog.1, pflog.0 and pflog (and, similarly, siplog{1,0,}), they
seem to follow one another as they should - one beginning just
where the previous one ends, none of them rotated empty.
If I read the newsyslog lines right, each of
13680 pflogd: [running] -s 1500 -i pflog0 -f /var/log/pflog
84985 pflogd: [priv]
10562 pflogd: [running] -s 1500 -i pflog1 -f /var/log/siplog
94396 pflogd: [priv]
is getting HUP'd, right? Would it be enough to HUP the [running] child?
|-+= 84985 root pflogd: [priv] (pflogd)
| \--- 13680 _pflogd pflogd: [running] -s 1500 -i pflog0 -f /var/log/pflog (pflogd)
|-+= 94396 root pflogd: [priv] (pflogd)
| \--- 10562 _pflogd pflogd: [running] -s 1500 -i pflog1 -f /var/log/siplog (pflogd)
Probably not, based on what you said about [priv]; but the [running]
processes can be distinguished in newsyslog.conf with "pkill -xf pflog0".
Jan
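A check that fits the problem discussed in this thread, added here as an example and not code from OpenBSD's pflogd or newsyslog: pflogd writes its log in pcap format, so a rotated file that newsyslog treated as text (the missing B in 'ZB') starts with the "logfile turned over" line instead of a pcap global header. The script below reads the first 24 bytes of a file and accepts it only if they look like a pcap header with DLT_PFLOG (117) as the link type; it assumes that header layout and that link-type value, and the sample files it builds are constructed test inputs, not real pflog data.

```shell
#!/bin/sh
# Added example: verify that pflogd log files still start with a pcap
# global header, which is what a text-mode newsyslog rotation destroys.
# The newsyslog.conf line that avoids the problem is the one from the
# thread, with the B (binary) flag:
#   /var/log/siplog 600 3650 * @T00 ZB "pkill -HUP -u root -U root -t - -x pflogd"

# pflog_header_ok FILE -> status 0 if FILE begins with a pcap global header
# whose link type is DLT_PFLOG (117 = 0x75), status 1 otherwise.
# Assumption: pcap global header = magic(4) major(2) minor(2) zone(4)
# sigfigs(4) snaplen(4) linktype(4), 24 bytes, either byte order.
pflog_header_ok() {
    f=$1
    # first 24 bytes as single-space separated hex bytes
    hdr=$(od -An -tx1 -N 24 -v "$f" | tr -s ' \n' ' ')
    hdr=${hdr# }
    hdr=${hdr% }
    # 24 hex pairs plus 23 separators; anything shorter is a truncated header
    [ "${#hdr}" -eq 71 ] || return 1
    magic=$(printf '%s' "$hdr" | cut -d' ' -f1-4)
    link=$(printf '%s' "$hdr" | cut -d' ' -f21-24)
    case "$magic" in
        'd4 c3 b2 a1') [ "$link" = '75 00 00 00' ] ;;   # little-endian writer
        'a1 b2 c3 d4') [ "$link" = '00 00 00 75' ] ;;   # big-endian writer
        *) return 1 ;;                                   # text or unknown data
    esac
}

# report_files FILE... -> prints one verdict per file; status = number of bad files
report_files() {
    bad=0
    for f in "$@"; do
        if pflog_header_ok "$f"; then
            echo "OK   $f"
        else
            echo "BAD  $f"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# make_samples DIR -> writes constructed test files into DIR (not real captures)
make_samples() {
    dir=$1
    # valid little-endian header: magic, version 2.4, zone 0, sigfigs 0,
    # snaplen 1500 (0x05dc), link type 117 (DLT_PFLOG)
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\334\005\000\000\165\000\000\000' \
        > "$dir/pflog.good"
    # what a rotation without the B flag leaves behind: newsyslog's text
    # message in front of the binary data (message text is constructed)
    {
        printf 'Nov 27 00:00:00 gate6a newsyslog[1234]: logfile turned over\n'
        cat "$dir/pflog.good"
    } > "$dir/pflog.bad"
    # header cut off after six bytes
    printf '\324\303\262\241\002\000' > "$dir/pflog.short"
    # valid pcap but link type 1 (Ethernet), e.g. a plain tcpdump -w file
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\334\005\000\000\001\000\000\000' \
        > "$dir/pflog.eth"
}

# Run with --demo to build the samples in a temp dir and report on them.
if [ "${1-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_samples "$d"
    report_files "$d"/pflog.* || echo "$? file(s) failed the header check"
fi
```

Run it against the live files before and after a rotation (`report_files /var/log/pflog /var/log/siplog`); rotated copies with the Z flag are gzip'd and would need to be uncompressed first, since the check only looks at raw bytes.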