[Bug 285385] man syslog.conf contains an error in examples section (filters usage)
Date: Sun, 23 Mar 2025 17:32:07 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=285385

Jim B. <jpb@jimby.name> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jpb@jimby.name

--- Comment #1 from Jim B. <jpb@jimby.name> ---
TL;DR

The 'contains' operator in the example given matches substrings, not regular
expressions. To match "*.Deny.*" in the log entry, change the operator to
'regex'. The manual is correct. This PR can be closed with "Works as
intended."

All commands performed as root:

1. The example in /etc/syslog.conf is:

   # Log ipfw messages without syncing after every message.
   !ipfw
   *.*                                             -/var/log/ipfw
   # Log ipfw messages with "Deny" in the message body.
   :msg, contains, ".*Deny.*"
   *.*                                             /var/log/ipfw.deny

   These rules were added to /etc/syslog.conf as is. From my reading of
   syslog.conf(5), these two rules are called "property based filters".

2. Architecture

   Firewall
   +tap0+-------+ Bridge0 +----+tap1+ external1
   10.10.10.50                  10.10.10.1

3. Setting up ipfw logging:

   sysctl net.inet.ip.fw.verbose=1

4. Loading ipfw and creating two rules with logging

   kldload ipfw
   ipfw add 1000 allow log icmp from 10.10.10.1 to me
   ipfw add 1050 allow log icmp from me to 10.10.10.1
   ipfw add 2000 deny log tcp from 10.10.10.1 to me

5. On external1 executing:

   ping -c 3 10.10.10.50
   telnet 10.10.10.50

   yields the following entries:

   root@firewall:~ # ipfw show
   01000    3    252 allow log icmp from 10.10.10.1 to me
   01050    3    252 allow log icmp from me to 10.10.10.1
   02000    5    300 deny log tcp from 10.10.10.1 to me
   65535    0      0 deny ip from any to any

   root@firewall:~ # cat /var/log/ipfw
   Mar 23 13:07:33 firewall kernel: ipfw: 1000 Accept ICMP:8.0 10.10.10.1 10.10.10.50 in via em0
   Mar 23 13:07:33 firewall kernel: ipfw: 1050 Accept ICMP:0.0 10.10.10.50 10.10.10.1 out via em0
   Mar 23 13:07:34 firewall kernel: ipfw: 1000 Accept ICMP:8.0 10.10.10.1 10.10.10.50 in via em0
   Mar 23 13:07:34 firewall kernel: ipfw: 1050 Accept ICMP:0.0 10.10.10.50 10.10.10.1 out via em0
   Mar 23 13:07:35 firewall kernel: ipfw: 1000 Accept ICMP:8.0 10.10.10.1 10.10.10.50 in via em0
   Mar 23 13:07:35 firewall kernel: ipfw: 1050 Accept ICMP:0.0 10.10.10.50 10.10.10.1 out via em0
   Mar 23 13:07:39 firewall kernel: ipfw: 2000 Deny TCP 10.10.10.1:18818 10.10.10.50:23 in via em0
   Mar 23 13:07:54 firewall syslogd: last message repeated 4 times

   root@firewall:~ # cat /var/log/ipfw.deny
   root@firewall:~ #

6. The operator in the syslog.conf rule above is 'contains'. This rule is
   true if the filter value is found as a substring. The substring
   "*.Deny.*" is not found in the above logs.

   If the operator is changed to 'regex' and syslogd restarted:

   # Log ipfw messages with "Deny" in the message body.
   :msg, regex, ".*Deny.*"
   *.*                                             /var/log/ipfw.deny

   and the above tests yield these results:

   root@firewall:~ # cat /var/log/ipfw
   Mar 23 13:26:33 firewall kernel: ipfw: 1000 Accept ICMP:8.0 10.10.10.1 10.10.10.50 in via em0
   Mar 23 13:26:33 firewall kernel: ipfw: 1050 Accept ICMP:0.0 10.10.10.50 10.10.10.1 out via em0
   Mar 23 13:26:34 firewall kernel: ipfw: 1000 Accept ICMP:8.0 10.10.10.1 10.10.10.50 in via em0
   Mar 23 13:26:34 firewall kernel: ipfw: 1050 Accept ICMP:0.0 10.10.10.50 10.10.10.1 out via em0
   Mar 23 13:26:35 firewall kernel: ipfw: 1000 Accept ICMP:8.0 10.10.10.1 10.10.10.50 in via em0
   Mar 23 13:26:35 firewall kernel: ipfw: 1050 Accept ICMP:0.0 10.10.10.50 10.10.10.1 out via em0
   Mar 23 13:26:38 firewall kernel: ipfw: 2000 Deny TCP 10.10.10.1:33826 10.10.10.50:23 in via em0
   Mar 23 13:26:46 firewall syslogd: last message repeated 3 times

   root@firewall:~ # cat /var/log/ipfw.deny
   Mar 23 13:26:38 firewall kernel: ipfw: 2000 Deny TCP 10.10.10.1:33826 10.10.10.50:23 in via em0
   Mar 23 13:26:46 firewall syslogd: last message repeated 3 times

The manual is correct.

-- 
You are receiving this mail because:
You are on the CC list for the bug.