Date: Tue, 28 Aug 2007 12:42:47 +0200
From: Daniel Hartmeier
To: jonathan michaels
Cc: freebsd-pf
Subject: Re: pflogd and newsyslog messages

On Tue, Aug 28, 2007 at 08:19:42PM +1000, jonathan michaels wrote:

> Aug 25 00:00:02 ???????? pflogd[350]: [priv]: msg PRIV_OPEN_LOG received
> Aug 26 00:00:02 ???????? pflogd[350]: [priv]: msg PRIV_OPEN_LOG received
> Aug 27 00:00:02 ???????? pflogd[350]: [priv]: msg PRIV_OPEN_LOG received
> Aug 28 00:00:02 ???????? pflogd[350]: [priv]: msg PRIV_OPEN_LOG received

These are perfectly normal.

Once every hour, per /etc/crontab, your cron(8) is calling newsyslog(8)
to rotate log files according to /etc/newsyslog.conf, which by default
contains

  # logfilename     [owner:group]  mode count size when  flags [/pid_file] [sig_num]
  /var/log/pflog                   600  3     100  *     JB    /var/run/pflogd.pid

If an invocation finds /var/log/pflog larger than 100 kB, it will rotate
the file (rename the old file, create a new empty one) and send the
pflogd process a SIGHUP signal.

The signal tells pflogd to re-open its log file. This is necessary
because the process doesn't open and close the file each time it appends
an entry, but opens the file only once on startup and keeps appending
through the open file handle.

Without a signal, pflogd wouldn't close and reopen the log file, and
would continue appending to the old file. Depending on how newsyslog
rotated it, that would mean either that the old file would continue to
grow or an unlinked file (not visible with ls(1)) would grow until the
last open file handle to it is closed (when pflogd dies).

pflogd is logging the reception of the signal with the debug message you
quoted above. Usually, you wouldn't log debug level messages to a file,
but you must have edited /etc/syslog.conf to do so.

So, if the messages bother you, either don't log *.debug or specifically
exclude pflogd.

Daniel
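
The rotation behaviour described in the message above, as an added example that is not part of the original message and is not pflogd's code: it renames a log file under an open descriptor, shows the next write landing in the renamed file, and then reopens by name as a daemon would on SIGHUP. The names log_is_stale and rotation_demo, the /tmp/rotdemo.<pid> directory, and the inode comparison used to detect a stale descriptor are assumptions of this example and go slightly beyond what the message states.

```c
/* Added example, not pflogd source. Paths and function names are constructed for the demo. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if fd no longer refers to the file now at path, 0 if it does, -1 on fstat error. */
int log_is_stale(int fd, const char *path) {
    struct stat open_st, path_st;
    if (fstat(fd, &open_st) == -1) return -1;
    if (stat(path, &path_st) == -1) return 1;   /* name gone: renamed or unlinked */
    return open_st.st_dev != path_st.st_dev || open_st.st_ino != path_st.st_ino;
}

static long size_of(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1L;
}

/* Rotate without signalling, then reopen as a SIGHUP handler would.
 * Returns 0 if each step behaves as the message describes, else the step number. */
int rotation_demo(void) {
    char dir[64], cur[96], old[96];
    int fd, nfd;
    snprintf(dir, sizeof dir, "/tmp/rotdemo.%ld", (long)getpid());
    if (mkdir(dir, 0700) == -1) return 1;   /* fails rather than reuse an existing path */
    snprintf(cur, sizeof cur, "%s/pflog", dir);
    snprintf(old, sizeof old, "%s/pflog.0", dir);
    fd = open(cur, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd == -1 || write(fd, "entry1\n", 7) != 7) return 2;
    if (log_is_stale(fd, cur) != 0) return 3;
    /* The rotator's part: rename the old file, create a new empty one. */
    if (rename(cur, old) == -1) return 4;
    if ((nfd = open(cur, O_WRONLY | O_CREAT, 0600)) == -1) return 4;
    close(nfd);
    /* No signal sent: the next write follows the descriptor into pflog.0. */
    if (write(fd, "entry2\n", 7) != 7) return 5;
    if (size_of(old) != 14 || size_of(cur) != 0) return 5;
    if (log_is_stale(fd, cur) != 1) return 6;
    /* The daemon's part after SIGHUP: close and reopen by name. */
    close(fd);
    fd = open(cur, O_WRONLY | O_APPEND);
    if (fd == -1 || write(fd, "entry3\n", 7) != 7) return 7;
    if (log_is_stale(fd, cur) != 0 || size_of(cur) != 7) return 8;
    close(fd); unlink(cur); unlink(old); rmdir(dir);
    return 0;
}

int main(void) { return rotation_demo(); }
```

A non-zero exit status names the step that did not behave as described; the same inode comparison can be run against a live daemon's descriptor to confirm it picked up a rotation.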