pflogd and newsyslog messages

Daniel Hartmeier daniel at benzedrine.cx
Tue Aug 28 03:43:02 PDT 2007


On Tue, Aug 28, 2007 at 08:19:42PM +1000, jonathan michaels wrote:

> Aug 25 00:00:02 ???????? pflogd[350]: [priv]: msg PRIV_OPEN_LOG received
> Aug 26 00:00:02 ???????? pflogd[350]: [priv]: msg PRIV_OPEN_LOG received
> Aug 27 00:00:02 ???????? pflogd[350]: [priv]: msg PRIV_OPEN_LOG received
> Aug 28 00:00:02 ???????? pflogd[350]: [priv]: msg PRIV_OPEN_LOG received

These are perfectly normal. Once every hour, per /etc/crontab, your
cron(8) is calling newsyslog(8) to rotate log files according to
/etc/newsyslog.conf, which by default contains

  # logfilename  [owner:group] mode count size when  flags [/pid_file] [sig_num]
  /var/log/pflog               600  3     100  *     JB    /var/run/pflogd.pid

If an invocation finds /var/log/pflog larger than 100 kB, it will rotate
the file (rename the old file, create a new empty one) and send the
pflogd process a SIGHUP signal. The signal tells pflogd to re-open its
log file. This is necessary because the process doesn't open and close
the file each time it appends an entry, but opens the file only once on
startup and keeps appending through the open file handle. Without a
signal, pflogd wouldn't close and reopen the log file, and would continue
appending to the old file. Depending on how newsyslog rotated it, that
would mean either that the old file would continue to grow or an
unlinked file (not visible with ls(1)) would grow until the last open
file handle to it is closed (when pflogd dies).

pflogd is logging the reception of the signal with the debug message you
quoted above. Usually, you wouldn't log debug level messages to a file,
but you must have edited /etc/syslog.conf to do so. So, if the messages
bother you, either don't log *.debug or specifically exclude pflogd.

Daniel
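
Added example, not part of the original post and not pflogd's own code: a minimal C logger that keeps one descriptor open, showing where an entry lands after a rename-style rotation with and without SIGHUP. The file names pflog.demo and pflog.demo.0 and the /tmp directory are constructed for the demo.

```c
/* Added illustration (not pflogd source); file names are constructed. */
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static volatile sig_atomic_t got_hup;
static void on_hup(int sig) { (void)sig; got_hup = 1; }
static long size_of(const char *p) { struct stat st; return stat(p, &st) == 0 ? (long)st.st_size : -1; }

/* Append one entry, reopening the path first if SIGHUP has arrived. */
static int log_entry(int *fd, const char *path, const char *msg) {
    if (got_hup) {
        got_hup = 0;
        close(*fd);
        if ((*fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0600)) < 0) return -1;
    }
    return write(*fd, msg, strlen(msg)) < 0 ? -1 : 0;
}

/* Rotate by rename + create, optionally signal, then log once more.
 * Reports the resulting sizes of the live file and the rotated file. */
int rotate_demo(const char *dir, int send_hup, long *live_sz, long *old_sz) {
    char live[512], old[520];
    snprintf(live, sizeof live, "%s/pflog.demo", dir);
    snprintf(old, sizeof old, "%s.0", live);
    signal(SIGHUP, on_hup);
    got_hup = 0;
    int fd = open(live, O_WRONLY | O_APPEND | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    int rc = log_entry(&fd, live, "before\n");          /* 7 bytes */
    if (rename(live, old) != 0) rc = -1;                /* rotation: rename old file */
    int nfd = open(live, O_WRONLY | O_CREAT, 0600);     /* rotation: new empty file */
    if (nfd < 0) rc = -1; else close(nfd);
    if (send_hup) raise(SIGHUP);                        /* stands in for the rotator's signal */
    if (log_entry(&fd, live, "after\n") != 0) rc = -1;  /* 6 bytes */
    if (fd >= 0) close(fd);
    *live_sz = size_of(live);
    *old_sz = size_of(old);
    unlink(live); unlink(old);
    return rc;
}

int main(void) {
    long l, o;
    for (int hup = 0; hup <= 1; hup++)
        if (rotate_demo("/tmp", hup, &l, &o) == 0)
            printf("SIGHUP=%d live=%ld rotated=%ld\n", hup, l, o);
    return 0;
}
```

Without the signal both entries end up in the rotated file and the new live file stays empty; with it, the second entry goes to the new file.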

