
pfSense: Why can’t I access the latest information of a log file with tail, grep, cat or vi?

Problem description:

You want to debug the log files of a pfSense firewall, but tail, grep, cat or vi do not show the latest information and their output always ends with a “CLOG@?|?”:

# cd /var/log/
# tail -10l system.log 
Nov 24 15:33:14 pfsense99 sshd[45576]: error: PAM: authentication error for root from 192.168.210.198
Nov 24 15:33:14 pfsense99 last message repeated 2 times
Nov 24 15:33:14 pfsense99 sshd[45576]: Failed keyboard-interactive/pam for root from 192.168.210.198 port 47927 ssh2
Nov 24 15:33:14 pfsense99 sshd[45576]: Failed password for root from 192.168.210.198 port 47927 ssh2
Nov 24 15:33:14 pfsense99 last message repeated 2 times
Nov 24 15:33:14 pfsense99 sshd[45576]: Failed password for root from 192.168.210.198 port 47927 ssh2
Nov 24 15:34:18 pfsense99 sshd[45741]: error: PAM: authentication error for root from 192.168.210.198
Nov 24 15:34:18 pfsense99 sshd[45741]: error: PAM: authentication error for root from 192.168.210.198
Nov 24 15:34:18 pfsense99 last message repeated 2 times
Nov 24 15:34:18 pfsense99 sshd[45741]: Failed keyboard-interactive/pam for root fromCLOG@?|?# 
# 
# date
Thu Nov 24 19:15:38 CET 2011
#

 
Problem resolution:
pfSense writes its log information in a circular log format so that each log file keeps a constant size. This prevents the logs from filling up the filesystem, but it also means you cannot read the data inside these log files with your standard shell tools. Instead of using tail, grep, cat or vi directly, first read the log file with a command called “clog”:

# clog system.log 
2
Nov 24 12:59:08 pfsense99 sshd[20315]: error: PAM: authentication error for root from 192.168.210.198
...
...
...
Nov 24 19:15:42 pfsense99 sshd[20501]: Accepted publickey for root from 192.168.210.198 port 38451 ssh2
Nov 24 19:15:42 pfsense99 sshd[20503]: Accepted publickey for root from 192.168.210.198 port 38452 ssh2
#

 
clog also provides a follow option like tail:

# clog -f system.log 
...
...
...
Nov 24 19:15:42 pfsense99 sshd[20501]: Accepted publickey for root from 192.168.210.198 port 38451 ssh2
Nov 24 19:15:42 pfsense99 sshd[20503]: Accepted publickey for root from 192.168.210.198 port 38452 ssh2

 
If you want to grep for specific messages, just add a pipe and a grep:

# clog system.log | grep "keyboard-interactive"
Nov 24 19:15:09 pfsense99 sshd[16616]: Accepted keyboard-interactive/pam for root from 192.168.210.198 port 45104 ssh2
#
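
Building on the grep pipeline above, an added example (not from the original post): a POSIX sh function that counts failed sshd logins per source address from clog output, crediting syslog's "last message repeated N times" lines to the failure that precedes them. The function names, the host name "fw" and the sample log lines (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: count failed sshd logins per source address.
# Reads syslog text on stdin, e.g.:
#   clog /var/log/system.log | failed_ssh_by_source
failed_ssh_by_source() {
    awk '
    # syslog folds duplicates into "last message repeated N times";
    # credit them to the previous line only if that line was a failure.
    / last message repeated [0-9]+ times/ {
        if (prev != "")
            for (i = 1; i < NF; i++)
                if ($i == "repeated") count[prev] += $(i + 1)
        next
    }
    / sshd\[[0-9]+\]: Failed (password|keyboard-interactive\/pam) for / {
        prev = ""
        # the source address follows the last "from" on the line
        for (i = 1; i < NF; i++)
            if ($i == "from") prev = $(i + 1)
        if (prev != "") count[prev]++
        next
    }
    { prev = "" }    # any other message ends the repeat chain
    END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# Constructed sample input (not taken from a real firewall).
sample_log() {
    cat <<'EOF'
Nov 24 15:33:14 fw sshd[100]: error: PAM: authentication error for root from 192.0.2.10
Nov 24 15:33:14 fw last message repeated 2 times
Nov 24 15:33:14 fw sshd[100]: Failed keyboard-interactive/pam for root from 192.0.2.10 port 47927 ssh2
Nov 24 15:33:14 fw sshd[100]: Failed password for root from 192.0.2.10 port 47927 ssh2
Nov 24 15:33:14 fw last message repeated 2 times
Nov 24 15:34:02 fw sshd[101]: Failed password for invalid user admin from 198.51.100.7 port 40222 ssh2
Nov 24 19:15:42 fw sshd[102]: Accepted publickey for root from 192.0.2.10 port 38451 ssh2
EOF
}

sample_log | failed_ssh_by_source
```

Each output line is a count followed by the source address, highest count first. A plain grep would undercount here because the repeated failures never appear as separate lines.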

 
