logs have date/time and hostname twice

[netprince]

Hey All,

I am running TrueNAS-12.0-U2.1 on an iX-4236P.

I am required to enable remote syslog. That part works fine, but I noticed some services (sshd, smbd_audit) log with a non-standard syslog line. The line has the date/time and hostname twice. The local logs have date/time and hostname twice as well. Here is an example:

Code:

Mar 10 03:00:02 everest-zfs 1 2021-03-10T03:00:02.325446-05:00 everest-zfs.ad.*** sshd 18121 - - pam_winbind(sshd): user 'root' OK
Mar 11 03:00:00 everest-zfs 1 2021-03-11T03:00:00.197145-05:00 everest-zfs.ad.*** sshd 37583 - - pam_winbind(sshd): user 'root' not found
Mar 11 03:00:00 everest-zfs 1 2021-03-11T03:00:00.198409-05:00 everest-zfs.ad.*** sshd 37583 - - pam_winbind(sshd): PAM_ESTABLISH_CRED not implemented
Mar 11 03:00:00 everest-zfs 1 2021-03-11T03:00:00.246172-05:00 everest-zfs.ad.*** sshd 37598 - - pam_winbind(sshd): PAM_REINITIALIZE_CRED not implemented

...

Mar 11 12:41:29 everest-zfs 1 2021-03-11T12:41:29.014812-05:00 everest-zfs.ad.*** smbd_audit 46012 - - *USERNAME*|192.168.84.1|chdir|ok|chdir|/
Mar 11 12:41:29 everest-zfs 1 2021-03-11T12:41:29.014848-05:00 everest-zfs.ad.*** smbd_audit 46012 - - *USERNAME*|192.168.84.1|disconnect|ok|admin
Mar 11 12:41:40 everest-zfs 1 2021-03-11T12:41:40.328341-05:00 everest-zfs.ad.*** smbd_audit 46014 - - *USERNAME*|192.168.84.1|connect|ok|admin
Mar 11 12:41:40 everest-zfs 1 2021-03-11T12:41:40.355262-05:00 everest-zfs.ad.*** smbd_audit 46014 - - *USERNAME*|192.168.84.1|chdir|ok|chdir|/mnt/everest-zfs/essential/shares/admin

Not all services are doing this.

Is there some way to prevent this? I need just the first date/time and hostname.

Thanks!

 

[netprince]

Bump... hopefully someone sees this and knows that to do...

 

[anodos]

Samba is putting an RFC5424 timestamp into the message string before sending to debug backend (in this case syslog). See lib/debug. There are various settings for smb.conf related to logging to fine-tune as desired (and can be added as auxiliary parameters for Services->SMB). Look here about: https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#DEBUGHIRESTIMESTAMP

PAM messages can be gotten rid of by disabling "verbose logging" in the AD form.

 

[netprince]

Thank you for the response.

I disabled the samba timestamps, and it did disable the timestamps recorded in /var/log/samba/* ... but that did not affect the syslog messages generated by the 'full_audit' vfs object. These are the parameters I tried:

Code:

debug prefix timestamp = no
timestamp logs = no

Seems to me the additional timestamps are added by freenas somehow. They have the exact same format, and seem to be applied to all the services I have enabled.

 

[netprince]

Bump... this really messes up central logging... thanks

 

[elorimer]

I've seen this with my remote logging as well. I assumed it was something syslog-ng was doing on the remote log, but I've never been able to fix it on that side. Never thought it might be in the sending.

 

[f4242]

Hi,

I have the exact same problem. Did you found a solution?

Thanks.

 

[elorimer]

Hi,

I have the exact same problem. Did you found a solution?

Thanks.

No, I never did. I have logs coming into one syslog-ng server from five different sources, but only the TrueNAS sources have this problem. I haven't monkeyed with the syslog-ng.conf logging statement to introduce a template, but I've tried on the syslog-ng server to rewrite the messages without any success.

 

[f4242]

No, I never did. I have logs coming into one syslog-ng server from five different sources, but only the TrueNAS sources have this problem. I haven't monkeyed with the syslog-ng.conf logging statement to introduce a template, but I've tried on the syslog-ng server to rewrite the messages without any success.

Yeah this is what I'm tryring to do too on our central rsyslog. Didn't succeeded yet haha.