logs have date/time and hostname twice

netprince

Cadet
Joined
Aug 6, 2019
Messages
9
Hey All,

I am running TrueNAS-12.0-U2.1 on an iX-4236P.

I am required to enable remote syslog. That part works fine, but I noticed some services (sshd, smbd_audit) log with a non-standard syslog line. The line has the date/time and hostname twice. The local logs have date/time and hostname twice as well. Here is an example:


Code:
Mar 10 03:00:02 everest-zfs 1 2021-03-10T03:00:02.325446-05:00 everest-zfs.ad.*** sshd 18121 - - pam_winbind(sshd): user 'root' OK
Mar 11 03:00:00 everest-zfs 1 2021-03-11T03:00:00.197145-05:00 everest-zfs.ad.*** sshd 37583 - - pam_winbind(sshd): user 'root' not found
Mar 11 03:00:00 everest-zfs 1 2021-03-11T03:00:00.198409-05:00 everest-zfs.ad.*** sshd 37583 - - pam_winbind(sshd): PAM_ESTABLISH_CRED not implemented
Mar 11 03:00:00 everest-zfs 1 2021-03-11T03:00:00.246172-05:00 everest-zfs.ad.*** sshd 37598 - - pam_winbind(sshd): PAM_REINITIALIZE_CRED not implemented

...

Mar 11 12:41:29 everest-zfs 1 2021-03-11T12:41:29.014812-05:00 everest-zfs.ad.*** smbd_audit 46012 - - *USERNAME*|192.168.84.1|chdir|ok|chdir|/
Mar 11 12:41:29 everest-zfs 1 2021-03-11T12:41:29.014848-05:00 everest-zfs.ad.*** smbd_audit 46012 - - *USERNAME*|192.168.84.1|disconnect|ok|admin
Mar 11 12:41:40 everest-zfs 1 2021-03-11T12:41:40.328341-05:00 everest-zfs.ad.*** smbd_audit 46014 - - *USERNAME*|192.168.84.1|connect|ok|admin
Mar 11 12:41:40 everest-zfs 1 2021-03-11T12:41:40.355262-05:00 everest-zfs.ad.*** smbd_audit 46014 - - *USERNAME*|192.168.84.1|chdir|ok|chdir|/mnt/everest-zfs/essential/shares/admin


Not all services are doing this.

Is there some way to prevent this? I need just the first date/time and hostname.

Thanks!
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
Samba is putting an RFC5424 timestamp into the message string before sending to debug backend (in this case syslog). See lib/debug. There are various settings for smb.conf related to logging to fine-tune as desired (and can be added as auxiliary parameters for Services->SMB). Look here about: https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#DEBUGHIRESTIMESTAMP

PAM messages can be gotten rid of by disabling "verbose logging" in the AD form.
 

netprince

Cadet
Joined
Aug 6, 2019
Messages
9
Thank you for the response.

I disabled the samba timestamps, and it did disable the timestamps recorded in /var/log/samba/* ... but that did not affect the syslog messages generated by the 'full_audit' vfs object. These are the parameters I tried:

Code:
debug prefix timestamp = no
timestamp logs = no


Seems to me the additional timestamps are added by freenas somehow. They have the exact same format, and seem to be applied to all the services I have enabled.
 

elorimer

Contributor
Joined
Aug 26, 2019
Messages
194
I've seen this with my remote logging as well. I assumed it was something syslog-ng was doing on the remote log, but I've never been able to fix it on that side. Never thought it might be in the sending.
 

f4242

Explorer
Joined
Mar 16, 2017
Messages
97
Hi,

I have the exact same problem. Did you find a solution?

Thanks.
 

elorimer

Contributor
Joined
Aug 26, 2019
Messages
194
No, I never did. I have logs coming into one syslog-ng server from five different sources, but only the TrueNAS sources have this problem. I haven't monkeyed with the syslog-ng.conf logging statement to introduce a template, but I've tried on the syslog-ng server to rewrite the messages without any success.
 

f4242

Explorer
Joined
Mar 16, 2017
Messages
97
Yeah, this is what I'm trying to do too on our central rsyslog. Didn't succeed yet haha.
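
For cleaning these lines up on the receiving side, here is an added example (not posted by anyone in this thread and not TrueNAS code). It assumes the layout seen in the sample lines of the first post: a BSD-style `Mon DD HH:MM:SS host` prefix followed by fields in RFC 5424 header order (version `1`, ISO timestamp, hostname, app name, PID, message ID, structured data). The names `DOUBLE_HEADER`, `parse_double_header` and `normalize` are illustrative.

```python
import re

# Outer BSD-style prefix, then an embedded RFC 5424-style header without PRI:
# VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
# (structured data with escaped ']' is not handled here)
DOUBLE_HEADER = re.compile(
    r"^(?P<bsd_ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<bsd_host>\S+) "
    r"1 (?P<iso_ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<fqdn>\S+) (?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|\[.*?\]) (?P<msg>.*)$"
)


def parse_double_header(line):
    """Return the fields of a doubled-header line, or None if it is not one."""
    m = DOUBLE_HEADER.match(line.rstrip("\n"))
    if m is None:
        return None
    f = m.groupdict()
    # Only treat the inner header as a duplicate when it names the same host;
    # otherwise the text may be real message content and must be preserved.
    if f["fqdn"].split(".")[0].lower() != f["bsd_host"].split(".")[0].lower():
        return None
    return f


def normalize(line):
    """Collapse a doubled header to 'Mon DD HH:MM:SS host app[pid]: msg'."""
    f = parse_double_header(line)
    if f is None:
        return line.rstrip("\n")  # pass everything else through untouched
    tag = f["app"] if f["pid"] == "-" else f"{f['app']}[{f['pid']}]"
    return f"{f['bsd_ts']} {f['bsd_host']} {tag}: {f['msg']}"


# First two lines are copied from the thread; the last two are constructed.
SAMPLES = [
    "Mar 10 03:00:02 everest-zfs 1 2021-03-10T03:00:02.325446-05:00 everest-zfs.ad.*** sshd 18121 - - pam_winbind(sshd): user 'root' OK",
    "Mar 11 12:41:29 everest-zfs 1 2021-03-11T12:41:29.014848-05:00 everest-zfs.ad.*** smbd_audit 46012 - - *USERNAME*|192.168.84.1|disconnect|ok|admin",
    "Mar 11 12:41:30 everest-zfs cron[501]: 1 2021-03-11T12:41:30-05:00 appears inside a normal message",
    "Mar 11 12:41:31 everest-zfs 1 2021-03-11T12:41:31-05:00 otherhost.example app 7 - - inner host differs",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(normalize(s))
```

Lines that do not match the doubled layout, or whose inner hostname differs from the outer one, are returned unchanged so that no audit content is dropped.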
 