[2/2] ipsec: Silence charon

Message ID 20200205112425.20108-2-michael.tremer@ipfire.org
State New
Series [1/2] ipsec: Add script to ensure VPNs are always on

Commit Message

Michael Tremer Feb. 5, 2020, 11:24 a.m. UTC
Charon has some verbose logging enabled by default. This clutters
the logs a lot.

This patch disables debug logging but still lets charon log important
messages like tunnels that are going up or down.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 3 +++
 1 file changed, 3 insertions(+)

Comments

Tom Rymes Feb. 5, 2020, 3:25 p.m. UTC | #1
May I suggest that we also move the IPSec logging into its own file? It 
seems to me that, even with verbosity reduced, having it in 
/var/log/messages makes it a pain to locate anything else in the kernel log.

Tom

On 02/05/2020 6:24 AM, Michael Tremer wrote:
> Charon has some verbose logging enabled by default. This clutters
> the logs a lot.
> 
> This patch disables debug logging but still lets charon log important
> messages like tunnels that are going up or down.
> 
> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
> ---
>   html/cgi-bin/vpnmain.cgi | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
> index b3cd3e51e..d2bc70a27 100644
> --- a/html/cgi-bin/vpnmain.cgi
> +++ b/html/cgi-bin/vpnmain.cgi
> @@ -266,6 +266,9 @@ sub writeipsecfiles {
>   	flock CONF, 2;
>   	flock SECRETS, 2;
>   	print CONF "version 2\n\n";
> +	print CONF "config setup\n";
> +	print CONF "\tcharondebug=\"dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 0, net 0, asn 0, enc 0, lib 0, esp 0, tls 0, tnc 0, imc 0, imv 0, pts 0\"\n";
> +	print CONF "\n";
>   	print CONF "conn %default\n";
>   	print CONF "\tkeyingtries=%forever\n";
>   	print CONF "\n";
>
Michael Tremer Feb. 5, 2020, 4:55 p.m. UTC | #2
Hi,

Are those logged messages really useful?

I know that there is a ticket open with this matter, but I am not sure if there is any value in the proposed changes.

  https://bugzilla.ipfire.org/show_bug.cgi?id=11001

What are you getting from the logs that you won’t get right now?

I have to enable proper debugging every time I want to have a REALLY detailed look. Otherwise the logs are very verbose and it is hard to find things.

Best,
-Michael

> On 5 Feb 2020, at 15:25, Tom Rymes <trymes@rymes.com> wrote:
> 
> May I suggest that we also move the IPSec logging into its own file? It seems to me that, even with verbosity reduced, having it in /var/log/messages makes it a pain to locate anything else in the kernel log.
> 
> Tom
> 
> On 02/05/2020 6:24 AM, Michael Tremer wrote:
>> Charon has some verbose logging enabled by default. This clutters
>> the logs a lot.
>> This patch disables debug logging but still lets charon log important
>> messages like tunnels that are going up or down.
>> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
>> ---
>>  html/cgi-bin/vpnmain.cgi | 3 +++
>>  1 file changed, 3 insertions(+)
>> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
>> index b3cd3e51e..d2bc70a27 100644
>> --- a/html/cgi-bin/vpnmain.cgi
>> +++ b/html/cgi-bin/vpnmain.cgi
>> @@ -266,6 +266,9 @@ sub writeipsecfiles {
>>  	flock CONF, 2;
>>  	flock SECRETS, 2;
>>  	print CONF "version 2\n\n";
>> +	print CONF "config setup\n";
>> +	print CONF "\tcharondebug=\"dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 0, net 0, asn 0, enc 0, lib 0, esp 0, tls 0, tnc 0, imc 0, imv 0, pts 0\"\n";
>> +	print CONF "\n";
>>  	print CONF "conn %default\n";
>>  	print CONF "\tkeyingtries=%forever\n";
>>  	print CONF "\n";
Tom Rymes Feb. 5, 2020, 5:16 p.m. UTC | #3
I have no issue with reducing the amount of verbosity of the current 
IPSec logging. It has been helpful in the past when troubleshooting a 
new tunnel, but it's not a major deal.

I was just hoping that whatever remaining messages are left after 
reducing the verbosity could be directed to /var/log/ipsec instead of 
/var/log/messages, as the IPSec messages can clutter up the kernel log, 
which can be annoying. We have 20+ tunnels on two different machines, so 
it can be quite extensive.

Tom

On 02/05/2020 11:55 AM, Michael Tremer wrote:
> Hi,
> 
> Are those logged messages really useful?
> 
> I know that there is a ticket open with this matter, but I am not sure if there is any value in the proposed changes.
> 
>    https://bugzilla.ipfire.org/show_bug.cgi?id=11001
> 
> What are you getting from the logs that you won’t get right now?
> 
> I have to enable proper debugging every time I want to have a REALLY detailed look. Otherwise the logs are very verbose and it is hard to find things.
> 
> Best,
> -Michael
> 
>> On 5 Feb 2020, at 15:25, Tom Rymes <trymes@rymes.com> wrote:
>>
>> May I suggest that we also move the IPSec logging into its own file? It seems to me that, even with verbosity reduced, having it in /var/log/messages makes it a pain to locate anything else in the kernel log.
>>
>> Tom
>>
>> On 02/05/2020 6:24 AM, Michael Tremer wrote:
>>> Charon has some verbose logging enabled by default. This clutters
>>> the logs a lot.
>>> This patch disables debug logging but still lets charon log important
>>> messages like tunnels that are going up or down.
>>> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
>>> ---
>>>   html/cgi-bin/vpnmain.cgi | 3 +++
>>>   1 file changed, 3 insertions(+)
>>> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
>>> index b3cd3e51e..d2bc70a27 100644
>>> --- a/html/cgi-bin/vpnmain.cgi
>>> +++ b/html/cgi-bin/vpnmain.cgi
>>> @@ -266,6 +266,9 @@ sub writeipsecfiles {
>>>   	flock CONF, 2;
>>>   	flock SECRETS, 2;
>>>   	print CONF "version 2\n\n";
>>> +	print CONF "config setup\n";
>>> +	print CONF "\tcharondebug=\"dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 0, net 0, asn 0, enc 0, lib 0, esp 0, tls 0, tnc 0, imc 0, imv 0, pts 0\"\n";
>>> +	print CONF "\n";
>>>   	print CONF "conn %default\n";
>>>   	print CONF "\tkeyingtries=%forever\n";
>>>   	print CONF "\n";
>
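Added example, not part of this thread and not IPFire's configuration: one way to express Tom's request in strongSwan's strongswan.conf. A filelog logger writes charon's output to /var/log/ipsec with the audit level 0 as default (the level the patch selects for every subsystem), keeps level 1 for the subsystems that report errors, and mutes the syslog daemon facility so that /var/log/messages no longer receives charon output. The file path, the choice of subsystems and the syslog section are assumptions; the section-name-as-path form of filelog is the syntax documented for strongSwan 5.x (5.7 and later also accept a `path =` key inside a named section).

```conf
# Added example (not IPFire's configuration): route charon's log to its own file.
charon {
    filelog {
        # The section name is the file to write to (strongSwan 5.x syntax).
        /var/log/ipsec {
            time_format = %b %e %T
            append = yes
            flush_line = yes
            # 0 = basic audit messages only (SA up / SA down), the level the
            # patch's charondebug line sets for every subsystem.
            default = 0
            # Keep level 1 where errors are reported, so a failed
            # authentication or a proposal mismatch is still written.
            ike = 1
            cfg = 1
            knl = 1
        }
    }
    syslog {
        # -1 = silent: stop sending charon output to the daemon facility,
        # which on IPFire lands in /var/log/messages as described above.
        daemon {
            default = -1
        }
    }
}
```

Loggers configured in strongswan.conf take precedence over the per-subsystem defaults that charondebug in ipsec.conf hands to the daemon syslog logger, so this fragment works alongside the patch rather than replacing it; the file needs to be reloaded with `ipsec rereadall` or a daemon restart, and /var/log/ipsec should be added to the log rotation so it does not grow unbounded on a host with many tunnels.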

Patch

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index b3cd3e51e..d2bc70a27 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -266,6 +266,9 @@  sub writeipsecfiles {
 	flock CONF, 2;
 	flock SECRETS, 2;
 	print CONF "version 2\n\n";
+	print CONF "config setup\n";
+	print CONF "\tcharondebug=\"dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 0, net 0, asn 0, enc 0, lib 0, esp 0, tls 0, tnc 0, imc 0, imv 0, pts 0\"\n";
+	print CONF "\n";
 	print CONF "conn %default\n";
 	print CONF "\tkeyingtries=%forever\n";
 	print CONF "\n";
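Review bot: the charondebug line sets every subsystem, `ike`, `cfg` and `knl` included, to level 0, which in strongSwan's scale is the basic audit level (SA up / SA down), while errors such as a failed authentication or a proposal mismatch are reported at level 1; the commit message's "still lets charon log important messages" therefore holds for tunnel up/down events but not for the reason a tunnel failed to come up. Consider `ike 1, cfg 1, knl 1` with the remaining subsystems at 0, which drops the debug chatter but keeps failures visible, which is also what comment #3 says the log is consulted for when a new tunnel is troubleshot. Style point: the 150-character print line would be easier to maintain as a Perl list of subsystem names joined with ", " with the level applied once.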