Default _updown script is logging IP address to syslog
We found logs with sensitive client information (IP addresses) in our servers' syslog after we had explicitly set all logging levels to -1.
HOSTNAME vpn: - CLIENT_ID VIRTUAL_IP/32 CLIENT_IP -- SERVER_IP 0.0.0.0/0
It turns out that the default _updown script is sending this log line to syslog.
131 # uncomment to log VPN connections
132 VPN_LOGGING=1
133 #
Line 132 should be commented out by default, as also stated by the comment.
#1 Updated by Martin Willi over 5 years ago
- Status changed from New to Feedback
Yes, this is the default behavior when the updown script is used, and it has been ever since (at least with charon).
I'd like to avoid changing that default behavior, as some installations might rely on it. We certainly can improve the documentation, which I've tried to address with the new updown Wiki page.
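The two points raised in this issue, a log line that is only emitted while VPN_LOGGING is set, and an operator needing to verify that the switch is really off in a deployed script, can be shown in a small POSIX sh example. This is added illustration, not strongSwan's own _updown script: the PLUTO_* variable names are the ones charon exports to updown scripts, but the message layout built by vpn_log_line and the sample values (client.example.org, 10.0.0.5/32, 203.0.113.10, 198.51.100.1) are constructed here and only approximate the real format.

```shell
#!/bin/sh
# Added example (not strongSwan's _updown): how a VPN_LOGGING-style switch
# gates a syslog line, and how to audit a deployed updown script for it.

# Build the line an updown script would hand to logger(1) on up/down.
# $1 is "+" for up or "-" for down; the other fields come from the PLUTO_*
# environment charon sets. Prints nothing and returns 1 when VPN_LOGGING
# is unset, mirroring the `if [ "$VPN_LOGGING" ]` guard in the real script.
# The field order is a constructed approximation of the real message.
vpn_log_line() {
    if [ -z "$VPN_LOGGING" ]; then
        return 1
    fi
    printf '%s %s %s %s -- %s %s\n' \
        "$1" "$PLUTO_PEER_ID" "$PLUTO_PEER_CLIENT" "$PLUTO_PEER" \
        "$PLUTO_ME" "$PLUTO_MY_CLIENT"
}

# Audit helper: return 0 if the updown script at $1 still contains an
# active (uncommented) VPN_LOGGING=... assignment, 1 otherwise. Useful as
# a post-install check when client IPs must not reach syslog.
updown_logging_enabled() {
    grep -Eq '^[[:space:]]*VPN_LOGGING=' "$1"
}

# Demo with constructed values (run stand-alone; harmless side effects).
demo() {
    tmp=$(mktemp)
    printf '# uncomment to log VPN connections\nVPN_LOGGING=1\n#\n' > "$tmp"
    if updown_logging_enabled "$tmp"; then
        echo "audit: $tmp would log peer addresses to syslog"
    fi
    rm -f "$tmp"

    VPN_LOGGING=1
    PLUTO_PEER_ID=client.example.org
    PLUTO_PEER_CLIENT=10.0.0.5/32
    PLUTO_PEER=203.0.113.10
    PLUTO_ME=198.51.100.1
    PLUTO_MY_CLIENT=0.0.0.0/0
    vpn_log_line "-"
}
```

Run the file directly and call demo to see the audit message and a sample down line; in a real deployment the same vpn_log_line output would go through logger(1) with the TAG and facility the script configures.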