authorbenno <benno@openbsd.org>2018-08-06 17:31:31 +0000
committerbenno <benno@openbsd.org>2018-08-06 17:31:31 +0000
commit0be9d00a7cf298a2eea5813e8e14e6da3bb0dc02 (patch)
tree5cd847b9bff8d16ae03653d4a72ecff66a926f68
parentCorrect example file since reserved words cannot be used as macros. Not only (diff)
replace the current log options
log updates|all with log state changes, log host checks, and log connection [errors]. The first two control the logging of host check results: either changes in host state only or all checks. The third option controls logging of connections in relay mode: either log all connections, or only errors. Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog. ok and feedback from claudio@
-rw-r--r--usr.sbin/relayd/hce.c6
-rw-r--r--usr.sbin/relayd/parse.y28
-rw-r--r--usr.sbin/relayd/relay.c93
-rw-r--r--usr.sbin/relayd/relay_http.c24
-rw-r--r--usr.sbin/relayd/relay_udp.c20
-rw-r--r--usr.sbin/relayd/relayd.c4
-rw-r--r--usr.sbin/relayd/relayd.conf.524
-rw-r--r--usr.sbin/relayd/relayd.h9
8 files changed, 122 insertions, 86 deletions
diff --git a/usr.sbin/relayd/hce.c b/usr.sbin/relayd/hce.c
index e4b50292d69..8fb7701d047 100644
--- a/usr.sbin/relayd/hce.c
+++ b/usr.sbin/relayd/hce.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hce.c,v 1.78 2017/12/18 21:45:57 benno Exp $ */
+/* $OpenBSD: hce.c,v 1.79 2018/08/06 17:31:31 benno Exp $ */
/*
* Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -197,7 +197,7 @@ hce_notify_done(struct host *host, enum host_error he)
struct ctl_status st;
struct timeval tv_now, tv_dur;
u_long duration;
- u_int logopt;
+ u_int logopt = RELAYD_OPT_LOGHOSTCHECK;
struct host *h, *hostnst;
int hostup;
const char *msg;
@@ -248,8 +248,6 @@ hce_notify_done(struct host *host, enum host_error he)
proc_compose(env->sc_ps, PROC_PFE, IMSG_HOST_STATUS, &st, sizeof(st));
if (host->up != host->last_up)
logopt = RELAYD_OPT_LOGUPDATE;
- else
- logopt = RELAYD_OPT_LOGNOTIFY;
getmonotime(&tv_now);
timersub(&tv_now, &host->cte.tv_start, &tv_dur);
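Review bot: A host state change is now logged only when `RELAYD_OPT_LOGUPDATE` is set, because `logopt` is overwritten with that single bit when `host->up != host->last_up`, while the parse.y actions for `HOST CHECKS` and the deprecated `ALL` set `RELAYD_OPT_LOGHOSTCHECK` without it. Assuming the test further down in hce_notify_done (outside this hunk) is still `env->sc_conf.opts & logopt`, a configuration with only `log host checks`, or an old `log all`, would log unchanged checks but stay silent when a host goes down or comes back. Keeping both bits for the transition case, `logopt |= RELAYD_OPT_LOGUPDATE;`, would let either option report a state change; alternatively the `ALL` action in parse.y could add `RELAYD_OPT_LOGUPDATE` to its mask.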
diff --git a/usr.sbin/relayd/parse.y b/usr.sbin/relayd/parse.y
index 85b01d266b8..2af04c27bd9 100644
--- a/usr.sbin/relayd/parse.y
+++ b/usr.sbin/relayd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.226 2018/07/11 07:39:22 krw Exp $ */
+/* $OpenBSD: parse.y,v 1.227 2018/08/06 17:31:31 benno Exp $ */
/*
* Copyright (c) 2007 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -176,7 +176,7 @@ typedef struct {
%token SNMP SOCKET SPLICE SSL STICKYADDR STYLE TABLE TAG TAGGED TCP TIMEOUT TLS
%token TO ROUTER RTLABEL TRANSPARENT TRAP UPDATES URL VIRTUAL WITH TTL RTABLE
%token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE PASSWORD ECDHE
-%token EDH TICKETS
+%token EDH TICKETS CONNECTION CONNECTIONS ERRORS STATE CHANGES CHECKS
%token <v.string> STRING
%token <v.number> NUMBER
%type <v.string> hostname interface table value optstring
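Review bot: `CONNECTIONS` is declared on the new `%token` line, but none of the visible hunks adds a grammar rule or a lookup() keyword entry for it; only `connection` is added. If it is not used elsewhere in parse.y it should be dropped, `%token EDH TICKETS CONNECTION ERRORS STATE CHANGES CHECKS`, so the token list matches the keywords the parser actually accepts.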
@@ -433,8 +433,23 @@ main : INTERVAL NUMBER {
trap : /* nothing */ { $$ = 0; }
| TRAP { $$ = 1; }
-loglevel : UPDATES { $$ = RELAYD_OPT_LOGUPDATE; }
- | ALL { $$ = RELAYD_OPT_LOGALL; }
+loglevel : UPDATES { /* remove 6.4-current */
+ $$ = RELAYD_OPT_LOGUPDATE;
+ log_warnx("log updates deprecated, "
+ "update configuration");
+ }
+ | STATE CHANGES { $$ = RELAYD_OPT_LOGUPDATE; }
+ | HOST CHECKS { $$ = RELAYD_OPT_LOGHOSTCHECK; }
+ | ALL { /* remove 6.4-current */
+ $$ = (RELAYD_OPT_LOGHOSTCHECK|
+ RELAYD_OPT_LOGCON|
+ RELAYD_OPT_LOGCONERR);
+ log_warnx("log all deprecated, "
+ "update configuration");
+ }
+ | CONNECTION { $$ = (RELAYD_OPT_LOGCON |
+ RELAYD_OPT_LOGCONERR); }
+ | CONNECTION ERRORS { $$ = RELAYD_OPT_LOGCONERR; }
;
rdr : REDIRECT STRING {
@@ -2223,9 +2238,12 @@ lookup(char *s)
{ "ca", CA },
{ "cache", CACHE },
{ "cert", CERTIFICATE },
+ { "changes", CHANGES },
{ "check", CHECK },
+ { "checks", CHECKS },
{ "ciphers", CIPHERS },
{ "code", CODE },
+ { "connection", CONNECTION },
{ "cookie", COOKIE },
{ "demote", DEMOTE },
{ "destination", DESTINATION },
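Review bot: The keyword entries added here and in the two following lookup() hunks (`changes`, `checks`, `connection`, `errors`, `state`) turn common words into reserved words. Presumably an existing relayd.conf that uses one of them unquoted as a table, relay or macro name will fail to parse after the upgrade, since lookup() would return the keyword token instead of STRING. The relayd.conf.5 change in this commit does not mention this; a sentence there saying that these names must be renamed, or quoted where the grammar allows, would help operators. Most of the keyword table lies outside these hunks.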
@@ -2234,6 +2252,7 @@ lookup(char *s)
{ "ecdhe", ECDHE },
{ "edh", EDH },
{ "error", ERROR },
+ { "errors", ERRORS },
{ "expect", EXPECT },
{ "external", EXTERNAL },
{ "file", FILENAME },
@@ -2302,6 +2321,7 @@ lookup(char *s)
{ "source-hash", SRCHASH },
{ "splice", SPLICE },
{ "ssl", SSL },
+ { "state", STATE },
{ "sticky-address", STICKYADDR },
{ "style", STYLE },
{ "table", TABLE },
diff --git a/usr.sbin/relayd/relay.c b/usr.sbin/relayd/relay.c
index 9a7f60d6f86..8ebd0bd1c14 100644
--- a/usr.sbin/relayd/relay.c
+++ b/usr.sbin/relayd/relay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay.c,v 1.239 2018/06/10 20:41:47 benno Exp $ */
+/* $OpenBSD: relay.c,v 1.240 2018/08/06 17:31:31 benno Exp $ */
/*
* Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -397,7 +397,7 @@ relay_statistics(int fd, short events, void *arg)
&rlay->rl_sessions, con);
timersub(&tv_now, &con->se_tv_last, &tv);
if (timercmp(&tv, &rlay->rl_conf.timeout, >=))
- relay_close(con, "hard timeout");
+ relay_close(con, "hard timeout", 1);
}
}
@@ -700,7 +700,7 @@ relay_connected(int fd, short sig, void *arg)
case RELAY_PROTO_HTTP:
if (relay_httpdesc_init(out) == -1) {
relay_close(con,
- "failed to allocate http descriptor");
+ "failed to allocate http descriptor", 1);
return;
}
con->se_out.toread = TOREAD_HTTP_HEADER;
@@ -742,7 +742,7 @@ relay_connected(int fd, short sig, void *arg)
bufferevent_enable(con->se_in.bev, EV_READ);
if (relay_splice(&con->se_out) == -1)
- relay_close(con, strerror(errno));
+ relay_close(con, strerror(errno), 1);
}
void
@@ -757,7 +757,7 @@ relay_input(struct rsession *con)
case RELAY_PROTO_HTTP:
if (relay_httpdesc_init(&con->se_in) == -1) {
relay_close(con,
- "failed to allocate http descriptor");
+ "failed to allocate http descriptor", 1);
return;
}
con->se_in.toread = TOREAD_HTTP_HEADER;
@@ -776,7 +776,7 @@ relay_input(struct rsession *con)
con->se_in.bev = bufferevent_new(con->se_in.s, inrd, inwr,
relay_error, &con->se_in);
if (con->se_in.bev == NULL) {
- relay_close(con, "failed to allocate input buffer event");
+ relay_close(con, "failed to allocate input buffer event", 1);
return;
}
@@ -791,7 +791,7 @@ relay_input(struct rsession *con)
bufferevent_enable(con->se_in.bev, EV_READ|EV_WRITE);
if (relay_splice(&con->se_in) == -1)
- relay_close(con, strerror(errno));
+ relay_close(con, strerror(errno), 1);
}
void
@@ -811,10 +811,10 @@ relay_write(struct bufferevent *bev, void *arg)
return;
done:
- relay_close(con, "last write (done)");
+ relay_close(con, "last write (done)", 0);
return;
fail:
- relay_close(con, strerror(errno));
+ relay_close(con, strerror(errno), 1);
}
void
@@ -860,10 +860,10 @@ relay_read(struct bufferevent *bev, void *arg)
return;
done:
- relay_close(con, "last read (done)");
+ relay_close(con, "last read (done)", 0);
return;
fail:
- relay_close(con, strerror(errno));
+ relay_close(con, strerror(errno), 1);
}
/*
@@ -985,7 +985,7 @@ relay_error(struct bufferevent *bev, short error, void *arg)
case -1:
goto fail;
case 0:
- relay_close(con, "buffer event timeout");
+ relay_close(con, "buffer event timeout", 1);
break;
case 1:
cre->timedout = 1;
@@ -993,7 +993,7 @@ relay_error(struct bufferevent *bev, short error, void *arg)
break;
}
} else {
- relay_close(con, "buffer event timeout");
+ relay_close(con, "buffer event timeout", 1);
}
return;
}
@@ -1003,14 +1003,14 @@ relay_error(struct bufferevent *bev, short error, void *arg)
case -1:
goto fail;
case 0:
- relay_close(con, "splice timeout");
+ relay_close(con, "splice timeout", 1);
return;
case 1:
bufferevent_enable(bev, EV_READ);
break;
}
} else if (cre->dst->timedout) {
- relay_close(con, "splice timeout");
+ relay_close(con, "splice timeout", 1);
return;
}
if (relay_spliceadjust(cre) == -1)
@@ -1036,13 +1036,13 @@ relay_error(struct bufferevent *bev, short error, void *arg)
} else if (cre->toread == TOREAD_UNLIMITED || cre->toread == 0)
return;
- relay_close(con, "done");
+ relay_close(con, "done", 0);
return;
}
- relay_close(con, "buffer event error");
+ relay_close(con, "buffer event error", 1);
return;
fail:
- relay_close(con, strerror(errno));
+ relay_close(con, strerror(errno), 1);
}
void
@@ -1138,7 +1138,7 @@ relay_accept(int fd, short event, void *arg)
/* Pre-allocate output buffer */
con->se_out.output = evbuffer_new();
if (con->se_out.output == NULL) {
- relay_close(con, "failed to allocate output buffer");
+ relay_close(con, "failed to allocate output buffer", 1);
return;
}
@@ -1146,7 +1146,7 @@ relay_accept(int fd, short event, void *arg)
slen = sizeof(con->se_out.ss);
if (getsockname(s, (struct sockaddr *)&con->se_out.ss,
&slen) == -1) {
- relay_close(con, "peer lookup failed");
+ relay_close(con, "peer lookup failed", 1);
return;
}
con->se_out.port = relay_socket_getport(&con->se_out.ss);
@@ -1158,7 +1158,7 @@ relay_accept(int fd, short event, void *arg)
con->se_out.ss.ss_family = AF_UNSPEC;
} else if (rlay->rl_conf.flags & F_NATLOOK) {
if ((cnl = calloc(1, sizeof(*cnl))) == NULL) {
- relay_close(con, "failed to allocate nat lookup");
+ relay_close(con, "failed to allocate nat lookup", 1);
return;
}
@@ -1173,7 +1173,7 @@ relay_accept(int fd, short event, void *arg)
slen = sizeof(cnl->dst);
if (getsockname(s,
(struct sockaddr *)&cnl->dst, &slen) == -1) {
- relay_close(con, "failed to get local address");
+ relay_close(con, "failed to get local address", 1);
return;
}
@@ -1368,7 +1368,7 @@ relay_natlook(int fd, short event, void *arg)
if (con->se_out.ss.ss_family == AF_UNSPEC && cnl->in == -1 &&
rlay->rl_conf.dstss.ss_family == AF_UNSPEC &&
TAILQ_EMPTY(&rlay->rl_tables)) {
- relay_close(con, "session NAT lookup failed");
+ relay_close(con, "session NAT lookup failed", 1);
return;
}
if (cnl->in != -1) {
@@ -1390,7 +1390,7 @@ relay_session(struct rsession *con)
if (bcmp(&rlay->rl_conf.ss, &out->ss, sizeof(out->ss)) == 0 &&
out->port == rlay->rl_conf.port) {
log_debug("%s: session %d: looping", __func__, con->se_id);
- relay_close(con, "session aborted");
+ relay_close(con, "session aborted", 1);
return;
}
@@ -1401,7 +1401,7 @@ relay_session(struct rsession *con)
if (rlay->rl_proto->request == NULL)
fatalx("invalide UDP session");
if ((*rlay->rl_proto->request)(con) == -1)
- relay_close(con, "session failed");
+ relay_close(con, "session failed", 1);
return;
}
@@ -1414,7 +1414,7 @@ relay_session(struct rsession *con)
if (rlay->rl_conf.fwdmode == FWD_TRANS)
relay_bindanyreq(con, 0, IPPROTO_TCP);
else if (relay_connect(con) == -1) {
- relay_close(con, "session failed");
+ relay_close(con, "session failed", 1);
return;
}
}
@@ -1451,11 +1451,11 @@ relay_bindany(int fd, short event, void *arg)
struct rsession *con = arg;
if (con->se_bnds == -1) {
- relay_close(con, "bindany failed, invalid socket");
+ relay_close(con, "bindany failed, invalid socket", 1);
return;
}
if (relay_connect(con) == -1)
- relay_close(con, "session failed");
+ relay_close(con, "session failed", 1);
}
void
@@ -1670,7 +1670,7 @@ relay_connect(struct rsession *con)
}
void
-relay_close(struct rsession *con, const char *msg)
+relay_close(struct rsession *con, const char *msg, int err)
{
char ibuf[128], obuf[128], *ptr = NULL;
struct relay *rlay = con->se_relay;
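Review bot: The new `err` parameter of relay_close() is undocumented, and the bare `0`/`1` literals at the call sites changed in this commit give no hint which one means failure. A comment above the definition would make those calls auditable, for example `/* err: 1 if the session ends abnormally (logged under "log connection errors"), 0 for a normal close */`. Since the body later compares with `err == 0` and `err == 1`, the comment should also state that no other value is accepted. The function body continues outside this hunk.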
@@ -1685,7 +1685,8 @@ relay_close(struct rsession *con, const char *msg)
if (con->se_out.bev != NULL)
bufferevent_disable(con->se_out.bev, EV_READ|EV_WRITE);
- if ((env->sc_conf.opts & RELAYD_OPT_LOGUPDATE) && msg != NULL) {
+ if ((env->sc_conf.opts & (RELAYD_OPT_LOGCON|RELAYD_OPT_LOGCONERR)) &&
+ msg != NULL) {
bzero(&ibuf, sizeof(ibuf));
bzero(&obuf, sizeof(obuf));
(void)print_host(&con->se_in.ss, ibuf, sizeof(ibuf));
@@ -1695,12 +1696,22 @@ relay_close(struct rsession *con, const char *msg)
ptr = evbuffer_readln(con->se_log, NULL,
EVBUFFER_EOL_CRLF);
}
- log_info("relay %s, "
- "session %d (%d active), %s, %s -> %s:%d, "
- "%s%s%s", rlay->rl_conf.name, con->se_id, relay_sessions,
- con->se_tag != 0 ? tag_id2name(con->se_tag) : "0", ibuf,
- obuf, ntohs(con->se_out.port), msg, ptr == NULL ? "" : ",",
- ptr == NULL ? "" : ptr);
+ if (err == 0 && (env->sc_conf.opts & RELAYD_OPT_LOGCON))
+ log_info("relay %s, "
+ "session %d (%d active), %s, %s -> %s:%d, "
+ "%s%s%s", rlay->rl_conf.name, con->se_id,
+ relay_sessions, con->se_tag != 0 ?
+ tag_id2name(con->se_tag) : "0", ibuf, obuf,
+ ntohs(con->se_out.port), msg, ptr == NULL ?
+ "" : ",", ptr == NULL ? "" : ptr);
+ if (err == 1 && (env->sc_conf.opts & RELAYD_OPT_LOGCONERR))
+ log_warn("relay %s, "
+ "session %d (%d active), %s, %s -> %s:%d, "
+ "%s%s%s", rlay->rl_conf.name, con->se_id,
+ relay_sessions, con->se_tag != 0 ?
+ tag_id2name(con->se_tag) : "0", ibuf, obuf,
+ ntohs(con->se_out.port), msg, ptr == NULL ?
+ "" : ",", ptr == NULL ? "" : ptr);
free(ptr);
}
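Review bot: The error branch calls `log_warn()` rather than `log_warnx()`; if relayd's log.c follows the usual OpenBSD convention, `log_warn()` appends `strerror(errno)` to the message. `msg` already carries the reason, and errno at this point is whatever the last failing call left behind, so lines such as "hard timeout" or "invalid chunk size" would end in an unrelated system error, and callers that pass `strerror(errno)` would print it twice. Using `log_warnx("relay %s, "` with the same arguments keeps the separate error record without the suffix. Separately, `err == 1` drops the record for any other non-zero value; `err != 0` would be safer. The body of relay_close starts before this hunk.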
@@ -2293,7 +2304,7 @@ relay_tls_transaction(struct rsession *con, struct ctl_relay_event *cre)
return;
err:
- relay_close(con, errstr);
+ relay_close(con, errstr, 1);
}
void
@@ -2307,7 +2318,7 @@ relay_tls_handshake(int fd, short event, void *arg)
char *msg;
if (event == EV_TIMEOUT) {
- relay_close(con, "TLS handshake timeout");
+ relay_close(con, "TLS handshake timeout", 1);
return;
}
@@ -2344,7 +2355,7 @@ relay_tls_handshake(int fd, short event, void *arg)
con->se_in.tlscert = NULL;
if (con->se_in.tlscert == NULL)
relay_close(con,
- "could not create certificate");
+ "could not create certificate", 1);
else
relay_session(con);
return;
@@ -2358,10 +2369,10 @@ relay_tls_handshake(int fd, short event, void *arg)
} else {
if (asprintf(&msg, "TLS handshake error: %s",
tls_error(cre->tls)) >= 0) {
- relay_close(con, msg);
+ relay_close(con, msg, 1);
free(msg);
} else {
- relay_close(con, "TLS handshake error");
+ relay_close(con, "TLS handshake error", 1);
}
return;
}
diff --git a/usr.sbin/relayd/relay_http.c b/usr.sbin/relayd/relay_http.c
index cf493f8c887..a9d27bfe605 100644
--- a/usr.sbin/relayd/relay_http.c
+++ b/usr.sbin/relayd/relay_http.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay_http.c,v 1.70 2017/11/27 16:25:50 benno Exp $ */
+/* $OpenBSD: relay_http.c,v 1.71 2018/08/06 17:31:31 benno Exp $ */
/*
* Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
@@ -406,7 +406,7 @@ relay_read_http(struct bufferevent *bev, void *arg)
action = relay_test(proto, cre);
switch (action) {
case RES_FAIL:
- relay_close(con, "filter rule failed");
+ relay_close(con, "filter rule failed", 1);
return;
case RES_BAD:
relay_abort_http(con, 400, "Bad Request",
@@ -512,12 +512,12 @@ relay_read_http(struct bufferevent *bev, void *arg)
}
}
if (con->se_done) {
- relay_close(con, "last http read (done)");
+ relay_close(con, "last http read (done)", 0);
return;
}
switch (relay_splice(cre)) {
case -1:
- relay_close(con, strerror(errno));
+ relay_close(con, strerror(errno), 1);
case 1:
return;
case 0:
@@ -589,10 +589,10 @@ relay_read_httpcontent(struct bufferevent *bev, void *arg)
/* The callback readcb() might have freed the session. */
return;
done:
- relay_close(con, "last http content read");
+ relay_close(con, "last http content read", 0);
return;
fail:
- relay_close(con, strerror(errno));
+ relay_close(con, strerror(errno), 1);
}
void
@@ -652,7 +652,7 @@ relay_read_httpchunks(struct bufferevent *bev, void *arg)
*/
if (sscanf(line, "%llx", &llval) != 1 || llval < 0) {
free(line);
- relay_close(con, "invalid chunk size");
+ relay_close(con, "invalid chunk size", 1);
return;
}
@@ -713,10 +713,10 @@ relay_read_httpchunks(struct bufferevent *bev, void *arg)
return;
done:
- relay_close(con, "last http chunk read (done)");
+ relay_close(con, "last http chunk read (done)", 0);
return;
fail:
- relay_close(con, strerror(errno));
+ relay_close(con, strerror(errno), 1);
}
void
@@ -991,7 +991,7 @@ relay_abort_http(struct rsession *con, u_int code, const char *msg,
/* In some cases this function may be called from generic places */
if (rlay->rl_proto->type != RELAY_PROTO_HTTP ||
(rlay->rl_proto->flags & F_RETURN) == 0) {
- relay_close(con, msg);
+ relay_close(con, msg, 0);
return;
}
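Review bot: This early-return path in relay_abort_http() closes the session with `err` 0, so an aborted request on a relay that is not HTTP or lacks the `F_RETURN` flag is recorded as a normal close. With only `log connection errors` configured it is not logged at all, whereas the same abort at the `done:` label later in the function passes 1. Rejected requests are what an operator most wants in the error log, so this call should read `relay_close(con, msg, 1);`. The function starts and ends outside this hunk.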
@@ -1060,9 +1060,9 @@ relay_abort_http(struct rsession *con, u_int code, const char *msg,
done:
free(body);
if (asprintf(&httpmsg, "%s (%03d %s)", msg, code, httperr) == -1)
- relay_close(con, msg);
+ relay_close(con, msg, 1);
else {
- relay_close(con, httpmsg);
+ relay_close(con, httpmsg, 1);
free(httpmsg);
}
}
diff --git a/usr.sbin/relayd/relay_udp.c b/usr.sbin/relayd/relay_udp.c
index fe5a1d587ed..74d55feb794 100644
--- a/usr.sbin/relayd/relay_udp.c
+++ b/usr.sbin/relayd/relay_udp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay_udp.c,v 1.48 2018/04/18 12:10:54 claudio Exp $ */
+/* $OpenBSD: relay_udp.c,v 1.49 2018/08/06 17:31:31 benno Exp $ */
/*
* Copyright (c) 2007 - 2013 Reyk Floeter <reyk@openbsd.org>
@@ -204,7 +204,7 @@ relay_udp_response(int fd, short sig, void *arg)
(priv = (*proto->validate)(con, rlay, &ss, buf, len)) == NULL)
return;
- relay_close(con, "unknown response");
+ relay_close(con, "unknown response", 1);
free(priv);
}
@@ -281,7 +281,7 @@ relay_udp_server(int fd, short sig, void *arg)
/* Pre-allocate output buffer */
con->se_out.output = evbuffer_new();
if (con->se_out.output == NULL) {
- relay_close(con, "failed to allocate output buffer");
+ relay_close(con, "failed to allocate output buffer", 1);
return;
}
@@ -289,20 +289,20 @@ relay_udp_server(int fd, short sig, void *arg)
con->se_haslog = 0;
con->se_log = evbuffer_new();
if (con->se_log == NULL) {
- relay_close(con, "failed to allocate log buffer");
+ relay_close(con, "failed to allocate log buffer", 1);
return;
}
if (rlay->rl_conf.flags & F_NATLOOK) {
if ((cnl = calloc(1, sizeof(*cnl))) == NULL) {
- relay_close(con, "failed to allocate natlookup");
+ relay_close(con, "failed to allocate natlookup", 1);
return;
}
}
/* Save the received data */
if (evbuffer_add(con->se_out.output, buf, len) == -1) {
- relay_close(con, "failed to store buffer");
+ relay_close(con, "failed to store buffer", 1);
free(cnl);
return;
}
@@ -337,7 +337,7 @@ relay_udp_timeout(int fd, short sig, void *arg)
if (sig != EV_TIMEOUT)
fatalx("invalid timeout event");
- relay_close(con, "udp timeout");
+ relay_close(con, "udp timeout", 1);
}
/*
@@ -440,7 +440,7 @@ relay_dns_validate(struct rsession *con, struct relay *rlay,
} else {
priv = con->se_priv;
if (priv == NULL || key != priv->dp_inkey) {
- relay_close(con, "invalid response");
+ relay_close(con, "invalid response", 1);
return (NULL);
}
relay_dns_result(con, buf, len);
@@ -531,11 +531,11 @@ relay_dns_result(struct rsession *con, u_int8_t *buf, size_t len)
slen = con->se_out.ss.ss_len;
if (sendto(rlay->rl_s, buf, len, 0,
(struct sockaddr *)&con->se_in.ss, slen) == -1) {
- relay_close(con, "response failed");
+ relay_close(con, "response failed", 1);
return;
}
- relay_close(con, "session closed");
+ relay_close(con, "session closed", 0);
}
int
diff --git a/usr.sbin/relayd/relayd.c b/usr.sbin/relayd/relayd.c
index 0ce53b41d5d..c2e675adf67 100644
--- a/usr.sbin/relayd/relayd.c
+++ b/usr.sbin/relayd/relayd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relayd.c,v 1.171 2017/11/29 15:24:50 benno Exp $ */
+/* $OpenBSD: relayd.c,v 1.172 2018/08/06 17:31:31 benno Exp $ */
/*
* Copyright (c) 2007 - 2016 Reyk Floeter <reyk@openbsd.org>
@@ -558,7 +558,7 @@ purge_relay(struct relayd *env, struct relay *rlay)
/* cleanup sessions */
while ((con =
SPLAY_ROOT(&rlay->rl_sessions)) != NULL)
- relay_close(con, NULL);
+ relay_close(con, NULL, 0);
/* cleanup relay */
if (rlay->rl_bev != NULL)
diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5
index 125bd685bb2..dd40a50946b 100644
--- a/usr.sbin/relayd/relayd.conf.5
+++ b/usr.sbin/relayd/relayd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: relayd.conf.5,v 1.185 2018/06/18 06:04:25 jmc Exp $
+.\" $OpenBSD: relayd.conf.5,v 1.186 2018/08/06 17:31:31 benno Exp $
.\"
.\" Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
.\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: June 18 2018 $
+.Dd $Mdocdate: August 6 2018 $
.Dt RELAYD.CONF 5
.Os
.Sh NAME
@@ -123,14 +123,14 @@ Set the interval in seconds at which the hosts will be checked.
The default interval is 10 seconds.
.It Xo
.Ic log
-.Pq Ic updates Ns | Ns Ic all
+.Pq Ic state changes Ns | Ns Ic host checks
.Xc
-Log state notifications after completed host checks.
-Either only log the
-.Ic updates
-to new states or log
-.Ic all
-state notifications, even if the state didn't change.
+Log host checks:
+Either log only the
+.Ic state changes
+of hosts or log all
+.Ic host checks
+that were run, even if the state didn't change.
The host state can be
.Dq up
(the health check completed successfully),
@@ -139,6 +139,12 @@ The host state can be
or
.Dq unknown
(the host is disabled or has not been checked yet).
+.It Xo
+.Ic log connection Op Ic errors
+.Xc
+When using relays, log all TCP connections.
+Optionally log only
+.Ic connection errors.
.It Ic prefork Ar number
When using relays, run the specified number of processes to handle
relayed connections.
diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h
index bcf47a6f709..ac43aa50608 100644
--- a/usr.sbin/relayd/relayd.h
+++ b/usr.sbin/relayd/relayd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: relayd.h,v 1.249 2018/04/18 12:10:54 claudio Exp $ */
+/* $OpenBSD: relayd.h,v 1.250 2018/08/06 17:31:31 benno Exp $ */
/*
* Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
@@ -1107,8 +1107,9 @@ struct relayd {
#define RELAYD_OPT_VERBOSE 0x01
#define RELAYD_OPT_NOACTION 0x04
#define RELAYD_OPT_LOGUPDATE 0x08
-#define RELAYD_OPT_LOGNOTIFY 0x10
-#define RELAYD_OPT_LOGALL 0x18
+#define RELAYD_OPT_LOGHOSTCHECK 0x10
+#define RELAYD_OPT_LOGCON 0x20
+#define RELAYD_OPT_LOGCONERR 0x40
/* control.c */
int control_init(struct privsep *, struct control_sock *);
@@ -1173,7 +1174,7 @@ void relay_notify_done(struct host *, const char *);
int relay_session_cmp(struct rsession *, struct rsession *);
char *relay_load_fd(int, off_t *);
int relay_load_certfiles(struct relay *);
-void relay_close(struct rsession *, const char *);
+void relay_close(struct rsession *, const char *, int);
int relay_reset_event(struct ctl_relay_event *);
void relay_natlook(int, short, void *);
void relay_session(struct rsession *);