To retain logs for any significant period of time, remote syslog must be
enabled and a syslog server must be configured to accept log messages
from pfSense® software.
There are several different syslog server software packages. Most
BSD/Linux systems will have one built in, and there are some free
utilities available for Windows to accept syslog messages from remote
Configuration of the system logger on Linux depends on the distribution.
Consult the distribution’s documentation on how to change the behavior of
syslogd. It should be similar in many cases to the alterations in the
On FreeBSD, edit /etc/rc.conf and add this line:

    syslogd_flags="-a 192.168.1.1"
Where 192.168.1.1 is the IP address of the pfSense firewall.
More complex allow rules for syslog are also possible, like so:

    syslogd_flags="-a 10.0.10.0/24:*"
Using that parameter, syslog will accept from any IP address in the
10.0.10.0 subnet (mask 255.255.255.0) and the messages may come from any
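As an added example (not code from the pfSense documentation), the following Python models how FreeBSD syslogd evaluates `-a` allowed_peer entries of the form `ipaddr[/masklen][:service]`: a bare address or subnet only accepts datagrams whose source port is the syslog port (514), while the `:*` suffix accepts any source port. It assumes IPv4 entries and numeric services; names from /etc/services are not resolved.

```python
import ipaddress

SYSLOG_PORT = 514  # the default service when no ":service" suffix is given


def parse_allowed_peer(spec):
    """Parse one syslogd -a entry: ipaddr[/masklen][:service].

    Returns (network, port); port is None for ':*' (any source port).
    Assumption: IPv4 only and a numeric service, so the last ':' separates
    the service from the address.
    """
    addr, sep, service = spec.rpartition(":")
    if not sep:  # no ':service' suffix, so the syslog port is required
        addr, service = spec, str(SYSLOG_PORT)
    port = None if service == "*" else int(service)
    # strict=False lets a host address without a mask become a /32 network
    network = ipaddress.ip_network(addr, strict=False)
    return network, port


def accepts(allowed_peers, src_ip, src_port):
    """True if a UDP datagram from (src_ip, src_port) matches any -a entry."""
    ip = ipaddress.ip_address(src_ip)
    for spec in allowed_peers:
        network, port = parse_allowed_peer(spec)
        if ip in network and (port is None or port == src_port):
            return True
    return False


if __name__ == "__main__":
    # The two entries from the text, checked against constructed datagrams.
    print(accepts(["192.168.1.1"], "192.168.1.1", 514))      # True
    print(accepts(["192.168.1.1"], "192.168.1.1", 40000))    # False: port != 514
    print(accepts(["10.0.10.0/24:*"], "10.0.10.77", 40000))  # True: any port
    print(accepts(["10.0.10.0/24:*"], "10.0.11.1", 514))     # False: other subnet
```

The second check shows why a host-only entry can silently drop messages sent from an ephemeral source port; `:*` or an explicit matching service is needed in that case.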
Now, edit /etc/syslog.conf and add a block at the bottom:
Where pfSense is the hostname of the pfSense firewall. An entry may
also need to be added in /etc/hosts for that system, depending on the
DNS setup. Logs may be split into separate files. Consult the
/etc/syslog.conf file on the pfSense firewall for more details on which
logging facilities are used for specific items.
The log file may also need to be created manually with proper
Other log systems such as Splunk, ELSA, or ELK may also be used, but the
methods for implementing them are beyond the scope of this document. If
such a system is syslog-compatible, then the pfSense software side should
be fairly simple to set up, as it would be for any other syslog server.