Remote Logging with Syslog

The Remote Logging options under Status > System Logs on the Settings tab enable syslog to copy log entries to a remote server.

The logs kept by pfSense® software on the firewall itself are of a finite size. Copying these entries to a syslog server can aid troubleshooting and allow for long-term monitoring. Having a remote copy can also help diagnose events that occur before a firewall restarts or after they would have otherwise been lost due to clearing of the logs or when older entries are cycled out of the log, and in cases when local storage has failed but the network remains active.

Warning

Corporate or local legislative policies may dictate the length of time an organization must retain log data from firewalls and similar devices. If an organization requires long-term log retention for their own or government purposes, a remote syslog server is required to receive and retain these logs.

Warning

Logs sent using this method are delivered in the clear (not encrypted) unless they travel through a VPN or a wrapper such as the Stunnel package. As an alternative, consider the syslog-ng package, which supports encrypted syslog. Plain UDP syslog is also unauthenticated: the source address of a datagram is trivial to spoof, so an allow list on the receiving server only filters noise and does not prove where a message came from.

The following options are available for remote logging:

Source Address

Controls where the syslog daemon binds for sending out messages. In most cases, the default (Any) is the best option, so the firewall will use the address nearest the target. If the destination server is across a tunnel mode IPsec VPN, however, choosing an interface or Virtual IP address inside the local Phase 2 network will allow the log messages to flow properly over a tunnel.

IP Protocol

When choosing an interface for the Source Address, this option gives the syslog daemon a preference for either using IPv4 or IPv6, depending on which is available. If there is no matching address for the selected type, the other type is used instead.

Remote Log Servers

Enter up to three remote servers using the boxes contained in this section. Each remote server can use either an IP address or hostname, and an optional UDP port number. If the port is not specified, the default syslogd port, 514, is assumed.

A syslog server is typically a server that is directly reachable from the firewall on a local interface. Logging can also be sent to a server across a VPN.

Warning

Do not send log data directly across any WAN connection or unencrypted site-to-site link, as it is plain text and could contain sensitive information.

Note

The syslog daemon only supports sending messages over UDP, which offers no delivery guarantee: messages dropped in transit are lost silently. To send syslog messages over TCP, consider using the syslog-ng package.

Remote Syslog Contents

The options in this section control which log messages will be sent to the remote log server.

Everything

When set, all log messages from all areas are sent to the server.

System Events

Main system log messages that do not fall into other categories.

Firewall Events

Firewall log messages in raw format. The format of the raw log is covered in Raw Filter Log Format.

DNS Events

Messages from the DNS Resolver (unbound), DNS Forwarder (dnsmasq), and from the filterdns daemon which periodically resolves hostnames in aliases.

DHCP Events

Messages from the IPv4 and IPv6 DHCP daemons, relay agents, and clients.

PPP Events

Messages from PPP WAN clients (PPPoE, L2TP, PPTP).

General Authentication Events

Log messages about authentication events, such as for the GUI or certain types of VPNs.

Captive Portal Events

Messages from the Captive Portal system, typically authentication messages and errors.

VPN Events

Messages from VPN daemons such as IPsec and OpenVPN, as well as the L2TP server and PPPoE server.

Gateway Monitor Events

Messages from the gateway monitoring daemon, dpinger.

Routing Daemon Events

Routing-related messages such as UPnP/NAT-PMP, IPv6 routing advertisements, and routing daemons from packages like OSPF, BGP, and RIP.

Network Time Protocol Events

Messages from the NTP daemon and client.

Wireless Events

Messages from the Wireless AP daemon, hostapd.

To start logging remotely:

  • Navigate to Status > System Logs on the Settings tab

  • Check Send log messages to remote syslog server

  • Configure the options as described above

  • Click Save to store the changes.

If a syslog server is not already available, it is fairly easy to set one up. Almost any UNIX or UNIX-like system can be used as a syslog server. FreeBSD is described in the following section, but others may be similar.

Setup Syslog on the Logging Host

First, configure the syslog server to accept remote messages. On FreeBSD this means running syslogd with the -a <allowed_peer> flag; other syslog daemons have a similar option.

On FreeBSD, edit /etc/rc.conf and add this line:

syslogd_flags="-a 192.168.1.1"

Where 192.168.1.1 is the IP address of the pfSense firewall. This replaces the FreeBSD default of syslogd_flags="-s", which refuses all remote messages; without at least one -a entry syslogd accepts none.

More complex allow rules for syslog are also possible, like so:

syslogd_flags="-a 10.0.10.0/24:*"

Using that parameter, syslogd accepts messages from any address in the 10.0.10.0 subnet (mask 255.255.255.0), sent from any UDP source port. Without the :* suffix, syslogd only accepts datagrams whose source port is 514, so the suffix is needed when the sender uses a different source port.

Now, edit /etc/syslog.conf and add a block at the bottom:

!*
+*

+pfsense
*.*                /var/log/pfsense.log

Where pfsense is the hostname of the pfSense firewall as syslogd resolves it from the sender address. The !* and +* lines clear any program and host filters set earlier in the file, and +pfsense applies the lines that follow only to messages from that host. Because syslogd looks the name up from the source address of each datagram, an entry may need to be added to /etc/hosts for the firewall, depending on the DNS setup:

192.168.1.1            pfsense     pfsense.example.com

Logs may also be split into separate files by program or facility. Consult the /etc/syslog.conf file on the pfSense firewall for details on which logging facilities and program names are used for specific items.

The log file may also need to be created manually with proper permissions:

touch /var/log/pfsense.log
chmod 640 /var/log/pfsense.log

Now restart syslog:

/etc/rc.d/syslogd restart
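The two checks the FreeBSD configuration above relies on, the -a allowed_peer rule and the +hostname block keyed on the sender's resolved name, are easy to get wrong (a missing :* silently drops everything, a missing /etc/hosts entry sends logs into the wrong block). The following Python collector models both so they can be exercised offline. It is an added example, not pfSense or FreeBSD code: the peer-rule grammar follows syslogd(8), the <PRI> decoding follows RFC 3164, and the message text, the dict standing in for /etc/hosts, and the addresses 192.168.1.1 and 10.0.10.0/24 are constructed for illustration.

```python
"""UDP syslog collector sketch: syslogd's -a allowed_peer check and its
+hostname host filter, modelled in Python (added example, not project code)."""
from __future__ import annotations

import ipaddress
import re
import socket
from dataclasses import dataclass

SYSLOG_PORT = 514  # default destination port, and the default source port -a requires

# RFC 5424 facility and severity tables (12..15 use their common short names)
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass(frozen=True)
class PeerRule:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    port: int | None  # None means ":*", any source port


def parse_peer_rule(spec: str) -> PeerRule:
    """Parse "ipaddr[/masklen][:service]" the way syslogd(8) -a does.

    A bare address is a single host. Without ":service" only datagrams sent
    from source port 514 are accepted; ":*" accepts any source port.
    (IPv6 rules are assumed to be given without a ":service" suffix.)
    """
    service, host = None, spec
    try:
        ipaddress.ip_network(spec, strict=False)  # no ":service" suffix present
    except ValueError:
        host, _, service = spec.rpartition(":")
    network = ipaddress.ip_network(host, strict=False)
    if service is None:
        port: int | None = SYSLOG_PORT
    elif service == "*":
        port = None
    else:
        port = int(service)
    return PeerRule(network, port)


def peer_allowed(addr: str, port: int, rules: list[PeerRule]) -> bool:
    """True if the sender matches any -a rule; everything else is dropped."""
    ip = ipaddress.ip_address(addr)
    return any(ip in r.network and r.port in (None, port) for r in rules)


@dataclass(frozen=True)
class SyslogMessage:
    facility: str
    severity: str
    body: str  # timestamp, hostname, tag and text exactly as sent


def parse_syslog(datagram: bytes) -> SyslogMessage:
    """Split the RFC 3164 <PRI> prefix (facility * 8 + severity) from the body."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\n")
    m = PRI_RE.match(text)
    if m is None or int(m.group(1)) > 191:
        raise ValueError(f"malformed PRI: {text[:32]!r}")
    pri = int(m.group(1))
    return SyslogMessage(FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2))


def route_datagram(datagram: bytes, peer: tuple[str, int], rules: list[PeerRule],
                   hosts: dict[str, str]) -> tuple[str, SyslogMessage] | None:
    """Apply the -a check, then choose the "+hostname" block as syslogd does:
    the name comes from reverse-resolving the sender address (here a dict
    standing in for /etc/hosts), not from the hostname inside the message.
    Returns None when the datagram is rejected, else (hostname, message)."""
    addr, port = peer
    if not peer_allowed(addr, port, rules):
        return None
    return hosts.get(addr, addr), parse_syslog(datagram)


def collect_once(rules: list[PeerRule], hosts: dict[str, str]):
    """Offline demo: deliver one constructed message to ourselves over loopback UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))  # ephemeral port instead of 514, so no root needed
        rx.settimeout(2)
        tx.sendto(b"<134>Jan  1 00:00:00 pfsense example[1]: constructed test message",
                  rx.getsockname())
        data, peer = rx.recvfrom(65535)
        return route_datagram(data, peer, rules, hosts)


if __name__ == "__main__":
    # The loopback sender uses an ephemeral source port, so the rule needs ":*".
    result = collect_once([parse_peer_rule("127.0.0.1:*")], {"127.0.0.1": "pfsense"})
    print(result)  # ('pfsense', SyslogMessage(facility='local0', severity='info', ...))
```

Running the script delivers the constructed message to itself; replace the rule with a bare "127.0.0.1" and the datagram is dropped, which is the same failure seen on a real host when the firewall sends from a source port other than 514 and the rule lacks :*.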

Setting this up on Windows entirely depends on which syslog server is being used. Consult the documentation for more information on configuration.

There is a free multi-purpose utility that can act as a syslog server, which can be found here: http://tftpd32.jounin.net/

Kiwi Syslog Server is free for up to 5 devices. https://www.solarwinds.com/free-tools/kiwi-free-syslog-server

Configuration of the system logger on Linux depends on the distribution. Consult the distribution’s documentation on how to change the behavior of syslogd. It should be similar in many cases to the alterations in the FreeBSD section.

The configuration for OpenBSD is similar to FreeBSD, with the following notes:

  1. The option to accept remote syslog events is -u.

  2. This option may be enabled using rcctl(8):

rcctl set syslogd flags -u

  3. To restart the syslogd service:

rcctl restart syslogd

Other Logging Servers

Other log systems or styles such as Splunk, ELSA (Enterprise Log Search and Archive), Graylog, ELK (Elasticsearch, Logstash, and Kibana), or OpenSearch (an open source fork of ELK components) may also be used, but the methods for implementing them are beyond the scope of this document. If such a system is syslog-compatible, the pfSense software side should be as simple to set up as it is for any other syslog server.