Remote Logging with Syslog¶
The Remote Logging options under Status > System Logs on the Settings tab enable syslog to copy log entries to a remote server.
The logs kept by pfSense® software on the firewall itself are of a finite size. Copying these entries to a syslog server can aid troubleshooting and allow for long-term monitoring. Having a remote copy can also help diagnose events that occurred before a firewall restart, entries that would otherwise have been lost when the logs were cleared or older entries were rotated out, and cases where local storage has failed but the network remains active.
Warning
Corporate or local legislative policies may dictate the length of time an organization must retain log data from firewalls and similar devices. If an organization requires long-term log retention for their own or government purposes, a remote syslog server is required to receive and retain these logs.
Warning
Logs sent using this method are delivered in the clear (not encrypted) unless the logs are sent through a VPN or wrapped by a mechanism such as the Stunnel package. As an alternative, consider using the syslog-ng package, which supports encrypted syslog.
The following options are available for remote logging:
- Source Address: Controls where the syslog daemon binds for sending out messages. In most cases, the default (Any) is the best option, so the firewall will use the address nearest the target. If the destination server is across a tunnel mode IPsec VPN, however, choosing an interface or Virtual IP address inside the local Phase 2 network will allow the log messages to flow properly over the tunnel.
- IP Protocol: When choosing an interface for the Source Address, this option gives the syslog daemon a preference for using either IPv4 or IPv6, depending on which is available. If there is no matching address for the selected type, the other type is used instead.
- Remote Log Servers: Enter up to three remote servers using the boxes in this section. Each remote server can be specified as an IP address or hostname, with an optional UDP port number. If the port is not specified, the default syslogd port, 514, is assumed. A syslog server is typically a server that is directly reachable from the firewall on a local interface. Logging can also be sent to a server across a VPN.
Warning
Do not send log data directly across any WAN connection or unencrypted site-to-site link, as it is plain text and could contain sensitive information.
Note
The syslog daemon only supports sending messages over UDP. To send syslog messages over TCP, consider using the syslog-ng package.
- Remote Syslog Contents:
The options in this section control which log messages will be sent to the remote log server.
- Everything:
When set, all log messages from all areas are sent to the server.
- System Events:
Main system log messages that do not fall into other categories.
- Firewall Events:
Firewall log messages in raw format. The format of the raw log is covered in Raw Filter Log Format.
- DNS Events: Messages from the DNS Resolver (unbound), the DNS Forwarder (dnsmasq), and the filterdns daemon, which periodically resolves hostnames in aliases.
- DHCP Events: Messages from the IPv4 and IPv6 DHCP daemons, relay agents, and clients.
- PPP Events:
Messages from PPP WAN clients (PPPoE, L2TP, PPTP)
- General Authentication Events:
Log messages about authentication events, such as for the GUI or certain types of VPNs.
- Captive Portal Events:
Messages from the Captive Portal system, typically authentication messages and errors.
- VPN Events:
Messages from VPN daemons such as IPsec and OpenVPN, as well as the L2TP server and PPPoE server.
- Gateway Monitor Events: Messages from the gateway monitoring daemon, dpinger.
- Routing Daemon Events:
Routing-related messages such as UPnP/NAT-PMP, IPv6 routing advertisements, and routing daemons from packages like OSPF, BGP, and RIP.
- Network Time Protocol Events:
Messages from the NTP daemon and client.
- Wireless Events: Messages from the Wireless AP daemon, hostapd.
To start logging remotely:
1. Navigate to Status > System Logs on the Settings tab
2. Check Send log messages to remote syslog server
3. Configure the options as described above
4. Click Save to store the changes.
If a syslog server is not already available, it is fairly easy to set one up. Almost any UNIX or UNIX-like system can be used as a syslog server. FreeBSD is described in the following section, but others may be similar.
Setup Syslog on the Logging Host¶
First, configure the syslog server to accept remote connections, which means running it with the -a <subnet> or similar flag.
On FreeBSD, edit /etc/rc.conf and add this line:
syslogd_flags="-a 192.168.1.1"
Where 192.168.1.1 is the IP address of the pfSense firewall. This replaces the default -s (secure mode) flag, under which syslogd ignores messages from remote hosts; -a may be repeated to allow more than one firewall.
More complex allow rules for syslogd are also possible, like so:
syslogd_flags="-a 10.0.10.0/24:*"
Using that parameter, syslogd will accept messages from any IP address in the 10.0.10.0 subnet (mask 255.255.255.0), sent from any UDP source port. The :* suffix matters: without a service part, syslogd only accepts datagrams whose UDP source port is 514 (the syslog service), so a sender using an ephemeral source port is silently dropped. Either form filters only on the unauthenticated source address of the datagram; a host that can spoof that address on the network can still inject log entries.
Now, edit /etc/syslog.conf
and add a block at the bottom:
!*
+*
+pfsense
*.* /var/log/pfsense.log
Where pfsense is the hostname of the pfSense firewall. In that block, !* and +* reset any program and host selectors from earlier in the file, +pfsense selects messages from that host, and *.* matches every facility and level. Depending on the DNS setup, an entry may also need to be added to /etc/hosts for that system, for example:
192.168.1.1 pfsense pfsense.example.com
Logs may also be split into separate files by facility. Use the /etc/syslog.conf file on the pfSense firewall for details on which logging facilities are used for specific items.
The log file may also need to be created manually with proper permissions:
touch /var/log/pfsense.log
chmod 640 /var/log/pfsense.log
Now restart syslog:
/etc/rc.d/syslogd restart
Setting this up on Windows entirely depends on which syslog server is being used. Consult the documentation for more information on configuration.
There is a free multi-purpose utility that can act as a syslog server, which can be found here: http://tftpd32.jounin.net/
Kiwi Syslog Server is free for up to 5 devices. https://www.solarwinds.com/free-tools/kiwi-free-syslog-server
Configuration of the system logger on Linux depends on the distribution. Consult the distribution’s documentation on how to change the behavior of syslogd. It should be similar in many cases to the alterations in the FreeBSD section.
The configuration for OpenBSD is similar to FreeBSD, with the following notes:
- The option to accept remote syslog events is -u. Unlike the FreeBSD -a option, -u has no allowlist and accepts messages from any sender, so restrict access to UDP port 514 with pf. This option may be enabled using rcctl(8):
rcctl set syslogd flags -u
- To restart the syslogd service:
rcctl restart syslogd
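As an added example (not code from pfSense, FreeBSD, or this documentation), the following Python script receives UDP syslog the way the logging-host setup above does: it applies syslogd-style -a peer rules, decodes the BSD PRI value into facility and severity, keeps only messages from the host named by the +pfsense selector, and appends them to a file. The listen port 5514 (a non-privileged stand-in for 514), the log file name, and the sample messages are assumptions; the samples are constructed, not captured from a firewall.

```python
"""Minimal UDP syslog receiver with a syslogd(8)-style -a allowlist and a
+host selector. Added example; not pfSense, FreeBSD or pfSense-docs code.
Sample datagrams below are constructed, not captured from a real firewall."""
import ipaddress
import re
import socket

# Facility and severity names for the BSD PRI value (RFC 3164 section 4.1.1).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>, BSD timestamp, hostname, optional "tag[pid]: ", message body.
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?:(?P<tag>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: )?"
    r"(?P<msg>.*)$", re.S)

# Constructed samples in the BSD format, as pfSense daemons might emit them.
SAMPLE_SSHD = (b"<38>Jan  1 12:00:00 pfsense sshd[1234]: "
               b"Accepted publickey for admin from 10.0.10.20 port 50222 ssh2")
SAMPLE_DHCPD = (b"<30>Jan  1 12:00:01 pfsense dhcpd[345]: "
                b"DHCPACK on 10.0.10.50 to 00:11:22:33:44:55 via igb1")
SAMPLE_BAD_PRI = b"<200>Jan  1 12:00:02 pfsense kernel: bogus priority"


def parse_allow_rule(rule):
    """Parse one -a peer rule, addr[/masklen][:service], into (network, port).
    port None means any source port (the ':*' form). Like syslogd, a rule
    with no service part only accepts datagrams sent from source port 514."""
    addr, sep, service = rule.partition(":")
    net = ipaddress.ip_network(addr, strict=False)
    if not sep or service == "":
        return net, 514
    return net, (None if service == "*" else int(service))


def peer_allowed(src_ip, src_port, rules):
    """True if (src_ip, src_port) matches any parsed -a rule."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net and port in (None, src_port) for net, port in rules)


def parse_bsd_syslog(raw):
    """Decode one RFC 3164 message into a dict, or None if it is malformed."""
    m = BSD_RE.match(raw)
    if m is None or int(m["pri"]) > 191:  # 191 = local7.debug, the largest PRI
        return None
    pri = int(m["pri"])
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "timestamp": m["ts"], "host": m["host"], "tag": m["tag"],
            "pid": int(m["pid"]) if m["pid"] else None,
            "msg": m["msg"].rstrip("\r\n")}


def handle_datagram(data, src, rules, wanted_host=None):
    """Apply the allowlist first (UDP syslog carries no authentication, so the
    source address is the only gate), then decode, then keep only messages
    that name wanted_host, like '+pfsense' in syslog.conf. Returns the record
    or None when the datagram is dropped."""
    if not peer_allowed(src[0], src[1], rules):
        return None
    rec = parse_bsd_syslog(data.decode("utf-8", errors="replace"))
    if rec is None or (wanted_host and rec["host"] != wanted_host):
        return None
    return rec


def format_record(rec, src_ip):
    """One line per message, with the decoded facility.severity and the
    sending address so a spoofed hostname can be spotted later."""
    tag = (rec["tag"] or "-") + ("[%d]" % rec["pid"] if rec["pid"] else "")
    return "%s %s %s: [%s.%s from %s] %s" % (
        rec["timestamp"], rec["host"], tag, rec["facility"], rec["severity"],
        src_ip, rec["msg"])


def serve(bind=("0.0.0.0", 5514), rules=("192.168.1.1", "10.0.10.0/24:*"),
          logfile="pfsense.log", wanted_host="pfsense"):
    """Receive forever and append accepted messages to logfile. Port 5514 is
    an assumed non-privileged stand-in for 514; point the firewall's Remote
    Log Server entry at host:5514 to use it."""
    parsed = [parse_allow_rule(r) for r in rules]
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    with open(logfile, "a") as out:
        while True:
            data, src = sock.recvfrom(65535)  # one message per datagram
            rec = handle_datagram(data, src, parsed, wanted_host)
            if rec is not None:
                out.write(format_record(rec, src[0]) + "\n")
                out.flush()


if __name__ == "__main__":
    serve()
```

The allowlist is checked before any parsing so that unsolicited datagrams cost nothing but a lookup, and the sending address is written into every line because the hostname inside a syslog message is whatever the sender chose to put there.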
Other Logging Servers¶
Other log systems or styles such as Splunk, ELSA (Enterprise Log Search and Archive), Graylog, ELK (Elasticsearch, Logstash, and Kibana), or OpenSearch (open source fork of ELK components) may also be used but the methods for implementing them are beyond the scope of this document. If such a system is syslog-compatible, then the pfSense software side should be fairly simple to setup as it would be for any other syslog system.