Remote Logging with Syslog

The Remote Logging options under Status > System Logs on the Settings tab enable syslog to copy log entries to a remote server.

The logs kept by pfSense® software on the firewall itself are of finite size. Copying entries to a syslog server aids troubleshooting and allows long-term monitoring. A remote copy also preserves events that would otherwise be lost: entries written before a firewall restart, entries removed when the log is cleared or when older entries are cycled out, and entries from a period when local storage has failed but the network remains active.

Warning

Corporate or local legislative policies may dictate how long an organization must retain log data from firewalls and similar devices. If an organization requires long-term log retention, whether for its own purposes or to satisfy a regulatory requirement, a remote syslog server is required to receive and retain these logs.

Warning

Logs sent using this method are delivered in the clear (not encrypted) unless they are sent through a VPN or wrapped by a mechanism such as the Stunnel package. As an alternative, consider the syslog-ng package, which supports encrypted syslog.

The following options are available for remote logging:

Source Address:

Controls where the syslog daemon binds for sending out messages. In most cases, the default (Any) is the best option, so the firewall will use the address nearest the target. If the destination server is across a tunnel mode IPsec VPN, however, choosing an interface or Virtual IP address inside the local Phase 2 network will allow the log messages to flow properly over a tunnel.

IP Protocol:

When choosing an interface for the Source Address, this option gives the syslog daemon a preference for either using IPv4 or IPv6, depending on which is available. If there is no matching address for the selected type, the other type is used instead.

Remote Log Servers:

Enter up to three remote servers using the boxes contained in this section. Each remote server can use either an IP address or hostname, and an optional UDP port number. If the port is not specified, the default syslogd port, 514, is assumed.

A syslog server is typically a server that is directly reachable from the firewall on a local interface. Logging can also be sent to a server across a VPN.

Warning

Do not send log data directly across any WAN connection or unencrypted site-to-site link, as it is plain text and could contain sensitive information.

Note

The syslog daemon only supports sending messages over UDP. To send syslog messages over TCP, consider using the syslog-ng package.

Remote Syslog Contents:

The options in this section control which log messages will be sent to the remote log server.

Everything:

When set, all log messages from all areas are sent to the server.

System Events:

Main system log messages that do not fall into other categories.

Firewall Events:

Firewall log messages in raw format. The format of the raw log is covered in Raw Filter Log Format.

DNS Events:

Messages from the DNS Resolver (unbound), DNS Forwarder (dnsmasq), and from the filterdns daemon which periodically resolves hostnames in aliases.

DHCP Events:

Messages from the IPv4 and IPv6 DHCP daemons, relay agents, and clients.

PPP Events:

Messages from PPP WAN clients (PPPoE, L2TP, PPTP).

General Authentication Events:

Log messages about authentication events, such as for the GUI or certain types of VPNs.

Captive Portal Events:

Messages from the Captive Portal system, typically authentication messages and errors.

VPN Events:

Messages from VPN daemons such as IPsec and OpenVPN, as well as the L2TP server and PPPoE server.

Gateway Monitor Events:

Messages from the gateway monitoring daemon, dpinger.

Routing Daemon Events:

Routing-related messages, such as those from UPnP/NAT-PMP, IPv6 router advertisements, and routing daemons provided by packages such as OSPF, BGP, and RIP.

Network Time Protocol Events:

Messages from the NTP daemon and client.

Wireless Events:

Messages from the Wireless AP daemon, hostapd.

To start logging remotely:

  • Navigate to Status > System Logs on the Settings tab

  • Check Send log messages to remote syslog server

  • Configure the options as described above

  • Click Save to store the changes.

If a syslog server is not already available, it is fairly easy to set one up. Almost any UNIX or UNIX-like system can be used as a syslog server. FreeBSD is described in the following section, but others may be similar.

Setup Syslog on the Logging Host

First, configure the syslog server to accept remote messages, which on FreeBSD means running syslogd with the -a <allowed_peer> flag (other systems have an equivalent setting). The packet filter on the logging host, if any, must also allow inbound UDP port 514 from the firewall.

On FreeBSD, edit /etc/rc.conf and add this line:

syslogd_flags="-a 192.168.1.1"

Where 192.168.1.1 is the IP address of the pfSense firewall. This replaces the default syslogd_flags="-s" from /etc/defaults/rc.conf, which tells syslogd not to accept messages from remote hosts at all.

More complex allow rules for syslogd are also possible, like so:

syslogd_flags="-a 10.0.10.0/24:*"

Using that parameter, syslogd accepts messages from any IP address in the 10.0.10.0 subnet (mask 255.255.255.0), and the messages may come from any UDP source port. Without the :* suffix, syslogd only accepts messages whose source port is the syslog port (514). Note that this is an address filter, not authentication: UDP source addresses can be spoofed, which is one more reason to keep syslog traffic on a trusted segment or inside a VPN.

Now, edit /etc/syslog.conf and add a block at the bottom:

!*
+*

+pfsense
*.*                /var/log/pfsense.log

Where pfsense is the hostname of the pfSense firewall. The !* and +* lines reset any program and host filters set earlier in the file, so the block applies only to messages from pfsense. An entry may also need to be added to /etc/hosts for that system, depending on the DNS setup, so that the firewall's address resolves to that name:

192.168.1.1            pfsense     pfsense.example.com

Logs may also be split into separate files by facility. Use the /etc/syslog.conf file on the pfSense firewall for details on which logging facilities are used for specific items.

The log file may also need to be created manually with proper permissions:

touch /var/log/pfsense.log
chmod 640 /var/log/pfsense.log

Now restart syslogd so the new flags and configuration take effect:

service syslogd restart

(/etc/rc.d/syslogd restart is equivalent.)
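To make the two syslogd settings above concrete, here is a toy UDP syslog collector that models them. This is an added example, not pfSense or FreeBSD code: it applies an allowed-peer list with the same ipaddr[/masklen][:port] syntax as the -a flag (so datagrams from anywhere else are dropped before they are parsed), and it files accepted messages per sender, naming the sender from its source address the way the /etc/hosts entry lets syslogd name it, never from the hostname field inside the datagram. The addresses in ALLOWED_PEERS and HOSTS, the sample datagrams, and the 5514 test port are assumptions made for the example, and the BSD (RFC 3164) message format is assumed.

```python
"""Toy UDP syslog collector modelling the syslogd -a list and +hostname block.

Added example, not pfSense or FreeBSD code.  Addresses, hostnames and the
sample datagrams below are constructed for this example.
"""
import ipaddress
import re
import socket
import sys
from pathlib import Path

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "cron2"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Same syntax as syslogd's -a flag: ipaddr[/masklen][:port]; ':*' means any
# source port, no port means 514.  IPv4 only, to keep the parser short.
PEER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)(?::(\*|\d{1,5}))?$")
# Equivalent of syslogd_flags="-a 192.168.1.1 -a 10.0.10.0/24:*" (assumed values)
ALLOWED_PEERS = ["192.168.1.1", "10.0.10.0/24:*"]
# Equivalent of the /etc/hosts entry: source address -> name used for filing
HOSTS = {"192.168.1.1": "pfsense"}

MSG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                # <PRI>
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "      # Mmm dd hh:mm:ss
    r"(?P<host>\S+) "                                     # hostname field
    r"(?:(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?)?"    # optional TAG[pid]:
    r"(?P<msg>.*)$", re.S)


def parse_allowed_peer(spec):
    """Turn one -a style spec into (network, port); port None means any port."""
    m = PEER_RE.match(spec)
    if not m:
        raise ValueError(f"bad allowed_peer: {spec!r}")
    net, port = m.groups()
    return ipaddress.ip_network(net, strict=False), None if port == "*" else int(port or 514)


def peer_allowed(addr, port, allowed=ALLOWED_PEERS):
    """True if a datagram from addr:port passes the allowed_peer list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net and (p is None or p == port)
               for net, p in map(parse_allowed_peer, allowed))


def parse_message(data):
    """Parse one RFC 3164 datagram; None if it is malformed."""
    m = MSG_RE.match(data.decode("utf-8", "replace"))
    if not m or int(m["pri"]) > 191:   # PRI = facility*8 + severity, max 23*8+7
        return None
    pri = int(m["pri"])
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "timestamp": m["ts"], "host": m["host"], "tag": m["tag"],
            "pid": m["pid"], "msg": m["msg"]}


def process_datagram(data, addr, port):
    """Return (log file name, line to append) for an accepted datagram, else None."""
    if not peer_allowed(addr, port):
        return None
    rec = parse_message(data)
    if rec is None:
        return None
    # File by sender address, not by the hostname field, which any sender can forge.
    name = HOSTS.get(addr, addr)
    proc = ""
    if rec["tag"]:
        proc = rec["tag"] + (f"[{rec['pid']}]" if rec["pid"] else "") + ": "
    return f"{name}.log", f"{rec['timestamp']} {name} {proc}{rec['msg']}"


def serve(bind="0.0.0.0", port=514, logdir="/var/log"):
    """Receive datagrams forever and append accepted ones to per-sender files."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))            # binding port 514 needs root
    while True:
        data, (addr, sport) = sock.recvfrom(65535)
        result = process_datagram(data, addr, sport)
        if result is not None:
            fname, line = result
            with open(Path(logdir) / fname, "a") as f:
                f.write(line + "\n")


if __name__ == "__main__":
    # Constructed sample datagrams run through the same path the server uses.
    samples = [
        (b"<13>Jan  5 12:00:01 pfsense sshd[100]: Accepted publickey for admin from 10.0.10.7 port 51122 ssh2", "192.168.1.1", 514),
        (b"<30>Jan  5 12:00:02 gw2 dhcpd[2345]: DHCPACK on 10.0.10.20 to 00:11:22:33:44:55 via em1", "10.0.10.44", 40123),
        (b"<13>Jan  5 12:00:03 pfsense sshd[100]: forged hostname field", "203.0.113.9", 514),
        (b"<13>Jan  5 12:00:04 pfsense sshd[100]: right host, wrong source port", "192.168.1.1", 40123),
    ]
    for data, addr, sport in samples:
        print(addr, sport, "->", process_datagram(data, addr, sport))
    if "--serve" in sys.argv:
        serve(port=5514, logdir=".")   # unprivileged test port, files in cwd
```

Run without arguments to see the four constructed samples classified: the third is dropped because 203.0.113.9 is not an allowed peer, and the fourth because the entry for 192.168.1.1 has no :* suffix and so only accepts source port 514. With --serve it listens on UDP 5514 and writes into the current directory; a Remote Log Server entry of the form host:5514 on the firewall exercises it end to end. On a real syslogd collector, tcpdump -ni <interface> udp port 514 is the quickest way to confirm the firewall's datagrams are arriving at all before debugging filters.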

Other Logging Servers

Other log systems or styles such as Splunk, ELSA (Enterprise Log Search and Archive), Graylog, ELK (Elasticsearch, Logstash, and Kibana), or OpenSearch (an open source fork of ELK components) may also be used, but the methods for implementing them are beyond the scope of this document. If such a system is syslog-compatible, the pfSense software side is set up exactly as it would be for any other syslog server.