Remote Logging with Syslog
The Remote Logging options under Status > System Logs on the Settings tab enable syslog to copy log entries to a remote server.
The logs kept by pfSense® software on the firewall itself are of a finite size. Copying these entries to a syslog server can aid troubleshooting and allow for long-term monitoring. Having a remote copy can also help diagnose events that occur before a firewall restarts, or that would otherwise have been lost when the logs are cleared or when older entries are cycled out of the log, and in cases when local storage has failed but the network remains active.
Corporate or local legislative policies may dictate the length of time an organization must retain log data from firewalls and similar devices. If an organization requires long-term log retention for their own or government purposes, a remote syslog server is required to receive and retain these logs.
Logs sent using this method are delivered in the clear (not encrypted) unless the logs are sent through a VPN or using a mechanism such as the Stunnel package. As an alternative, consider using the syslog-ng package, which supports encrypted syslog.
The following options are available for remote logging:
- Source Address
Controls where the syslog daemon binds for sending out messages. In most cases, the default (Any) is the best option, so the firewall will use the address nearest the target. If the destination server is across a tunnel mode IPsec VPN, however, choosing an interface or Virtual IP address inside the local Phase 2 network will allow the log messages to flow properly over the tunnel.
- IP Protocol
When choosing an interface for the Source Address, this option gives the syslog daemon a preference for either using IPv4 or IPv6, depending on which is available. If there is no matching address for the selected type, the other type is used instead.
- Remote Log Servers
Enter up to three remote servers using the boxes contained in this section. Each remote server can use either an IP address or hostname, and an optional UDP port number. If the port is not specified, the default syslogd port, 514, is assumed.
A syslog server is typically a server that is directly reachable from the firewall on a local interface. Logging can also be sent to a server across a VPN.
Do not send log data directly across any WAN connection or unencrypted site-to-site link, as it is plain text and could contain sensitive information.
The syslog daemon only supports sending messages over UDP. To send syslog messages over TCP, consider using the syslog-ng package.
- Remote Syslog Contents
The options in this section control which log messages will be sent to the remote log server.
- Everything
When set, all log messages from all areas are sent to the server.
- System Events
Main system log messages that do not fall into other categories.
- Firewall Events
Firewall log messages in raw format. The format of the raw log is covered in Raw Filter Log Format.
- DNS Events
Messages from the DNS Resolver (unbound), DNS Forwarder (dnsmasq), and from the filterdns daemon which periodically resolves hostnames in aliases.
- DHCP Events
Messages from the IPv4 and IPv6 DHCP daemons, relay agents, and clients.
- PPP Events
Messages from PPP WAN clients (PPPoE, L2TP, PPTP).
- General Authentication Events
Log messages about authentication events, such as for the GUI or certain types of VPNs.
- Captive Portal Events
Messages from the Captive Portal system, typically authentication messages and errors.
- VPN Events
Messages from VPN daemons such as IPsec and OpenVPN, as well as the L2TP server and PPPoE server.
- Gateway Monitor Events
Messages from the gateway monitoring daemon (dpinger).
- Routing Daemon Events
Routing-related messages such as UPnP/NAT-PMP, IPv6 routing advertisements, and routing daemons from packages like OSPF, BGP, and RIP.
- Network Time Protocol Events
Messages from the NTP daemon and client.
- Wireless Events
Messages from the Wireless AP daemon (hostapd).
To start logging remotely:
1. Navigate to Status > System Logs on the Settings tab
2. Check Send log messages to remote syslog server
3. Configure the options as described above
4. Click Save to store the changes.
If a syslog server is not already available, it is fairly easy to set one up. Almost any UNIX or UNIX-like system can be used as a syslog server. FreeBSD is described in the following section, but others may be similar.
Setup Syslog on the Logging Host
First, configure the syslog server to accept remote connections, which means running it with the -a <subnet> or similar flag.
On FreeBSD, edit /etc/rc.conf and add this line:
syslogd_flags=" -a 192.168.1.1 "
192.168.1.1 is the IP address of the pfSense firewall.
More complex allow rules for syslog are also possible, like so:
syslogd_flags=" -a 10.0.10.0/24:*"
Using that parameter, syslog will accept messages from any IP address in the 10.0.10.0 subnet (mask 255.255.255.0), and the messages may come from any UDP port.
Next, edit /etc/syslog.conf and add a block at the bottom:
!*
+*
+pfsense
*.*                                             /var/log/pfsense.log
pfsense is the hostname of the pfSense firewall. An entry may also need to be added in /etc/hosts for that system, depending on the DNS setup. Logs may be split into separate files. Consult the /etc/syslog.conf file on the pfSense firewall for more details on which logging facilities are used for specific items.
The /etc/hosts entry would look like this:
192.168.1.1 pfsense pfsense.example.com
The log file may also need to be created manually with proper permissions:
touch /var/log/pfsense.log
chmod 640 /var/log/pfsense.log
Now restart syslog:
Setting this up on Windows entirely depends on which syslog server is being used. Consult the documentation for more information on configuration.
There is a free multi-purpose utility that can act as a syslog server, which can be found here: http://tftpd32.jounin.net/
Kiwi Syslog Server is free for up to 5 devices. http://www.kiwisyslog.com/downloads.aspx
Configuration of the system logger on Linux depends on the distribution. Consult the distribution’s documentation on how to change the behavior of syslogd. It should be similar in many cases to the alterations in the FreeBSD section.
The configuration for OpenBSD is similar to FreeBSD, with the following notes:
The option to accept remote syslog events is -u.
This option may be enabled using rcctl(8):
rcctl set syslogd flags -u
To restart the syslogd service:
rcctl restart syslogd
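The two syslogd settings used throughout this section, the -a source allow list and the +pfsense host selector, are easy to misjudge because UDP syslog carries no authentication: the source address and the HOSTNAME field in each datagram are both set by whoever sends it. The receiver below, an added example that is not part of the pfSense documentation or of any syslogd, reimplements both behaviours in Python so their effect can be checked offline: datagrams are accepted only from the allowed networks (any source port, like 10.0.10.0/24:*), parsed as BSD syslog with PRI = facility * 8 + severity, and routed to a per-host file in the style of /var/log/pfsense.log. It goes one step beyond syslogd by cross-checking that the HOSTNAME claimed in a message belongs to the source address it arrived from. The sample datagram, the hosts mapping and the log directory are constructed for the example.

```python
import ipaddress
import re
import socket
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# RFC 3164 facility and severity names, indexed by their numeric code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD syslog line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
_BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    timestamp: str
    host: str
    tag: str
    pid: Optional[int]
    msg: str


def parse_bsd_syslog(datagram: bytes) -> Optional[SyslogMessage]:
    """Parse one RFC 3164 datagram; PRI = facility * 8 + severity."""
    m = _BSD_RE.match(datagram.decode("utf-8", errors="replace"))
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:                       # 23 * 8 + 7 is the largest valid PRI
        return None
    return SyslogMessage(FACILITIES[pri // 8], SEVERITIES[pri % 8], m["ts"],
                         m["host"], m["tag"],
                         int(m["pid"]) if m["pid"] else None, m["msg"])


def source_allowed(src_ip: str, allowed_nets: list[str]) -> bool:
    """The -a check: accept datagrams only from the listed networks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in allowed_nets)


def route(datagram: bytes, src_ip: str, allowed_nets: list[str],
          hosts: dict[str, str], log_dir: str) -> Optional[str]:
    """
    Return the file the datagram should be appended to, or None to drop it.
    'hosts' maps a syslog HOSTNAME to the source IP it is expected from; a
    message whose HOSTNAME does not belong to its source IP is dropped. This
    is stricter than syslogd's +host selector, which looks at HOSTNAME alone.
    """
    if not source_allowed(src_ip, allowed_nets):
        return None
    msg = parse_bsd_syslog(datagram)
    if msg is None or hosts.get(msg.host) != src_ip:
        return None
    return str(Path(log_dir) / f"{msg.host}.log")     # e.g. /var/log/pfsense.log


def serve(bind_addr: str, allowed_nets: list[str], hosts: dict[str, str],
          log_dir: str, port: int = 514) -> None:
    """Receive UDP syslog forever and append accepted lines to per-host files."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (src_ip, _src_port) = sock.recvfrom(65535)   # any source port (:*)
        dest = route(data, src_ip, allowed_nets, hosts, log_dir)
        if dest is not None:
            with open(dest, "ab") as fh:
                fh.write(data.rstrip(b"\n") + b"\n")


# Constructed sample datagram: the firewall "pfsense" at 192.168.1.1 logging
# from filterlog with facility local0 (16) and severity info (6), so PRI = 134.
SAMPLE = b"<134>Mar  1 12:00:00 pfsense filterlog[12345]: constructed sample message"
ALLOWED = ["192.168.1.1/32", "10.0.10.0/24"]      # mirrors the -a settings above
HOSTS = {"pfsense": "192.168.1.1"}                 # hypothetical HOSTNAME -> source map

if __name__ == "__main__":
    print(parse_bsd_syslog(SAMPLE))
    print(route(SAMPLE, "192.168.1.1", ALLOWED, HOSTS, "/var/log"))  # /var/log/pfsense.log
    print(route(SAMPLE, "10.0.10.7", ALLOWED, HOSTS, "/var/log"))    # None: wrong source for "pfsense"
```

Running serve("0.0.0.0", ALLOWED, HOSTS, "/var/log") needs the privileges to bind port 514 and write under /var/log; the routing decisions themselves can be exercised without a socket, as the __main__ block does. Because the cleartext datagram can be altered or replayed by anything on the path, the cross-check in route() only narrows who can impersonate the firewall, which is why the section above keeps the transport on a local interface or inside a VPN.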
Other Logging Servers
Other log systems such as Splunk, ELSA, or ELK may also be used, but the methods for implementing them are beyond the scope of this document. If such a system is syslog-compatible, then the pfSense software side should be fairly simple to set up, as it would be for any other syslog system.