I would like to see my logs a bit more… clear and understandable
-
Hi,
My firewall logs are sent to a remote syslog server. They are coming in so everything is fine. Now I would like to see them in a more comprehensive manner.
In the pfSense book they are talking about # clog /var/log/filter.log | filterparser.php. And that helped. But that's on the pfSense box, not on my syslog server. I added a screenshot to this post. Btw, if someone has other options to check logs, please share. I read something about Splunk, OpenNMS and Nagios but I admit I still have to check those options. Oh and I just want to add that it's for SOHO. So nothing too fancy or overkill. I just want to experiment and learn. Thanks in advance.
-
You'll need to have something parse them on the syslog server in that case. There isn't a supported way to send the formatted log entries over, just the raw data. It's easy to parse since it's CSV style data and we have the format documented: https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2
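As an added example (not from the thread or from the pfSense project), here is a small Python parser for the CSV-style filterlog records described in that document, meant to run on the remote syslog server rather than on the firewall. It strips the syslog prefix (timestamp, host, "filterlog:" or "filterlog[pid]:", optionally a leading <PRI> facility/severity tag), then walks the field list according to the IP version (4 or 6) and protocol (TCP or UDP are expanded; ICMP and anything else keep their protocol-specific tail as raw fields). The field names are my own labels for the positions documented in the Filter Log Format page; the three log lines embedded in SAMPLE_LOG are constructed, with RFC 5737/3849 documentation addresses, not captured from a real firewall.

```python
"""Parse pfSense 2.2+ filterlog lines received over remote syslog (example code)."""
import csv
import re
import sys
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# Syslog wrapper in front of the CSV body. Some syslog daemons keep the <PRI> tag,
# and some pfSense versions log "filterlog[pid]:" instead of "filterlog:".
SYSLOG_PREFIX = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"filterlog(?:\[\d+\])?: (?P<body>.*)$"
)

# Field order per the pfSense "Filter Log Format for pfSense 2.2" document.
# The names below are this example's own labels (assumption), not official ones.
COMMON_FIELDS = ["rule", "subrule", "anchor", "tracker", "interface",
                 "reason", "action", "direction", "ipver"]
IPV4_FIELDS = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto"]
IPV6_FIELDS = ["class", "flow_label", "hop_limit", "proto", "proto_id"]
ADDR_FIELDS = ["length", "src", "dst"]
TCP_FIELDS = ["sport", "dport", "data_len", "tcp_flags", "seq", "ack",
              "window", "urg", "options"]
UDP_FIELDS = ["sport", "dport", "data_len"]

# Constructed sample input: one IPv4 TCP block, one IPv4 UDP pass, one IPv6 TCP block.
SAMPLE_LOG = """\
Mar  3 08:15:01 pfSense filterlog: 5,16777216,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.7,192.0.2.10,51510,22,0,S,1234567890,,65535,,mss;sackOK;TS;nop;wscale
Mar  3 08:15:02 pfSense filterlog: 9,,,1000000107,igb1,match,pass,out,4,0x0,,64,21345,0,DF,17,udp,76,192.0.2.10,192.0.2.1,48223,53,56
Mar  3 08:15:03 pfSense filterlog[25318]: 5,16777216,,1000000103,igb0,match,block,in,6,0x00,0x00000,64,TCP,6,40,2001:db8::1,2001:db8::10,443,51000,0,S,1,,8192,,
"""


def parse_filterlog(line: str) -> Optional[dict]:
    """Return a dict for one filterlog syslog line, or None if it is not one."""
    m = SYSLOG_PREFIX.match(line.rstrip("\r\n"))
    if not m:
        return None
    fields = next(csv.reader([m.group("body")]))
    rec = {"timestamp": m.group("ts"), "host": m.group("host")}
    pos = 0

    def take(names: List[str]) -> None:
        # Consume the next len(names) fields; missing trailing fields become "".
        nonlocal pos
        for name in names:
            rec[name] = fields[pos] if pos < len(fields) else ""
            pos += 1

    take(COMMON_FIELDS)
    if rec["ipver"] == "4":
        take(IPV4_FIELDS)
    elif rec["ipver"] == "6":
        take(IPV6_FIELDS)
    else:
        return None  # unknown IP version: not a record layout we understand
    take(ADDR_FIELDS)
    proto = rec["proto"].lower()  # IPv6 records carry the protocol text in upper case
    if proto == "tcp":
        take(TCP_FIELDS)
    elif proto == "udp":
        take(UDP_FIELDS)
    rec["extra"] = fields[pos:]  # ICMP etc.: protocol-specific tail, left as raw fields
    return rec


def summarize(rec: dict) -> str:
    """One human-readable line per record, in the spirit of filterparser.php."""
    src, dst = rec["src"], rec["dst"]
    if "sport" in rec:
        src, dst = f"{src}:{rec['sport']}", f"{dst}:{rec['dport']}"
    return (f"{rec['timestamp']} {rec['action']:5} {rec['direction']:3} {rec['interface']} "
            f"{rec['proto'].lower()} {src} -> {dst} (rule {rec['rule']}, tracker {rec['tracker']})")


def top_blocked_sources(lines: Iterable[str], n: int = 10) -> List[Tuple[str, int]]:
    """Count source addresses of blocked inbound packets, most frequent first."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_filterlog(line)
        if rec and rec["action"] == "block" and rec["direction"] == "in":
            counts[rec["src"]] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    # Usage on the syslog server: python3 pfparse.py /var/log/pfsense.log  (or stdin)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin
    for raw in source:
        parsed = parse_filterlog(raw)
        if parsed:
            print(summarize(parsed))
```

Run it against the file your syslog daemon writes the firewall's messages to (the path depends on your rsyslog/syslog-ng configuration), or pipe `tail -f` of that file into it for a live view. The top_blocked_sources() helper is the kind of quick check a SOHO admin wants from these logs: which addresses are repeatedly hitting blocked inbound rules.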
-
There is a pre-made pfELK virtual machine you could try:
https://www.reddit.com/r/PFSENSE/comments/4dymci/i_made_a_simple_bare_bones_simple_elk_vm_for/