Syslog-ng forwarding via TCP not working?
-
Hi all,
I'm trying to use the syslog-ng package to forward syslog logs from my pfSense to a Logstash syslog input. Unfortunately I'm limited to using TCP, so can't use pfSense built-in syslog forwarding.
The syslog-ng package has been installed and configured to receive events on LAN port 5140, and I have configured pfSense system logs to forward to that port via UDP. So far so good, I see the messages in the syslog-ng "Log Viewer" screen.
I thought all I needed to do now was add a new object in "Advanced" of type "Destination":
{ network( "192.168.4.52" port(9514) transport(tcp) ); };
No syntax errors etc when saving, but I don't see anything being sent to the other server. I performed a quick telnet test to the Logstash server IP:port from the pfSense console and it does connect (and I actually see my connection in Logstash logs too).
Any thoughts on what I'm missing?
Thanks!
-
Hi Mojimba,
If still interested or someone else needs it, I just solved it like this.
You have to create 2 objects:
Object Name _FORWARD
Object Type Destination
Object Parameters { udp("192.168.1.1" port(514)); };

Object Name _FORWARD
Object Type Log
Object Parameters { source(_DEFAULT); destination(_FORWARD); };
-
@flink4 - thanks! I've hacked something else in place for the time being, but will try this out when I find the time!
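-
Added example, not part of any post in this thread: the two objects from the reply written out in plain syslog-ng.conf form, with the TCP destination from the first post in place of the UDP one. It assumes the package turns each object into a statement of the matching type and that the _DEFAULT source object (the listener on LAN port 5140) is already defined by the package.

```conf
# Added example (assumption: pfSense objects map 1:1 to these statements).
# The _DEFAULT source is not redefined here; it is the package's own
# source object, i.e. the listener on LAN port 5140 from the first post.

# Destination object: Logstash syslog input over TCP,
# address and port as given in the first post.
destination _FORWARD {
    network("192.168.4.52" port(9514) transport("tcp"));
};

# Log object: the log path is what ties a source to a destination.
# A destination that no log statement references is parsed without
# error but never opens a connection or receives any messages, which
# matches the "saves fine, nothing is sent" symptom in the first post.
log {
    source(_DEFAULT);
    destination(_FORWARD);
};
```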