Netgate Discussion Forum

    Logs to remote syslog server not working

      reilos

      Hi there,

      I'm trying to get pfSense to log to my syslog server. Other devices (a NAS and a switch) in the same subnet have no problems with logging to the syslog server, it's only the pfSense box. I've set the options:

      Source Address: LAN (also tried default/any)
      IP Protocol: IPv4
      Enable Remote Logging: CHECKED (duh…)
      Remote Syslog Servers: 192.168.1.104
      Remote Syslog Contents: Everything

      Any ideas?

        dvancleef

        On some platforms, by default syslogd only accepts packets from source port 514, have you investigated that?

          cmb

          Nothing more than that to it. Assuming it's a live IP, it'll send there. Filter Diag>States for :514 and you can see if it's getting passed out. Packet capture on LAN filtered on port 514 to see it going to the server. Likely it's going to the server and the server's not doing with it what you're expecting.

            reilos

            State:

            LAN	udp	172.30.35.1:514 -> 172.30.35.104:514	SINGLE:NO_TRAFFIC
            

            I'm no expert, so I had to look this one up from here:

            udp.single = The state if the source host sends more than one packet but the destination host has never sent one back.

            If I understand correctly, the source host (my pfSense box) is actually sending out the syslog messages via the right port to the right client host (my syslog server) on the correct port, but the client never sent any packet back.

            Should there be packets sent back?

              jimp Rebel Alliance Developer Netgate

              Not with syslog over UDP, it won't send anything back, so that's normal. The state shows the packets leaving, so perhaps they never arrive at the server. Or, more likely, the target server is filtering or rejecting them in some way.


              1 Reply Last reply Reply Quote 0
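To check the server side of what jimp describes without involving the syslog daemon's own filtering, a bare UDP listener on the syslog host shows whether the firewall's datagrams arrive, from which source address and port, and with what priority. This is an added example, not code from the thread; the function names and the sample message are constructed for illustration.

```python
import re
import socket
import sys

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")
# Constructed sample datagram: PRI 134 = facility 16 (local0), severity 6 (info).
SAMPLE = b"<134>Jan  1 00:00:00 fw filterlog: constructed sample message"

def parse_pri(datagram):
    """Return (facility, severity) from a leading <PRI>, or None if missing/out of range."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        return None
    return divmod(int(m.group(1)), 8)

def receive_one(sock, timeout=2.0):
    """Wait for one datagram; report who sent it and what it carried. Never replies."""
    sock.settimeout(timeout)
    try:
        data, (src_ip, src_port) = sock.recvfrom(8192)
    except socket.timeout:
        return None
    return {"src_ip": src_ip, "src_port": src_port, "pri": parse_pri(data),
            "text": data.decode("utf-8", "replace")}

def loopback_demo():
    """Send SAMPLE over loopback; return (received record, whether the sender got a reply)."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))            # ephemeral port, no root needed
        tx.sendto(SAMPLE, rx.getsockname())
        record = receive_one(rx)
        tx.settimeout(0.3)
        try:
            tx.recvfrom(1)
            replied = True
        except socket.timeout:
            replied = False                  # UDP syslog is one-way
        return record, replied
    finally:
        rx.close()
        tx.close()

if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 514   # binding 514 needs root
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("0.0.0.0", port))
    while True:                              # stop with Ctrl-C
        rec = receive_one(listener, timeout=None)
        fac, sev = rec["pri"] or (None, None)
        print(rec["src_ip"], rec["src_port"], fac,
              SEVERITIES[sev] if sev is not None else "no-PRI", rec["text"])
```

Run it on the syslog host with the real daemon stopped (or on a spare port that the firewall is pointed at). If lines print here but nothing reaches the daemon's log files, the loss is in the daemon's configuration or a host firewall rule rather than on the network.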
                reilos

                @jimp:

                Not with syslog over UDP, it won't send anything back, so that's normal. The state shows the packets leaving, so perhaps they never arrive at the server. Or, more likely, the target server is filtering or rejecting them in some way.

                Yeah, that's what I thought. I'm looking into other solutions, like ELK (Elasticsearch, Logstash, Kibana). Seems that setting up a syslog server with analytics is not as easy as I hoped.

                  kapara

                  Check out papertrail. It's hosted and free for most needs. Even has alerting built in. Depending on your environment.. I use one of my PCs to transmit logs securely.

                  Skype ID:  Marinhd

                    reilos

                    @kapara:

                    Check out papertrail. It's hosted and free for most needs. Even has alerting built in. Depending on your environment.. I use one of my PCs to transmit logs securely.

                    Thanks, but I'm only looking for an on-site solution, since having an off-site syslog server doesn't help me much when my gateway has issues and I can't access the logs ;) And the installation itself is not that hard, it's the configuration / tweaks to get things going for specific devices (like pfSense) that is not as straightforward as I hoped.

                      c1pher22

                      I've just encountered this issue setting up my remote logging for the first time. Using Syslog-NG, I had to include 'create_dirs(yes)' in my syslog-ng.conf file.

                      Example:

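                      # create_dirs(yes) lets syslog-ng create the missing
                      # per-host/per-date directories named in the file path.
                      destination d_remote {
                          file("/var/log/remote/$HOST/$YEAR/$MONTH/$DAY/syslog.log"
                               create_dirs(yes));
                      };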

                      Cheers!

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.