Monitoring pfBlockerNG with SyslogNG: but SyslogNG sends the same entire log file each hour to Syslog Server
-
Dear Users,
I just installed and configured pfBlockerNG on a pfSense 2.6 instance and I decided to monitor the pfBlockerNG using SyslogNG.
SyslogNG collects the relevant logs (file /var/log/pfBlockerNG/IP_block.log) and sends them to the log collector (SIEM). So, at the end of this work, I'm able to analyse the logs using the web UI of the SIEM (Wazuh in my case).
PROBLEM: I noticed that, on an hourly basis, the entire log file content is sent to the SIEM. Due to this behaviour, the same alerts are processed multiple times by the SIEM.
Could you please help me to stop this anomaly? Has any of you already faced this problem?
Thank you in advance,
Mauro -
@mauro-tridici Yeah, I noticed the same issue - only in my case it happens once a day (02:00) because that's when I have pfBlocker doing its update.
It seems when pfBlocker updates, it reloads the log file in a manner that causes syslog-ng to think all the lines are new.
I have been unable to find a solution so far, so I’ll monitor that thread to see if anyone has a solution -
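An added illustration, not code from this thread, pfBlockerNG or syslog-ng, of the replay keyser describes and of one defender-side mitigation: a simplified follower (an assumption about how a file source such as syslog-ng's file() tracks its position) restarts from byte 0 when the file's inode changes or the file shrinks, so a rewritten IP_block.log is forwarded again, while hashing already-forwarded lines drops the replay. The sample log lines are constructed.

```python
import hashlib
import os
import tempfile


class LogFollower:
    """Simplified follower; an assumption about file sources like syslog-ng's file(), not its code."""

    def __init__(self, path):
        self.path = path
        self.inode = None   # inode seen at the previous poll
        self.offset = 0     # bytes already forwarded
        self.seen = set()   # sha256 of forwarded lines (a real forwarder would bound this)

    def poll(self, dedup=False):
        st = os.stat(self.path)
        # A rewritten file (new inode) or a truncated one (smaller than the saved offset)
        # looks brand new, so the follower restarts at byte 0: that replays the whole log.
        if st.st_ino != self.inode or st.st_size < self.offset:
            self.inode, self.offset = st.st_ino, 0
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            chunk = f.read()
        self.offset += len(chunk)
        forwarded = []
        for line in chunk.splitlines(keepends=True):
            digest = hashlib.sha256(line).digest()
            if dedup and digest in self.seen:
                continue    # identical line already forwarded: drop the replay
            self.seen.add(digest)
            forwarded.append(line.decode().rstrip("\n"))
        return forwarded


# Constructed sample lines, not pfBlockerNG's real IP_block.log format.
SAMPLE = ["10:00:01,em0,192.0.2.10,pfB_constructed\n",
          "10:00:07,em0,198.51.100.3,pfB_constructed\n"]


def simulate(dedup):
    """Poll a fresh log, rewrite it as an update would, poll again; return both line counts."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "IP_block.log")
        with open(path, "w") as f:
            f.writelines(SAMPLE)
        follower = LogFollower(path)
        first = len(follower.poll(dedup))
        with open(path + ".new", "w") as f:   # fresh inode, same content
            f.writelines(SAMPLE)
        os.replace(path + ".new", path)
        return first, len(follower.poll(dedup))
```

Without deduplication the second poll forwards every line again; with it the replayed lines are dropped.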
@keyser thank you for your feedback.
I hope someone will give us a solution :) Meanwhile, I can set the pfBlocker update to "once a day (02:00)" as you did.
What do you think about this "workaround" to reduce the reload events? Have a great weekend,
Mauro -
@mauro-tridici To be honest I set mine up to daily updates months before I started using Syslog-ng, because I thought hourly updates are unnecessary. Even on daily updates it's rare there are changes to the lists that I use, so this is a fine compromise for me.