pfBlockerNG syslog logentries to remote SIEM
-
Hi All.
A few years back there was no really good way of getting pfBlockerNG log files to a remote SIEM, as pfBlocker had no built-in syslog support.
The way pfBlockerNG rotated log files caused the entire log content to be resent/duplicated when the CRON update job ran if you used the syslog-ng package to monitor the log files. A ticket has been open on this for years: https://redmine.pfsense.org/issues/14878
I still cannot find any built-in syslog support, and the log file lines are also still in their own format as opposed to standard syslog format.
Has anyone come up with a good solution to getting pfBlockerNG log files shipped to a SIEM without various workarounds, reformatting and extra packages being needed?
-
I am considering a “novel” solution to this lack of syslog support in pfBlockerNG.
The obvious way would still be to use syslog-ng, but I’m instead considering using the built-in syslogd in pfSense, as that is already shipping pfSense log entries to my SIEM.
It seems it would be quite simple to use the Shellcmd package to run a small daemon script at startup that monitors the needed pfBlocker log files with “tail -F” and then converts the contents into a more syslog-friendly format before piping that into “logger” with the local0 facility as destination. That destination is already syslogged off to my SIEM by the built-in syslogd setup in pfSense.
This would probably still see everything being shipped in duplicate because of how pfBlockerNG rotates its logs (if that has not been fixed), but this way I could adapt the script to skip entries in the 1-minute timeframe when the pfBlocker reload happens.
That is still a rather shitty and complicated solution requiring a package, but it seems built-in syslog support is not on the pfBlockerNG development priority list, so a manual workaround is required.
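As an added example (not code from any poster in this thread, nor from pfBlockerNG or pfSense), here is a POSIX sh sketch of the shellcmd-started daemon described in the post above: follow the log with tail -F, reshape each line into key=value pairs, and hand it to the local syslogd through logger(1) on local0. The log path, the CSV field layout of the constructed sample lines, and the use of a "recently shipped lines" file to swallow the post-rotation replay (instead of the one-minute skip window the post proposes) are all assumptions for illustration; check the real header of the pfBlockerNG log before relying on the field mapping.

```shell
#!/bin/sh
# Added example (not pfBlockerNG or pfSense code): tail a pfBlockerNG log,
# reshape each line into key=value pairs and hand it to the local syslogd via
# logger(1) on local0, which pfSense can already forward to a remote SIEM.
# ASSUMPTIONS: the log path below and the CSV layout
#   type,timestamp,src_ip,domain,list[,extra...]
# are illustrative; match them to the real file header before use.

PFB_LOG="${PFB_LOG:-/var/log/pfblockerng/dnsbl.log}"
SEEN="${SEEN:-/var/run/pfb_ship.seen}"   # recently shipped lines (dedup window)
SEEN_MAX=5000
TAG="pfblockerng"
FACILITY="local0.info"

# to_kv LINE: convert one assumed CSV log line into one key=value syslog message.
to_kv() {
  printf '%s\n' "$1" | awk -F',' '
  {
    for (i = 1; i <= NF; i++) gsub(/"/, "\\\"", $i)   # escape embedded quotes
    out = "type=\"" $1 "\" ts=\"" $2 "\" src=\"" $3 "\" dom=\"" $4 "\" list=\"" $5 "\""
    rest = ""
    for (i = 6; i <= NF; i++) rest = rest (i > 6 ? "," : "") $i
    if (rest != "") out = out " extra=\"" rest "\""
    print out
  }'
}

# is_new LINE: succeed (0) and record the line if it has not been shipped
# recently; fail (1) if it has. This absorbs the replay that tail -F produces
# when pfBlockerNG rewrites the whole file during its cron reload.
is_new() {
  [ -f "$SEEN" ] || : > "$SEEN"
  if grep -qxF -- "$1" "$SEEN"; then
    return 1
  fi
  printf '%s\n' "$1" >> "$SEEN"
  if [ "$(wc -l < "$SEEN" | tr -d ' ')" -gt "$SEEN_MAX" ]; then
    tail -n "$SEEN_MAX" "$SEEN" > "$SEEN.tmp" && mv "$SEEN.tmp" "$SEEN"
  fi
  return 0
}

# ship: follow the log across rotations (-F), starting at its current end
# (-n 0) so a daemon restart does not reship history.
ship() {
  tail -n 0 -F "$PFB_LOG" | while IFS= read -r line; do
    [ -n "$line" ] || continue
    is_new "$line" || continue
    to_kv "$line" | logger -p "$FACILITY" -t "$TAG"
  done
}

# Start only when invoked as:  sh pfb_ship.sh start   (e.g. from shellcmd)
if [ "${1:-}" = "start" ]; then
  ship
fi
```

The seen-lines file means a line that legitimately repeats byte-for-byte within the window is suppressed too, so keep the timestamp inside the shipped message; it also means the script needs no knowledge of when the reload runs. Because the message leaves through the local syslogd, the remote-logging configuration on the pfSense box must include the local0 facility, which the post states is already the case for this setup.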
-
I so want to answer this, but then at the same time (no I don't) ...
pfBlocker using syslog messaging in real time. No tailing of files, no other packages, just code.
PS. don't look at the Graylog dashboard menu bar presented - it might lead to more questions
..
-
@jrey said in pfBlockerNG syslog logentries to remote SIEM:
I so want to answer this, but then at the same time (no I don't) ...
pfBlocker using syslog messaging in real time. No tailing of files, no other packages, just code.
Huuuh? That seems very, very interesting.
I noticed your name in other posts around the forum where you seemed to be QUITE proficient at coding/developing. Are you by any chance considering involvement in developing and refining the pfBlockerNG package?
It would be SO great if you are looking into adding native syslog to the pfBlockerNG package - or an easy workaround that does not require additional packages and “temporary” edits in files that do not survive service restarts or pfSense updates. Here’s
that you will fill me/us in on the solution you are using for your Graylog - please, pretty please with sugar on top.