    Firewall syslog logging - who can explain the pf logs?

      skywalker

      Hello!
      I am about to write a pfSense log parser for a SIEM solution.
      Can someone give me some insights about the format of the pf logs?
      I have enabled remote syslog (only for the firewall for now) and it seems I always see two lines per connection attempt:

      <134>Apr 25 09:37:26 pf: 00:00:00.516263 rule 1/0(match): block in on vr1: (tos 0x0, ttl 46, id 48817, offset 0, flags [none], proto UDP (17), length 129)
      <134>Apr 25 09:37:26 pf:     114.228.117.207.16001 > 10.2.1.2.6881: UDP, length 101

      In each line there is a length field, but they have different values, even though this is the same connection (obviously).
      Can someone shed some light on that? Is the first the length of the IP packet and the second the length of the UDP payload part?

      thanks, Till

        tlum

        I logged it as a bug but fixing it ended up as a feature request. Good luck.

        http://redmine.pfsense.org/issues/1938

          tlum

          Oh, and the first one is the Internet Layer (IP) length and the second is the Transport Layer (UDP) length.

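An added example (my own code, not from this thread or from pfSense) that does what the first post sets out to do: merge the two-line pf syslog record into one flat event for a SIEM, and apply the length explanation above as a sanity check. For UDP with no IP options the first length minus the 20-byte IPv4 header and the 8-byte UDP header must equal the second length (129 - 28 = 101 here), so the second figure is the bytes carried after the UDP header. It assumes the IPv4 TCP/UDP line shapes quoted above; the field names are my own.

```python
import re

# Constructed sample input: the two syslog lines quoted in the post (one UDP connection attempt).
SAMPLE_LINES = [
    "<134>Apr 25 09:37:26 pf: 00:00:00.516263 rule 1/0(match): block in on vr1: "
    "(tos 0x0, ttl 46, id 48817, offset 0, flags [none], proto UDP (17), length 129)",
    "<134>Apr 25 09:37:26 pf:     114.228.117.207.16001 > 10.2.1.2.6881: UDP, length 101",
]
SYSLOG = r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) pf:\s+"
# Line 1: rule decision, interface and the IPv4 header summary; its 'length' is the IP total length.
HEADER_RE = re.compile(
    SYSLOG + r"(?P<delta>\S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): (?P<action>\w+) "
    r"(?P<dir>in|out) on (?P<iface>[\w.]+): \((?P<ip>.*), length (?P<ip_len>\d+)\)$"
)
# Line 2: endpoints and the transport summary; its 'length' is what follows the transport header.
PAYLOAD_RE = re.compile(
    SYSLOG + r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<detail>.*?)length (?P<payload_len>\d+)$"
)

def parse_pf_pair(header_line, payload_line):
    """Merge one two-line pf record into a flat event dict; None if the lines do not pair up."""
    h, p = HEADER_RE.match(header_line), PAYLOAD_RE.match(payload_line)
    if not h or not p or h["ts"] != p["ts"]:
        return None
    ip = re.search(r"ttl (\d+),.*proto (\w+) \((\d+)\)", h["ip"])  # IPv4 summary always has both
    if not ip:
        return None
    return {"pri": int(h["pri"]), "ts": h["ts"], "delta": h["delta"], "rule": int(h["rule"]),
            "subrule": int(h["sub"]), "reason": h["reason"], "action": h["action"], "dir": h["dir"],
            "iface": h["iface"], "ttl": int(ip.group(1)), "proto": ip.group(2),
            "proto_num": int(ip.group(3)), "ip_len": int(h["ip_len"]), "src": p["src"],
            "sport": int(p["sport"]), "dst": p["dst"], "dport": int(p["dport"]),
            "payload_len": int(p["payload_len"])}
def lengths_consistent(ev):
    """UDP with no IP options: IP total length - 20 (IPv4 hdr) - 8 (UDP hdr) must equal line-2 length."""
    if ev["proto"] != "UDP":
        return None  # TCP header size varies with options; not checked here
    return ev["ip_len"] - 20 - 8 == ev["payload_len"]

def parse_stream(lines):
    """Pair each rule line with the endpoint line that follows it (pf emits them consecutively)."""
    events, pending = [], None
    for line in lines:
        ev = parse_pf_pair(pending, line) if pending else None
        if ev:
            events.append(ev)
        pending = line if HEADER_RE.match(line) else None
    return events
```

A record whose two halves fail the UDP arithmetic is worth flagging in the SIEM rather than silently indexing, since it usually means a truncated or interleaved syslog delivery.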
            skywalker

            Thanks for your feedback.
            If we do change things anyway, it would also make sense to send a hostname or IP address within the syslog header to make it more RFC compliant.
            Would you like to add that to your feature request?

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.