Logs Questions - Newbie
-
Morning All,
Firstly I am very new to PFSense and linux in general but following the extensive resources here have been able to get PFSense installed on an old Netbook, configured a couple of Vlans due to the netbook only having one network card, configured a managed switch and got open VPN to work.
I have searched the forums several times but can't find answers to these:
1. Can the PFSense machine also have a logging server installed? Basically I would like to have the log files sent by e-mail each day so they are not lost. From what I have read this would need a logging server as PFSense keeps the logs in memory. Is there a how to guide for "idiots" on installation and configuration? (Remember I am completely new to Linux)
2. I use no-ip DNS, have configured this in PFSense and would like to log each time my ISP changes the IP address. Is this possible?
3. The firewall log has many entries that are not important. Is there a log management feature where you can specify what events are logged?
Really appreciate any help that you can give.
-
1. You want to configure a remote syslog server (you don't do it by email) - see this documentation
2. The DNS servers you use have no relation to the IP address your ISP allocates you. You'll almost certainly find that the change of IP is already logged in the system logs (syslog), but I can't confirm since my WAN IP hasn't changed in a long time
-
2. Yep, the Dynamic DNS IP changes go into syslog, so they will get to your syslog server. If your pfSense WAN is connected directly to your ISP (WAN has the real public IP) then a change of the WAN IP should trigger the Dynamic DNS update process. If you find you have issues with the dynamic address being up-to-date on No-IP, then you can make the dynamic DNS update checker run however often you like to double-check the value - e.g. in the screen shot mine runs every 15 minutes. Install the Cron package to get the ability to edit the regular Cron job.
3. For every firewall rule (pass, block and reject) you can specify whether to log packets that match the rule. So you can go berserk with logging or cut it right down - your choice.
-
3. You can also stop logging packets blocked by the default rule in: Status: System logs: Settings:. Then it will only log stuff blocked by your rules and only where you have enabled logging.
Also, for information: pfSense is built on FreeBSD. FreeBSD is not Linux. ;)
Steve
-
Many thanks guys for all your help here. I will read through the links this evening and see how far I get.
And Steve many thanks for the correction regarding the OS. ;o) Time to read up on FreeBSD also :).
-
Gents,
Got a little bit further… :) got SSH to work so I could use PuTTY to connect to the server using this guide:
http://doc.pfsense.org/index.php/HOWTO_enable_SSH_access
Then checked around and read on how to edit files in FreeBSD. Next, feeling confident tried to follow the link provided by Cry Havok. Here I am stuck as there is no rc.conf on my system. I checked around and it's not included on the pfSense distribution. There is a document here that tries to explain what I need to do but I am unsure how to follow it:
http://doc.pfsense.org/index.php/Installing_FreeBSD_Packages
Basically I want the syslog server to be configured on the same box as pfSense.
As always would really appreciate some guidance. :)
-
Some people have done that but it's not in any way a supported setup.
Search the forum.
Steve
Edit: For example: http://forum.pfsense.org/index.php/topic,7793.0.html That post includes doing other stuff and it's now way out of date! However it shows what's needed. Install syslog-ng, configure it, set it up to run at boot.
-
Then checked around and read on how to edit files in FreeBSD. Next, feeling confident tried to follow the link provided by Cry Havok. Here I am stuck as there is no rc.conf on my system. I checked around and its not included on the pfSense distribution. There is a document here that tries to explain what I need to do but I am unsure how to follow it:
No, you want to scroll to the bottom of that link where it says Setup pfSense for Remote Logging. There's nothing fancy about it - tick a few boxes and enter a hostname/LAN IP.
Basically I want the syslog server to be configured on the same box as pfSense.
pfSense is already storing its own logs, you REALLY don't want to forward its logs to itself. Besides, you said you didn't want the logs lost if you restart the pfSense box - that means you have to run the syslog server somewhere else.
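As an added illustration of the remote-logging setup Cry Havok describes (example code written for this thread, not from pfSense or anyone posting here): a minimal UDP syslog receiver that runs on a separate box, decodes the BSD-syslog datagrams pfSense forwards, and appends each event to a file on disk so it survives a firewall reboot. The two sample datagrams are constructed, and the file name, port and tag/message formats are assumptions, not captured pfSense output.

```python
import re
import socketserver
from datetime import datetime, timezone

# BSD-syslog (RFC 3164) line as a syslogd forwards it over UDP:
#   <PRI>Mmm dd HH:MM:SS host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_syslog(datagram: bytes) -> dict:
    """Decode one datagram; PRI = facility * 8 + severity, valid range 0..191."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    m = SYSLOG_RE.match(text)
    if not m or int(m.group("pri")) > 191:
        return {"malformed": True, "raw": text}   # keep it, never silently drop
    pri = int(m.group("pri"))
    return {"malformed": False, "facility": FACILITIES[pri >> 3],
            "severity": SEVERITIES[pri & 7], "timestamp": m.group("ts"),
            "host": m.group("host"), "tag": m.group("tag"), "pid": m.group("pid"),
            "message": m.group("msg")}

def format_record(rec: dict, source_ip: str) -> str:
    """One line per event, stamped with the receiver's UTC clock and the sender address."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if rec["malformed"]:
        return f"{now} {source_ip} MALFORMED {rec['raw']}\n"
    return (f"{now} {source_ip} {rec['facility']}.{rec['severity']} {rec['host']} "
            f"{rec['tag']}: {rec['message']}\n")

class SyslogHandler(socketserver.BaseRequestHandler):
    def handle(self):
        datagram, _sock = self.request
        line = format_record(parse_syslog(datagram), self.client_address[0])
        with open(self.server.logfile, "a", encoding="utf-8") as f:
            f.write(line)

def serve(bind="0.0.0.0", port=514, logfile="pfsense-remote.log"):
    """Port 514 needs root; any free high port works if pfSense is told that port."""
    with socketserver.UDPServer((bind, port), SyslogHandler) as srv:
        srv.logfile = logfile
        srv.serve_forever()

# Constructed sample datagrams (assumed formats, not captured from a real pfSense box).
SAMPLE_AUTH = b"<38>Mar  3 09:15:01 pfsense sshd[1234]: Accepted publickey for admin from 192.168.1.10 port 50122\n"
SAMPLE_DAEMON = b"<30>Mar  3 09:16:44 pfsense dhclient: New IP Address (em0): 203.0.113.57\n"

if __name__ == "__main__":
    serve(port=5514)
```

Point pfSense's remote syslog setting at this machine's LAN IP (and port 5514 if you keep that default), and the second sample shows the kind of WAN address-change event you would grep for.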
-
Just an update to say I have finally got the logs to be mailed out direct from PFSense.
After going down the complete wrong track with setting up a syslog server, trying external syslog servers (splunk) and generally having a play with the system the solution I was looking for was a simple installation of a known package.
Once I found mailreport from packages and installed it, it took 5 mins to configure and now the logs (and a couple of graphs) are automatically mailed for storage.