Pfsense log to log management system
-
I am currently trying to feed pfSense 2.1 logs to a log management system.
When I look into the log I find it is not like the traditional pf log, where I can see the pass in / pass out / block in / block out statements for the rules that handled the packet. What I have got in the logs looks like this:
Pass log:
Oct 8 15:40:56 xxxx pf: xxx.168.xxx.xxx.59641 > xxx.xxx.xxx.132.443: Flags [S], cksum 0x0d81 (correct), seq 3464546058, win 65535, options [mss 1360,nop,wscale 4,nop,nop,TS val 202297292 ecr 0,sackOK,eol], length 0
Block log:
Oct 8 16:00:07 xxxx pf: xxx.xxx.xxx.121.6000 > xxxx.xxxx.xxxx.123.443: Flags [S], cksum 0x15ff (correct), seq 169213952, win 16384, length 0
Is there any simple way I can tell which is a pass log and which is a block log? Thanks in advance.
-
You have only listed the second line of each.
The pass and block log records are split over two lines.
2013-10-08 01:46:57 Local0.Info 192.168.11.1 Oct 8 01:46:57 pf: 00:31:53.784151 rule 92/0(match): pass in on em0: (tos 0x0, ttl 39, id 35779, offset 0, flags [none], proto TCP (6), length 60)
2013-10-08 01:46:57 Local0.Info 192.168.11.1 Oct 8 01:46:57 pf: aaa.bbb.82.50.37914 > xxx.yyy.34.12.25: Flags [S], cksum 0x9272 (correct), seq 399763710, win 62920, options [mss 1430,sackOK,TS val 3410115388 ecr 0,nop,wscale 6], length 0
This is a "feature" - https://redmine.pfsense.org/issues/1938. Unfortunately, I've never been able to make the fix work.
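Because the action (pass/block), direction and interface live on the first line and the tcpdump-style address tuple on the second, a log collector has to pair the two lines before it can answer the original question. The following parser is an added example written for this thread, not code from pfSense or from the patch linked later; it assumes the two-line layout quoted above (a "pf: <stamp> rule N/M(reason): <action> <dir> on <iface>: (...)" header followed by a "pf: src.port > dst.port: ..." tuple line), tolerates any syslog-receiver prefix in front of "pf:", and uses the header's "proto" field to decide whether the tuple line carries ports (tcpdump appends the port with a dot, so "a.b.c.d.p" cannot be split reliably without that hint). Sample input is constructed, using RFC 5737 documentation addresses, and the last sample line is a deliberately orphaned tuple whose header was lost, which the parser reports rather than attaching it to the wrong record.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Line 1 of a record (layout assumed from the lines quoted in this thread):
#   pf: <stamp> rule <n>/<m>(<reason>): <pass|block> <in|out> on <iface>: (<ip header fields>)
HEADER_RE = re.compile(
    r"pf: (?P<stamp>\d{2}:\d{2}:\d{2}\.\d+) rule (?P<rule>\d+/\d+)\((?P<reason>[^)]*)\): "
    r"(?P<action>pass|block) (?P<direction>in|out) on (?P<iface>[^:]+): \((?P<ipinfo>.*)\)\s*$"
)
PROTO_RE = re.compile(r"proto (?P<proto>\w+) \(\d+\)")
# Line 2 of a record is tcpdump's address tuple. tcpdump glues the port on with a
# dot, so the split is only unambiguous once the header has told us the protocol:
# TCP/UDP lines carry ports, ICMP and other protocols do not.
PORTED_RE = re.compile(
    r"pf: (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<detail>.*)$")
PORTLESS_RE = re.compile(r"pf: (?P<src>\S+) > (?P<dst>\S+): (?P<detail>.*)$")

# Constructed sample: two TCP records (one with a syslog receiver prefix), one ICMP
# record, and a final tuple line whose header line was lost in transit.
SAMPLE_LOG = """\
2013-10-08 01:46:57 Local0.Info 192.0.2.1 Oct  8 01:46:57 pf: 00:31:53.784151 rule 92/0(match): pass in on em0: (tos 0x0, ttl 39, id 35779, offset 0, flags [none], proto TCP (6), length 60)
2013-10-08 01:46:57 Local0.Info 192.0.2.1 Oct  8 01:46:57 pf: 198.51.100.50.37914 > 203.0.113.12.25: Flags [S], cksum 0x9272 (correct), seq 399763710, win 62920, options [mss 1430,sackOK,TS val 3410115388 ecr 0,nop,wscale 6], length 0
Oct  8 16:00:07 fw pf: 00:00:00.000000 rule 7/0(match): block in on em0: (tos 0x0, ttl 55, id 60193, offset 0, flags [DF], proto TCP (6), length 64)
Oct  8 16:00:07 fw pf: 192.0.2.121.6000 > 203.0.113.123.443: Flags [S], cksum 0x15ff (correct), seq 169213952, win 16384, length 0
Oct  8 16:00:08 fw pf: 00:00:00.000000 rule 3/0(match): block in on em0: (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto ICMP (1), length 84)
Oct  8 16:00:08 fw pf: 192.0.2.9 > 203.0.113.123: ICMP echo request, id 1, seq 1, length 64
Oct  8 16:00:09 fw pf: 192.0.2.200.51000 > 203.0.113.123.22: Flags [S], cksum 0x0000 (correct), seq 1, win 16384, length 0
"""


@dataclass
class PfEvent:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    iface: str
    rule: str              # e.g. "92/0"
    proto: str             # from the header's "proto X (n)" field
    src: str
    sport: Optional[int]   # None for port-less protocols such as ICMP
    dst: str
    dport: Optional[int]
    detail: str            # remainder of the tcpdump line: flags, seq, window, options


def parse_pf_log(text: str) -> Tuple[List[PfEvent], List[str]]:
    """Pair header/tuple lines into events; unpaired or unrecognised lines go to leftovers."""
    events: List[PfEvent] = []
    leftovers: List[str] = []
    pending: Optional[re.Match] = None      # header still waiting for its tuple line

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.search(line)
        if h is not None:
            if pending is not None:          # previous header never got a tuple line
                leftovers.append(pending.string)
            pending = h
            continue
        if pending is None:                  # tuple line whose header was lost
            leftovers.append(line)
            continue
        pm = PROTO_RE.search(pending["ipinfo"])
        proto = pm["proto"] if pm else "?"
        t = (PORTED_RE if proto in ("TCP", "UDP") else PORTLESS_RE).search(line)
        if t is None:                        # neither a header nor the expected tuple shape
            leftovers.extend([pending.string, line])
            pending = None
            continue
        g = t.groupdict()
        events.append(PfEvent(
            action=pending["action"], direction=pending["direction"],
            iface=pending["iface"], rule=pending["rule"], proto=proto,
            src=g["src"], sport=int(g["sport"]) if g.get("sport") else None,
            dst=g["dst"], dport=int(g["dport"]) if g.get("dport") else None,
            detail=g["detail"],
        ))
        pending = None
    if pending is not None:
        leftovers.append(pending.string)
    return events, leftovers


def count_by_action(events: List[PfEvent]) -> dict:
    """Answer the thread's question: how many records were passed vs blocked."""
    counts = {"pass": 0, "block": 0}
    for e in events:
        counts[e.action] += 1
    return counts


if __name__ == "__main__":
    evs, left = parse_pf_log(SAMPLE_LOG)
    for e in evs:
        print(f"{e.action:5} {e.direction:3} {e.iface} rule {e.rule} {e.proto} "
              f"{e.src}:{e.sport} -> {e.dst}:{e.dport}")
    print("summary:", count_by_action(evs))
    print("unpaired lines:", len(left))
```

The pairing is purely positional (the next tuple line belongs to the most recent header), which is exactly why interleaving from a busy firewall, or a dropped UDP syslog datagram, can corrupt it; keeping the leftovers list visible in the collector makes that loss measurable instead of silent, and it is the reason a one-line log option such as the patch discussed below is the better fix.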
-
Try this patch on 2.1:
http://files.pfsense.org/jimp/patches/pf-log-oneline-option.diff
-
Thanks, the patch works.
-
Great, thanks Jim.
-
No good, sadly. Tried rebooting too.
2013-10-10 19:50:40 Local0.Info 192.168.11.1 Oct 10 19:48:22 pf: 00:00:00.000000 rule 92/0(match): pass in on em0: (tos 0x0, ttl 55, id 60193, offset 0, flags [DF], proto TCP (6), length 64)
2013-10-10 19:50:40 Local0.Info 192.168.11.1 Oct 10 19:48:22 pf: aaaa.bbbb.168.152.35251 > xxxx.yyyy.34.12.25: Flags [S], cksum 0x748d (correct), seq 2705755449, win 54658, options [mss 1460,nop,nop,TS val 1644061776 ecr 0,nop,wscale 4,nop,nop,sackOK], length 0
I'm running 2.1-RELEASE (amd64) and the only other patch is Marcelloc's interface name patch. Both show "revert". Anything I can provide to help find the problem?
-
After applying the patch go into the settings tab on the system logs and check the box to activate it.
-
That did it.
Thanks again.