PfSense syslog and ELSA
-
ICMP packages coming from pfSense are going into the CLASS=NONE group
I tested an ICMP block rule and can confirm that ELSA is logging this as "class=none" instead of "class=FIREWALL_ACCESS_DENY".
You should post a request to the Google ELSA group.
-
Hi Jimp,
I have followed the following document -
And it was working for about a month or so, but recently any Ubuntu machine that is in a site-to-site IPsec tunnel cannot get any connectivity when this manual route is implemented. All other traffic from Windows-based machines seems to be unaffected by this, including the syslogs from pfSense being directed to a remote syslog server.
I have tried this on two different tunnels with different Ubuntu machines.
When I delete the manual route and restart apinger, it doesn't clear the issue. A full reboot of the pfSense box seems to fix it.
Do you have any suggestions?
Thanks for your help.
-
Ditch the route, update to 2.1.1, then Status > System Logs, Settings tab, pick LAN for the source address. :-)
-
Is 2.1.1 stable enough now? If there are no other choices, I guess I will test it out.
This is the reason why they invented "Alcohol!!"
-
It's still got a couple issues yet but it may be good enough for most uses.
Otherwise track down the commit(s) for the syslog source address selection and apply them manually.
-
> Otherwise track down the commit(s) for the syslog source address selection and apply them manually.
Hi Jim,
I found this revision, https://redmine.pfsense.org/projects/pfsense/repository/revisions/53c5407e646028a003b2765a87dd3316b21a9497
Would the steps involved be to replace the two files with the ones on this site?
/etc/inc/system.ini
/usr/local/www/diag_logs_settings.php
-
You should be able to use the system patches package to apply that patch. Taking the whole files might get other changes that would have unintended consequences.
-
Do you have a link that you could share?
-
http://doc.pfsense.org/index.php/System_Patches
-
> Ditch the route, update to 2.1.1, then Status > System Logs, Settings tab, pick LAN for the source address. :-)
Hi Jimp,
Thanks for the direction on getting the Syslog to work thru the VPN tunnel. Works well!
I believe that "System:NOTIFICATION / SMTP" has this same issue.
I have "DNS Forwarder" set to forward "mail.domain.com" to 10.10.10.5, I have the Notification "Email server" set to "mail.domain.com" and the emails never go out.
If I change the "Email Server" in Notification to 10.10.10.5, the emails don't go out.
When I change "mail.domain.com" to the external IP address of the mail server, the emails go thru, as this sends the email out thru the internet to get to my mail server.
Would prefer the mail to stay within my VPN tunnel if possible.
-
Not relevant to this thread, but that would require a route; the SMTP client doesn't have a way to force the source address. Start a new thread if you want to discuss alternatives.
-
> Not relevant to this thread, but that would require a route; the SMTP client doesn't have a way to force the source address. Start a new thread if you want to discuss alternatives.
Hi Jimp,
I posted my question to the group without any replies, would you have any suggestions?
https://forum.pfsense.org/index.php/topic,72149.msg394065.html#msg394065
-
The logs from pfSense for ICMP packets (and ESP, IGMP, maybe other protocols as well) have more than one space in front of the IP address part (after applying the "oneline" patch). Therefore you need additional patterns in the patterndb.xml file of ELSA, i.e.
for "class 2" - (FIREWALL_ACCESS_DENY)
<pattern>@ESTRING:: block in on @@ESTRING:s0:: (@@ESTRING::proto @@ESTRING:i0: @@ESTRING:: @@IPv4:i1:@@ESTRING:: @@ESTRING:: @@IPv4:i3:@@ANYSTRING@</pattern>
and for "class 3" - (FIREWALL_CONNECTION_END)
<pattern>@ESTRING:: pass in on @@ESTRING:s0:: (@@ESTRING::proto @@ESTRING:i0: @@ESTRING:: @@IPv4:i1:@@ESTRING:: @@ESTRING:: @@IPv4:i3:@@ANYSTRING@</pattern>
There is an additional 'problem' with the pfSense logs in elsa:
The delimiter between IP addresses and the port numbers is a "dot". This is not a valid delimiter for the Sphinx search engine of ELSA, so searching for an IP address isn't working in ELSA. To solve this issue I have added an additional sed command for external logging in pfSense in /etc/inc/filter.inc to substitute these dots by a colon:

$oneline = isset($config['syslog']['pflog_oneline']) ? " | /usr/bin/sed -l -e 'N;s/\\n //;P;D;' | /usr/bin/sed -l -e 's/\\(.* \\)\\(\\([0-9]\\{1,3\\}\\.\\)\\{3\\}[0-9]\\{1,3\\}\\)\\.\\([0-9]\\{1,5\\}\\)\\( .* \\)\\(\\([0-9]\\{1,3\\}\\.\\)\\{3\\}[0-9]\\{1,3\\}\\)\\.\\([0-9]\\{1,5\\}\\)\\(.*\\)/\\1\\2:\\4\\5\\6:\\8\\9/' " : " ";

(The second sed captures the source address as group 2, its port as group 4, the destination address as group 6 and its port as group 8, and re-emits them as address:port; the first sed is the existing "oneline" join.)
Maybe there is a better solution.
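As an added illustration (not code from this thread, from pfSense or from ELSA), the following Python reimplements what the post above does with sed and patterndb: it joins the two-line pf log records into one, rewrites the trailing "address.port" into "address:port" so the port becomes its own search token, and then extracts the same fields the two patterndb patterns extract, accepting any amount of whitespace before the address pair (the ICMP/ESP case described above). The sample records are constructed, use documentation address ranges, and assume the raw tcpdump line shape shown at the end of this thread; the field names and the class mapping (block to FIREWALL_ACCESS_DENY, pass to FIREWALL_CONNECTION_END) are taken from the posts above.

```python
import re
from typing import List, Optional

# Constructed sample of the raw tcpdump stream that pfSense pipes into syslog:
# one header line per packet plus an indented continuation line. Addresses are
# from documentation ranges (RFC 5737), not real hosts.
SAMPLE_RAW = """\
00:00:31.932924 rule 3/0(match): block in on em1: (tos 0x0, ttl 54, id 48381, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.10.53883 > 198.51.100.5.80: Flags [S], cksum 0x158f (correct), seq 1628583023, win 14600, options [mss 1460,sackOK,TS val 2583988370 ecr 0,nop,wscale 7], length 0
00:00:32.100310 rule 5/0(match): block in on em1: (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto ICMP (1), length 84)
      192.0.2.10 > 198.51.100.5: ICMP echo request, id 1234, seq 1, length 64
00:00:33.000000 rule 7/0(match): pass in on em0: (tos 0x0, ttl 128, id 7, offset 0, flags [DF], proto UDP (17), length 61)
    192.0.2.20.51000 > 198.51.100.53.53: 12345+ A? example.com. (33)
"""

# An IPv4 address directly followed by ".port". The lookarounds stop the match
# from starting inside a longer dotted number (e.g. the timestamp) and from
# swallowing digits of whatever follows the port.
_IP_PORT = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})\.(\d{1,5})(?![\d.])")


def rewrite_ip_port(line: str) -> str:
    """Turn 192.0.2.10.53883 into 192.0.2.10:53883 (same effect as the sed above)."""
    return _IP_PORT.sub(r"\1:\2", line)


def join_continuations(raw: str) -> List[str]:
    """Merge each indented continuation line into the header line before it.
    Unlike the sed 'N;s/\\n //' join, the indentation is collapsed to a single
    space, so later patterns do not need to special-case ICMP/ESP records."""
    records: List[str] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and records:
            records[-1] += " " + line.lstrip()
        else:
            records.append(line)
    return records


def normalize_pf_log(raw: str) -> List[str]:
    return [rewrite_ip_port(r) for r in join_continuations(raw)]


# Field extraction equivalent to the two patterndb patterns quoted above,
# tolerant of any whitespace between the ")" and the address pair.
_PF_LINE = re.compile(
    r"rule \S+: (?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"\(.*?proto (?P<proto>\w+) \(\d+\).*?\)\s+"
    r"(?P<src>(?:\d{1,3}\.){3}\d{1,3})(?::(?P<sport>\d+))? > "
    r"(?P<dst>(?:\d{1,3}\.){3}\d{1,3})(?::(?P<dport>\d+))?:"
)
_CLASS = {"block": "FIREWALL_ACCESS_DENY", "pass": "FIREWALL_CONNECTION_END"}


def classify(line: str) -> Optional[dict]:
    """Return the extracted fields plus the ELSA class, or None if the line
    does not look like a normalized pf record (ELSA would leave it as class=none)."""
    m = _PF_LINE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["class"] = _CLASS[fields["action"]]
    return fields


if __name__ == "__main__":
    for rec in normalize_pf_log(SAMPLE_RAW):
        print(rec)
        print(classify(rec))
```

Run it as-is to see the three normalized records and their fields; feeding the un-normalized two-line form to classify() returns None, which is the symptom the first post in this thread describes.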
-
> The logs from pfSense for ICMP packets (and ESP, IGMP, maybe other protocols as well) have more than one space in front of the IP address part (after applying the "oneline" patch). Therefore you need additional patterns in the patterndb.xml file of ELSA, i.e.
> Maybe there is a better solution.
Did you try to post to the ELSA Google Group? Maybe they would have some suggestions?
https://groups.google.com/forum/#!forum/enterprise-log-search-and-archive
-
> If you're on 2.1, add this patch:
> http://files.pfsense.org/jimp/patches/pf-log-oneline-option.diff
> And then check the box on the system log settings to force the firewall logs to one line.
> If you're on 2.0.x, use this patch instead:
> http://files.pfsense.org/jimp/patches/pf-log-oneline-option-2.0.x.diff
Running 2.1.1. Adding that patch always shows that it cannot be applied. Any tips?
-
Try this one:
http://files.pfsense.org/jimp/patches/pf-log-oneline-option-2.1.1.diff
-
> Try this one:
> http://files.pfsense.org/jimp/patches/pf-log-oneline-option-2.1.1.diff
Loading this page comes up with a 403 Forbidden error?
-
Try again now, I just noticed and fixed that.
-
Works.. Thanks Jim.
-
> Try this one:
> http://files.pfsense.org/jimp/patches/pf-log-oneline-option-2.1.1.diff
Can apply that patch now, but it doesn't work. Logs are still split on 2 lines.
Diagnostics>Command Prompt:
$ /etc/rc.d/syslogd restart
Stopping syslogd.
Starting syslogd.
Log sample (sanitized):
2014-04-10T14:38:53+03:00 somehost pf: 00:00:31.932924 rule 3/0(match): block in on em1: (tos 0x0, ttl 54, id 48381, offset 0, flags [DF], proto TCP (6), length 60)
2014-04-10T14:38:53+03:00 somehost pf: xxx.xxx.xxx.xxx.53883 > yyy.yyy.yyy.yyy.80: Flags [S], cksum 0x158f (correct), seq 1628583023, win 14600, options [mss 1460,sackOK,TS val 2583988370 ecr 0,nop,wscale 7], length 0