Netgate Discussion Forum

    PfSense syslog and ELSA

    • A Former User

      @jimp:

      If you're on 2.1, add this patch:
      http://files.pfsense.org/jimp/patches/pf-log-oneline-option.diff

      And then check the box on the system log settings to force the firewall logs to one line.

      If you're on 2.0.x, use this patch instead:
      http://files.pfsense.org/jimp/patches/pf-log-oneline-option-2.0.x.diff

      Running 2.1.1. Adding that patch always shows that it cannot be applied. Any tips?

      • jimp (Rebel Alliance Developer, Netgate)

        Try this one:

        http://files.pfsense.org/jimp/patches/pf-log-oneline-option-2.1.1.diff

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • BBcan177 (Moderator)

          @jimp:

          Try this one:

          http://files.pfsense.org/jimp/patches/pf-log-oneline-option-2.1.1.diff

          Loading this page comes up with a 403 Forbidden error?

          "Experience is something you don't get until just after you need it."

          Website: http://pfBlockerNG.com
          Twitter: @BBcan177  #pfBlockerNG
          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

          • jimp (Rebel Alliance Developer, Netgate)

            Try again now, I just noticed and fixed that

            • BBcan177 (Moderator)

              Works. Thanks Jim.

              • A Former User

                @jimp:

                Try this one:

                http://files.pfsense.org/jimp/patches/pf-log-oneline-option-2.1.1.diff

                Can apply that patch now, but it doesn't work. Logs are still split on 2 lines.

                Diagnostics > Command Prompt:

                $ /etc/rc.d/syslogd restart
                Stopping syslogd.
                Starting syslogd.

                Log sample (sanitized):

                2014-04-10T14:38:53+03:00 somehost pf: 00:00:31.932924 rule 3/0(match): block in on em1: (tos 0x0, ttl 54, id 48381, offset 0, flags [DF], proto TCP (6), length 60)
                2014-04-10T14:38:53+03:00 somehost pf:     xxx.xxx.xxx.xxx.53883 > yyy.yyy.yyy.yyy.80: Flags [S], cksum 0x158f (correct), seq 1628583023, win 14600, options [mss 1460,sackOK,TS val 2583988370 ecr 0,nop,wscale 7], length 0
                • jimp (Rebel Alliance Developer, Netgate)

                  Did you enable the option in the system log settings after applying the patch? It doesn't default to on.

                  • A Former User

                    @jimp:

                    Did you enable the option in the system log settings after applying the patch? It doesn't default to on.

                    Knew I would brainfart at some point today. Forgot about that setting, will try when I get back and report back.

                    Tested after upgrading to 2.1.2 and working as expected after enabling it in the settings. Thank you

                    • miloman

                      @jimp:

                      Try this one:

                      http://files.pfsense.org/jimp/patches/pf-log-oneline-option-2.1.1.diff

                      Any love for pfSense 2.1.2 and 2.1.3?

                      • biggsy

                        That patch works for me on 2.1.3.

                        • BBcan177 (Moderator)

                          I have had some issues with this patch also. Worked on most machines but one of them I had to remove the patch, reboot and then re-enable the patch to get it to work?

                          • ozzbrian

                            Does this work for 2.5?

                            • valshare

                              Doesn't work with pfSense 2.2.

                              • jimp (Rebel Alliance Developer, Netgate)

                                The patch is not needed on 2.2.

                                2.2 changed the native log format to be one line already: https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2

                                • fearnothing

                                  Hi folks, I'm looking into teaching myself how to write a syslog-ng parser for pfSense 2.2 output. There are a few fields where I want to query exactly what content might be in them, because the documentation page isn't quite specific enough. If someone's already written a parser - great! I'll look at it after I've taught myself to do it first, and maybe learn if I've made any mistakes. But the learning comes first :D

                                  Specifically, I need to know what I might encounter in the following fields:

                                  • IP Flags - will it simply be "DNF" or "MF" or could it be more complicated?
                                  • ECN - is it going to give the numeric value or a text representation?
                                  • URG - will it say "set" or "true" or "urg" or something else?
                                  • fearnothing

                                    Further to the above, I'm making good progress with the basic version of pfsense 2.2 firewall syslog events - just about have all IPv4 TCP/UDP working and will start on ICMP and IPv6 after that. One thing I don't have the facility to do at home is CARP, so I would very much appreciate it if people could post me some example CARP event messages for me to make sure my patterns are matching correctly.

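The two posts above ask what lands in the ecn, IP flags and URG columns of the one-line 2.2 format and how to match IPv4/IPv6 TCP/UDP/ICMP records. As an added example (not code from the thread or from the pfSense project), here is a small Python field splitter for the "filterlog:" CSV record; the field order follows the documentation page jimp links, which is an assumption to verify against your release, and the field names, the regular expression and the two sample lines are constructed here. It does not decide what the ecn/ipflags/urg values mean; it only exposes them as separate columns so a parser author can see the raw strings.

```python
import re

# Field order of the one-line pfSense 2.2 "filterlog:" CSV record, taken from
# https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2
# (assumed here; check it against the release you run). Field names are ours.
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "ipflags", "proto_id", "proto"]
IPV6 = ["class", "flowlabel", "hoplimit", "proto", "proto_id"]
ADDR = ["length", "src", "dst"]
TCP = ["sport", "dport", "datalen", "tcpflags", "seq", "ack", "window",
       "urg", "options"]
UDP = ["sport", "dport", "datalen"]
ICMP = ["icmp_type"]  # rest depends on the type; left raw in "extra"
# Constructed sample lines (not real traffic); addresses from documentation ranges.
SAMPLE_TCP4 = ("Feb 18 10:02:11 fw filterlog: 5,16777216,,1000000103,em1,match,"
               "block,in,4,0x0,,54,48381,0,DF,6,tcp,60,198.51.100.10,203.0.113.5,"
               "53883,80,0,S,1628583023,,14600,,mss;sackOK;TS;nop;wscale")
SAMPLE_UDP6 = ("Feb 18 10:02:12 fw filterlog: 9,,,1000000110,em0,match,pass,out,"
               "6,0x00,0x00000,64,udp,17,60,2001:db8::1,2001:db8::2,5353,5353,40")

_PREFIX = re.compile(r"filterlog(?:\[\d+\])?:\s*(?P<csv>.*)$")


def parse_filterlog(line):
    """Split one syslog line carrying a filterlog record into named fields.
    Returns None for non-filterlog lines; values stay the raw strings pfSense
    emitted, so you can see exactly what ecn, ipflags or urg contain."""
    m = _PREFIX.search(line)
    if not m:
        return None
    fields = m.group("csv").split(",")
    rec = {}

    def take(names):
        # Consume the next len(names) columns; missing ones become "".
        for name in names:
            rec[name] = fields.pop(0) if fields else ""

    take(COMMON)
    take(IPV4 if rec["ipver"] == "4" else IPV6)
    take(ADDR)
    proto = rec["proto"].lower()
    if proto == "tcp":
        take(TCP)
    elif proto == "udp":
        take(UDP)
    elif proto in ("icmp", "icmpv6"):
        take(ICMP)
    rec["extra"] = fields  # leftovers: ICMP detail, CARP, unknown protocols
    return rec
```

Feed real lines from the 2.2 firewall log through it and the columns that stay ambiguous in the documentation show their actual contents.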
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.