Netgate Discussion Forum
    Sending rule description field and rule changes audit via syslog in pf 2.2

    General pfSense Questions
    yourcatbites

      Hi,

      I've upgraded to 2.2 and noticed the audit log changes described here:
      https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2

      I have two questions:
      1. Is it possible to edit the format in such way - it will send the rule description as well (besides the rule id) via syslog?
      2. Is it possible to receive audit for rule/object modifications, for example: "rule 10 was changed by user x", "ip added to alias", etc.?

      Thanks!

      jimp (Rebel Alliance Developer, Netgate)

        Currently, the answer to both is no.

        user2

          4 years later, still true with pfSense 2.4.4.

          I need the rule description in the syslog output, too!

          If somebody could point me in the right direction, maybe I can modify a script or config file?

          Thanks all.

          NogBadTheBad

            301,,,1535801592,pppoe0,match,block,in,4,0x0,,243,61189,0,DF,6,tcp,40,185.53.88.19,x.x.x.x,239,8081,0,S,2859,,512,,

            It does include the tracking ID if thats any help.

            Andy

            user2

              Yes, absolutely. Thank you for pointing that out.

              From the reference:
              https://www.netgate.com/docs/pfsense/monitoring/filter-log-format-for-pfsense-2-2.html

              In a remote log, the fifth field is:
              <tracker> ::= <integer> -- Unique ID per rule, tracker ID is stored with the rule in config.xml for user added rules, or check /tmp/rules.debug

              I need to figure out how to use that number from my syslog server to look up the rule description. So far I'm closer, now using Splunk to run a script:

              | script pfsenselookup 1000000105
              

              where pfsenselookup.py is

              import subprocess
              import sys

              tracker = " ".join(sys.argv[1:])  # tracker ID passed in from the Splunk search, e.g. 1000000105
              # Argument-list form: the tracker never reaches a shell, so a crafted value cannot inject commands
              rules = subprocess.run(["ssh", "user@192.168.1.1", "pfctl", "-vvsr"],
                                     capture_output=True, text=True, check=True).stdout
              for line in rules.splitlines():
                  # rule lines start with "@"; match the tracker in parentheses so 100000010 does not match 1000000105
                  if line.startswith("@") and "(" + tracker + ")" in line:
                      print(line)
              

              For example, results :

              @11(1000000105) block drop in log inet6 all label "Default deny rule IPv6"
              
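              The lookup the last two posts arrive at, written out as an added example (not code from the thread or from pfSense): parse a filterlog CSV record according to the 2.2 format linked above, pull the tracker field, and resolve it to a description either from cached `pfctl -vvsr` output (the `@N(tracker) ... label "..."` lines, as in the result shown) or from the `<filter><rule>` entries of config.xml, where the doc says user-rule trackers are stored. The function names, the second rule in the pfctl excerpt, its label and the config.xml fragment are assumptions made up for the example; the log line is the one posted earlier in the thread. The IPv6 header layout is taken from the same format page and is not exercised by the posted line.

```python
import csv
import re
import xml.etree.ElementTree as ET

# Field order of the pfSense 2.2+ filterlog record (see the linked format page).
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto",
        "length", "src", "dst"]
IPV6 = ["class", "flow", "hoplimit", "proto", "proto_id", "length", "src", "dst"]
TCP = ["sport", "dport", "datalen", "tcpflags", "seq", "ack", "window", "urg", "options"]
UDP = ["sport", "dport", "datalen"]

# Log line posted in this thread (destination masked by the poster).
LOG_LINE = ("301,,,1535801592,pppoe0,match,block,in,4,0x0,,243,61189,0,DF,6,tcp,40,"
            "185.53.88.19,x.x.x.x,239,8081,0,S,2859,,512,,")

# Constructed 'pfctl -vvsr' excerpt: the first rule line is the one shown in the
# thread; the rule for tracker 1535801592 and its label are invented for the example.
PFCTL_OUTPUT = """\
@11(1000000105) block drop in log inet6 all label "Default deny rule IPv6"
  [ Evaluations: 12      Packets: 0         Bytes: 0           States: 0     ]
@12(1535801592) block drop in log quick on pppoe0 inet proto tcp from any to any port = 8081 label "USER_RULE: Block inbound 8081"
  [ Evaluations: 30      Packets: 3         Bytes: 120         States: 0     ]
"""

# Constructed config.xml fragment with the <tracker>/<descr> children a user rule carries.
CONFIG_XML = """<pfsense><filter>
<rule><tracker>1535801592</tracker><descr><![CDATA[Block inbound 8081]]></descr></rule>
</filter></pfsense>"""

# Rule lines in pfctl output: "@<n>(<tracker>) <rule text> [label "<label>"]".
RULE_RE = re.compile(r'^@(\d+)\((\d+)\)\s+(.*?)(?:\s+label\s+"([^"]*)")?\s*$')


def parse_filterlog(line):
    """Parse one filterlog record into a dict keyed by the field names above.

    Accepts the bare CSV record or a syslog line; the record is assumed to
    follow the 'filterlog: ' program tag that pfSense puts in front of it.
    """
    if "filterlog: " in line:
        line = line.split("filterlog: ", 1)[1]
    fields = next(csv.reader([line.strip()]))
    rec = dict(zip(COMMON, fields))
    rest = fields[len(COMMON):]
    hdr = IPV4 if rec.get("ipver") == "4" else IPV6
    rec.update(zip(hdr, rest))
    rest = rest[len(hdr):]
    l4 = {"tcp": TCP, "udp": UDP}.get(rec.get("proto"), [])
    rec.update(zip(l4, rest))
    rec["extra"] = rest[len(l4):]   # anything past the layer-4 header is kept verbatim
    return rec


def trackers_from_pfctl(text):
    """Map tracker ID -> label (or rule text when unlabelled) from 'pfctl -vvsr'.

    Only '@'-prefixed rule lines count; the indented statistics lines that
    follow each rule are skipped, as the thread's grep '^@' does.
    """
    out = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            out[m.group(2)] = m.group(4) if m.group(4) is not None else m.group(3)
    return out


def trackers_from_config(xml_text):
    """Map tracker ID -> description from <filter><rule> entries of config.xml.

    Covers user-added rules only; internal rules such as the default deny are
    not stored there (the doc points to /tmp/rules.debug for those).
    """
    out = {}
    for rule in ET.fromstring(xml_text).findall("./filter/rule"):
        trk = rule.findtext("tracker")
        if trk:
            out[trk.strip()] = (rule.findtext("descr") or "").strip()
    return out


def describe(log_line, tracker_map):
    """Parse a filterlog record and attach the description for its tracker ID."""
    rec = parse_filterlog(log_line)
    rec["descr"] = tracker_map.get(rec.get("tracker", ""), "")
    return rec


if __name__ == "__main__":
    by_pfctl = trackers_from_pfctl(PFCTL_OUTPUT)
    event = describe(LOG_LINE, by_pfctl)
    print(event["tracker"], event["src"], "->", event["dst"], event["dport"], "|", event["descr"])
    print(trackers_from_config(CONFIG_XML))
```

              Fetching `pfctl -vvsr` once and caching the map until the ruleset changes is cheaper and safer than running an SSH command per log event; the same cache, or a copy of config.xml, can be loaded on the syslog server so the lookup never needs a live shell into the firewall. Matching on the parenthesised tracker avoids the substring collisions a bare `grep` on the number is prone to.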