[HOWTO] pfSense logs to remote syslog server respecting RFC5424
-
Hello there.
As stated in some posts in this forum (for example: https://forum.pfsense.org/index.php?topic=12143.msg66217;topicseen#msg66217 ), syslogd is not respecting the RFC5424 standard.
So exporting the pfSense syslog directly to another server could be messy (normally you will filter the log by source IP, but behind a load balancer this could be a problem). The quick and dirty solution:
- Install syslog-ng from packages
- Configure syslog-ng to be listening on the DMZ/LAN interface on the port you like most (5140 by default is fine for me).
- Set the Remote syslog server #1 (from "Status: System logs: Settings") to point to the DMZ/LAN address (for me it is 192.168.0.1:5140).
- Go back to Services: Syslog-ng Advanced and add a new item as in the attachment.
Obviously substitute "my-remote-syslog-server" and the port with what you actually need.
![Schermata 2015-08-14 alle 11.59.49.png](/public/imported_attachments/1/Schermata 2015-08-14 alle 11.59.49.png)
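Since the attachment no longer downloads, here is an added example of a syslog-ng configuration that does what the steps above describe. It is not the original attachment and not text from the pfSense syslog-ng package; it uses the address and port from the post (192.168.0.1:5140) and the "my-remote-syslog-server" placeholder, while the object names, the remote port 514 and the UDP transport are my assumptions.

```conf
# Listen where pfSense's own syslogd has been told to forward to
# ("Remote syslog server #1" = 192.168.0.1:5140). Address and port are
# taken from the post; adjust to your DMZ/LAN interface.
source s_pfsense_local {
    network(ip("192.168.0.1") port(5140) transport("udp"));
};

# Re-emit with the syslog() driver, which writes RFC 5424 (IETF-syslog)
# framing, so the collector gets a proper HOST / APP-NAME header instead
# of having to rely on the packet's source IP.
# Hostname and port are placeholders: substitute your real collector.
destination d_remote_rfc5424 {
    syslog("my-remote-syslog-server" port(514) transport("udp"));
};

# Tie the two together.
log {
    source(s_pfsense_local);
    destination(d_remote_rfc5424);
};
```

In the Syslog-ng Advanced page each of the three blocks becomes one item (object name, object type and the parameters inside the braces). Because the collector now keys on the RFC 5424 HOST field rather than on the sender address, check what syslog-ng puts there: with the default keep-hostname(no) it substitutes the address of the sending host as it sees it, which here is the local listener, so set keep-hostname(yes) or use-dns/use-fqdn options in the source if you want the firewall's own name in the header.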
-
rsyslog is a better bet. Besides, having all your eggs in one basket is risky, especially if your fw gets pwned, so something like syslog is best set to an individual syslog server.
-
Hello !
Can you re-upload the setting? It is desirable in text form, as attachments no longer download.
Thanks!
-
@andrsharov
I found that simply installing the syslog-ng package 1.15_3 on pfSense 2.4.4 changed the message format. I did not configure anything in syslog-ng; I did not even enable syslog-ng.
Before installation of syslog-ng my input in Graylog did not recognize any messages from pfSense. After the installation they get recognized.
-
That option is in 2.5 already:
https://redmine.pfsense.org/issues/9808