How to send rule name to syslog?
-
Hi,
I've just installed the pfSense 2.2.4, it is required for me to forward logs to syslog for further analysis/audit. And I was shocked to find that logs are sent without rule name (just rule ID - which is hidden anyway in GUI). This is most basic feature which I think most firewalls support. The logs are presented with rule name in GUI, but I see no way to forward it to syslog server in such format. Is there any possibility to include rule name in the logs sent to syslog?
-
No, there's no such possibility. There's no rule name in the first place, the are just labels, see
pfctl -vvsr output
for what I mean. Only the tracker ID is quaranteed to be unique, the label doesn't need to exist at all. -
Why then labels are not included in the log events? Addresses or protocol names is also not unique, yet these are included in the logs. To me lack of this really basic feature is ridicolous for product which is so mature. I can't name any other firewall product which can't send rule names/labels in logs (CheckPoint, PaloAlto, Juniper, Dlink - they all can do it since start). This is really weird as the information is accessible locally (even in the log view), but can't be send to remote logging server, this is absurd.
-
I didn't write it, don't ask me. The remote syslogs are broken incompatible crap anyway, syslogd completely sucks for this.
https://redmine.pfsense.org/issues/1940
-
What do you mean by incompatibile crap? Are there any other available connectors to remote log servers? The connector itself works fine, however logging format is just crap.
-
As referenced on the bug above. Sending logs in cleartext is something that immediately makes the entire feature useless for tons of people. In addition to that - as soon as you start this remote logging from a bunch of different OSes or even OS versions on some syslog server, you just get a giant piece of mess where you don't even know where it came from in the first place (such as the hostname missing). That's the entire experince I've got from playing with central logging of stuff from various routers/NAS boxes and servers. RFC-3164 is just sci-fi. Waste of time.
-
I see, the syslog can be probably stunneled, but lack of source hostname, damn… pfSense logging is just crap.
-
It's not just pfSense; this is incompatible crap in general. What I can recommend
- install syslog-ng package
- configure as required
- get the logs rotated as required
- pull the rotated archived logs from the box
- store/parse/do whatever else needed with those
Push approach -> miserable fail.
-
Even with syslog-ng I still wont be able to get proper event fields (like rule label). Its fairly easy to make some workarounds for stream encryption and even for hostname (can be done with syslog-ng), but lack of important fields in event logs is just pure pfSense crap.
-
Afraid you are barking up the wrong tree here. It simply ain't supported by pflog(4) at all. Install whatever FreeBSD system and you won't get any labels logged either.
-
It looks that pfSense adds many fields to pfLog structure (like anchor text), they could make it in the GUI (where logs are processed and include rule name), they could do it in syslog stream as well.
-
Good luck waiting for this…