Netgate Discussion Forum

Sending rule description field and rule changes audit via syslog in pf 2.2

    yourcatbites
    last edited by Jan 26, 2015, 6:52 AM

    Hi,

    I've upgraded to 2.2 and noticed the audit log changes described here:
    https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2

    I have two questions:
    1. Is it possible to edit the format in such a way that it will send the rule description as well (besides the rule id) via syslog?
    2. Is it possible to receive audit for rule/object modifications, for example: "rule 10 was changed by user x", "ip added to alias" etc.?

    Thanks!

      jimp Rebel Alliance Developer Netgate
      last edited by Jan 29, 2015, 12:16 AM

      Currently, the answer to both is no.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        user2
        last edited by Feb 2, 2019, 8:33 PM

        4 years later, still true with pfSense 2.4.4.

        I need the rule description in the syslog output, too!

        If somebody could point me in the right direction, maybe I can modify a script or config file?

        Thanks all.

          NogBadTheBad
          last edited by Feb 3, 2019, 8:04 PM

          301,,,1535801592,pppoe0,match,block,in,4,0x0,,243,61189,0,DF,6,tcp,40,185.53.88.19,x.x.x.x,239,8081,0,S,2859,,512,,

          It does include the tracking ID if that's any help.

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            user2
            last edited by user2 Feb 4, 2019, 3:58 AM Feb 4, 2019, 3:33 AM

            Yes, absolutely. Thank you for pointing that out.

            From the reference:
            https://www.netgate.com/docs/pfsense/monitoring/filter-log-format-for-pfsense-2-2.html

            In a remote log, the fifth field is:
            <tracker> ::= <integer> -- Unique ID per rule, tracker ID is stored with the rule in config.xml for user added rules, or check /tmp/rules.debug

            I need to figure out how to use that number from my syslog server, to lookup the rule description. So far, I'm closer, now using splunk to run a script:

            | script pfsenselookup 1000000105
            

            where pfsenselookup.py is

            import sys
            import shlex
            import subprocess
            # Tracker ID(s) passed in by Splunk; shell-quoted so they cannot alter the remote command
            matchstring = shlex.quote(' '.join(sys.argv[1:]))
            # Fetch the loaded ruleset from pfSense and keep only rule lines ('@n(tracker) ...') matching the tracker ID
            subprocess.run(["ssh", "user@192.168.1.1", "pfctl -vvsr | grep '^@' | grep -F -- %s" % matchstring])
            

            For example, results :

            @11(1000000105) block drop in log inet6 all label "Default deny rule IPv6"
            
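As an added example (not code from this post or from pfSense), the same lookup done offline in Python: it parses `pfctl -vvsr` output into a tracker-to-label map, splits the filterlog CSV from each syslog line (the tracker is the field at zero-based index 3, as in the sample line above), and joins the two, flagging trackers that no longer exist in the ruleset. All rule lines, log lines and addresses below are constructed.

```python
import re

# Constructed sample of `pfctl -vvsr` output, in the shape shown in the post above
PFCTL_RULES = """\
@10(1000000104) block drop in log inet all label "Default deny rule IPv4"
@11(1000000105) block drop in log inet6 all label "Default deny rule IPv6"
@12(1535801592) block drop in log quick on pppoe0 inet from 192.0.2.0/24 to any label "Block scanner range"
"""

# Constructed syslog lines carrying the pfSense 2.2 filterlog CSV format
SYSLOG_LINES = [
    "Feb  4 03:33:00 pfsense filterlog: 301,,,1535801592,pppoe0,match,block,in,4,0x0,,243,61189,0,DF,6,tcp,40,192.0.2.7,198.51.100.2,239,8081,0,S,2859,,512,,",
    "Feb  4 03:33:01 pfsense filterlog: 5,,,1000000105,pppoe0,match,block,in,6,0x0,0x00000,64,udp,17,50,2001:db8::1,2001:db8::2,546,547,0",
    "Feb  4 03:33:02 pfsense filterlog: 7,,,4242,pppoe0,match,pass,out,4,0x0,,64,1,0,DF,6,tcp,60,198.51.100.2,192.0.2.9,5555,443,0,S,1,,65535,,",
]

RULE_RE = re.compile(r'^@\d+\((\d+)\)\s.*?\blabel "([^"]*)"')

def parse_ruleset(text):
    """Map tracker ID -> rule label from `pfctl -vvsr` output."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules[m.group(1)] = m.group(2)
    return rules

def parse_filterlog(line):
    """Split a syslog line into filterlog fields; returns None for non-filterlog lines."""
    _, _, csv = line.partition("filterlog: ")
    if not csv:
        return None
    f = csv.split(",")
    if len(f) < 9:          # rule-number .. ip-version are the fixed leading fields
        return None
    return {"tracker": f[3], "interface": f[4], "action": f[6],
            "direction": f[7], "ipver": f[8], "fields": f}

def enrich(lines, rules):
    """Attach the rule description to each record; unknown trackers get a marker."""
    out = []
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None:
            continue
        rec["description"] = rules.get(rec["tracker"], "<unknown tracker>")
        out.append(rec)
    return out
```

A tracker that resolves to `<unknown tracker>` usually means the ruleset changed after the log line was written, which is exactly the case where an audit trail for rule edits would help.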
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.