Syslog-ng Basic Questions
-
First question: Is there any sentiment from the community whether or not it is good practice to use pfSense to log a whole bunch of stuff on your network?
Second question: TCP or UDP as default? Under the Advanced tab can I change it so that both TCP and UDP are dumped into the same file or will that blow up the world?
Third question: Multiple log files and the package's web GUI within the pfSense web GUI. I assume that you must select Enable, either accept or create a default "catch-all" log file location, and then from there you can go over to Advanced and enter whatever else you want for supplementary logging and/or log file names and locations?
I didn't find much tutorial or informational documentation on the web but perhaps I didn't look hard enough. Is there anything out there?
As an overall bigger picture, I'd like to set up one main "catch-all" log file per interface. From there, I would like to set up additional, secondary or tertiary log files for individual machines, such as a secondary log file as a "catch-all" to record everything from a specific IP address, and then a tertiary log file for a specific program/protocol from a specific IP address.
Ideally I would dump everything into one file and use filtering; however, I have a combination of TCP and UDP on each interface, which is how I got to where I am.
I'm looking for one specific TCP error/message and one specific UDP error/message coming from one IP address. I have a test/dev pfSense machine running as a VM with a few subnets and VMs connected.
Thanks.
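Worked example (added here; not from the original post or the pfSense package): a syslog-ng.conf that implements the layout asked about above, with TCP and UDP from each interface feeding the same files, one catch-all per interface, a secondary file for one host, a tertiary file for one program from that host, and a small file that only receives the two messages being hunted. It assumes syslog-ng 3.x with the network() driver; the interface addresses 10.0.1.1 (LAN) and 10.0.2.1 (OPT1), the host 10.0.1.50, the program name sshd and the two message patterns are all placeholders. Each source/filter/destination/log block should correspond to one object on the package's Advanced tab.

```conf
@version: 3.6
# Set @version to the syslog-ng release actually installed.

options {
    create_dirs(yes);    # create per-interface / per-host directories on first write
    dir_perm(0750);      # log directories and files are not world-readable
    perm(0640);
    use_dns(no);         # never stall the log path on reverse DNS lookups
    keep_hostname(yes);  # keep the hostname the sender put in the message
};

# Sources: one listener per pfSense interface address, each accepting UDP
# and TCP on 514. Both transports feed the same log paths below, so a
# host's TCP and UDP messages land in the same file, interleaved in
# arrival order. Addresses are assumed lab values.
source s_lan {
    network(ip("10.0.1.1") port(514) transport("udp"));
    network(ip("10.0.1.1") port(514) transport("tcp"));
};
source s_opt1 {
    network(ip("10.0.2.1") port(514) transport("udp"));
    network(ip("10.0.2.1") port(514) transport("tcp"));
};

# Filters. netmask() tests the sender's IP address (SOURCEIP), not the
# hostname in the message, so a host cannot steer its lines into another
# host's file by lying in its syslog header.
filter f_host50 { netmask("10.0.1.50/32"); };
filter f_sshd   { program("^sshd$"); };
# The two messages of interest; the patterns are placeholders.
filter f_watch {
    match("connection refused" value("MESSAGE"))
    or match("port unreachable" value("MESSAGE"));
};

# Destinations: one file per interface, per host, per program, plus the watch file.
destination d_lan_all     { file("/var/log/syslog-ng/lan/all.log"); };
destination d_opt1_all    { file("/var/log/syslog-ng/opt1/all.log"); };
destination d_host50      { file("/var/log/syslog-ng/lan/10.0.1.50/all.log"); };
destination d_host50_sshd { file("/var/log/syslog-ng/lan/10.0.1.50/sshd.log"); };
destination d_watch       { file("/var/log/syslog-ng/watch.log"); };

# Log paths. Several filter() statements in one path are ANDed, and a
# message that matches several paths is written to every matching
# destination, which is what makes the primary/secondary/tertiary layering work.
log { source(s_lan);  destination(d_lan_all); };                                   # primary: per interface
log { source(s_opt1); destination(d_opt1_all); };
log { source(s_lan); filter(f_host50); destination(d_host50); };                    # secondary: one host
log { source(s_lan); filter(f_host50); filter(f_sshd);  destination(d_host50_sshd); };  # tertiary: one program from that host
log { source(s_lan); filter(f_host50); filter(f_watch); destination(d_watch); };   # only the two messages being hunted
```

To check the TCP and UDP paths from the test VM without waiting for the real messages, the util-linux logger can send one line over each transport (`logger -n 10.0.1.1 -P 514 -T "tcp test"` and `logger -n 10.0.1.1 -P 514 -d "udp test"`); both should appear in lan/all.log and in the 10.0.1.50 file. If one file per program is wanted instead of naming each, `file("/var/log/syslog-ng/lan/10.0.1.50/${PROGRAM}.log")` does it in a single destination. Two caveats worth keeping in mind when choosing a default transport: UDP drops lines silently under load and lets anything that can reach the port inject lines, while TCP delivers reliably but a sender that cannot connect will buffer or block; neither is encrypted, so binding each listener to an internal interface address as above, rather than to 0.0.0.0, is the minimum.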
-
I would stay away from Syslog-NG, as it seems to have been removed from the next release of pfSense, 2.2.3. Not to say that the package won't get some updates to fix whatever is wrong with it (I don't use the package, so I am just speculating).
<configurationfile>syslog-ng.xml</configurationfile>
<maximum_version>2.2.999</maximum_version>
https://github.com/pfsense/pfsense-packages/commit/548f3103e8bc755e2864d49811a3839aa33bad1d
You can use other remote solutions that would be better than trying to use pfSense for this purpose, like Security Onion or ELK.
http://blog.securityonion.net/p/securityonion.html
-
I have been following the progress of the syslog-ng package for pfSense, as I have been wanting to provide long-term logging as well as increased flexibility over pfSense's standard logging solution. While the package still has some issues, recent bug-fix commits have at least allowed me to get it set up on my router, and it is working pretty much the way I want. I think there's still an issue with the log-rotate and compress feature, but I haven't looked into it yet to see if I can fix it myself.
If you would like to experiment with syslog-ng, I would be more than willing to help you out!