Netgate Discussion Forum

    System Logs Format (rsyslog)

    • stephenw10S Offline
      stephenw10 Netgate Administrator

      There is no way of doing that I'm aware of. Certainly not within normal pfSense config.

      Do you need to do that on pfSense itself? Or can you export the logs via syslog to, maybe, rsyslog on something else and convert it there?

      Steve

      • arrmoA Offline
        arrmo

        That makes sense. I did a bit of digging, and in BSD v12 syslog does support the official (RFC 5424) format. But not in v11.x.

        Not sure I understand your rsyslog comment - can you clarify? rsyslog doesn't exist on pfSense, does it?

        Thanks!

        • stephenw10S Offline
          stephenw10 Netgate Administrator

          Indeed it doesn't. I was suggesting exporting it to something else and converting there before sending it to the log analyser.

          I've never tried that myself.

          Steve

          • arrmoA Offline
            arrmo

            Ahh, OK - NP. Thanks for the idea! Will dig more.

            To be honest, if I go to v2.5 of pfSense the issue goes away (i.e. RFC5424 support is there, directly in syslog). Just not sure how stable v2.5 is.

            Thanks again.

            • stephenw10S Offline
              stephenw10 Netgate Administrator @arrmo

              It's quite stable on x86-64. I've been running it for months on numerous boxes with no issues. It is still in dev though so the normal precautions apply etc... 😉

              Steve

              • arrmoA Offline
                arrmo

                No worries, understand the caveats, legal-ize, etc. ... LOL.

                Thanks! I may go this way - then of course need to see if I can tweak the output format (i.e. need to modify the syslogd options a bit, to output the needed format).

                Thanks again.

                • arrmoA Offline
                  arrmo

                  OK, shifted to v2.5, seem to have the new and improved version of syslogd ... :-). Meaning, the -O format option exists. Perfect!

                  Now, how to modify the execution script to have this added to the command? I just need to find that.

                  • arrmoA Offline
                    arrmo

                    Checked the output, working great now - thanks for all the help!

                    Need to figure out the next step - would be nice to have this as a (GUI) option ... it's pretty simple. Just need to figure out how / where to suggest it.

                    Thanks again.

                    • kiokomanK Offline
                      kiokoman LAYER 8

                      i still see syslogd on my 2.5.0
                      you can place additional configuration files in /var/etc/syslog.d
                      best place to ask for new features is https://redmine.pfsense.org/

                      ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                      Please do not use chat/PM to ask for help
                      we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                      Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                      • stephenw10S Offline
                        stephenw10 Netgate Administrator

                        Yup or pull-requests directly in github: https://github.com/pfsense

                        Steve

                        • jimpJ Offline
                          jimp Rebel Alliance Developer Netgate

                          I made an issue for it here: https://redmine.pfsense.org/issues/9808

                          Should be simple enough to code, I'll get to it before long, assuming someone doesn't send in a PR first.

                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                          Need help fast? Netgate Global Support!

                          Do not Chat/PM for help!

                          • arrmoA Offline
                            arrmo

                            Thanks! I was going to do that - just hadn't had a chance to yet.

                            • kiokomanK Offline
                              kiokoman LAYER 8

                              yes ... it was easy to add the gui function

                              the problem is that if i set rfc5424
                              remote syslog still work

                              [2.5.0-DEVELOPMENT][root@pfSense.localdomain]/usr/local/www: ps aux | grep syslogd
                              root  76833   0.0  0.1  11376   2836  -  Ss   23:18       0:00.03 /usr/sbin/syslogd -s -c -c -l /var/dhcpd/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf -O rfc5424
                              root  62262   0.0  0.1  11144   2636  0  S+   23:19       0:00.00 grep syslogd
                              [2.5.0-DEVELOPMENT][root@pfSense.localdomain]/usr/local/www: ps aux | grep syslogd
                              root  74853   0.0  0.1  11376   2836  -  Ss   23:20       0:00.07 /usr/sbin/syslogd -s -c -c -l /var/dhcpd/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf -O rfc3164
                              root   3527   0.0  0.1  11144   2636  0  S+   23:30       0:00.00 grep syslogd
                              

                              these are just examples
                              on my rsyslog server, there is only the hostname instead of the ip, it is able to filter the incoming log

                              Oct  3 23:19:39 pfSense.localdomain radvd[28029] resuming normal operation
                              Oct  3 23:19:55 pfSense.localdomain radvd[28029] IPv6 forwarding on interface seems to be disabled, but continuing anyway
                              Oct  3 23:19:55 pfSense.localdomain radvd[28029] message repeated 2 times: [IPv6 forwarding on interface seems to be disabled, but continuing anyway]
                              Oct  3 23:20:09 172.17.0.254 radvd[28029]: attempting to reread config file
                              Oct  3 23:20:09 172.17.0.254 radvd[28029]: IPv6 forwarding on interface seems to be disabled, but continuing anyway
                              Oct  3 23:20:09 172.17.0.254 radvd[28029]: message repeated 5 times: [ IPv6 forwarding on interface seems to be disabled, but continuing anyway]
                              

                              anyway this is what is written inside pfsense

                              <190>1 2019-10-03T23:19:39.586931+02:00 pfSense.localdomain dhcpd 57488 - - Listening on Socket/6/ix0/2001:470:26:5dc::/64
                              <190>1 2019-10-03T23:19:39.586942+02:00 pfSense.localdomain dhcpd 57488 - - Sending on   Socket/6/ix0/2001:470:26:5dc::/64
                              <190>1 2019-10-03T23:19:39.586942+02:00 pfSense.localdomain dhcpd 57488 - - Sending on   Socket/6/ix0/2001:470:26:5dc::/64
                              <190>1 2019-10-03T23:19:39.587172+02:00 pfSense.localdomain dhcpd 57488 - - Server starting service.
                              <190>1 2019-10-03T23:19:39.587172+02:00 pfSense.localdomain dhcpd 57488 - - Server starting service.
                              Oct  3 23:20:08 pfSense dhcpd[85579]: Internet Systems Consortium DHCP Server 4.4.1
                              Oct  3 23:20:08 pfSense dhcpd[85579]: Internet Systems Consortium DHCP Server 4.4.1
                              Oct  3 23:20:08 pfSense dhcpd[85579]: Copyright 2004-2018 Internet Systems Consortium.
                              Oct  3 23:20:08 pfSense dhcpd[85579]: Copyright 2004-2018 Internet Systems Consortium.
                              Oct  3 23:20:08 pfSense dhcpd[85579]: All rights reserved.
                              Oct  3 23:20:08 pfSense dhcpd[85579]: All rights reserved.
                              

                              but from the gui i'm unable to see any log (i see only rfc3164) , i think that log filters also need to be adjusted based on rfc selected. and ... well ... that it's not easy for me 😂

                              • jimpJ Offline
                                jimp Rebel Alliance Developer Netgate

                                Finally had time to pivot back to this one. I pushed a fix that seems to do a decent job of parsing dynamically, even when the logs contain a mix of entries in different formats.

                                It should show up in snapshots soon.

                                https://redmine.pfsense.org/issues/9808
                                https://github.com/pfsense/pfsense/commit/b16c3a12c61c117e9c8140b115efc7f9acea96c5

                                arrmoA 2 Replies Last reply Reply Quote 4
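Added example (not part of the thread and not the code from the pfSense commit linked above): a Python sketch of format-agnostic parsing for a log that mixes RFC 5424 and BSD-style (RFC 3164) lines, run over lines quoted earlier in the thread. The names `parse_line` and `parse_log` and the caller-supplied `year` are assumptions of this example, since the BSD format carries no year or time zone.

```python
import re
from datetime import datetime

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
# (structured data containing an escaped "\]" is not handled in this sketch)
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$")
# BSD / RFC 3164 style as written to disk: no <PRI>, no year, no time zone.
# The colon after tag[pid] is optional, as in the relayed lines in the thread.
RFC3164 = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:? (?P<msg>.*)$")
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

def parse_line(line, year):
    """Normalize one log line of either format; return None if neither matches."""
    m = RFC5424.match(line)
    if m:
        pri = int(m["pri"])  # PRI = facility * 8 + severity
        ts = m["ts"].replace("Z", "+00:00")
        return {"format": "rfc5424", "facility": pri >> 3, "severity": pri & 7,
                "time": None if ts == "-" else datetime.fromisoformat(ts),
                "host": m["host"], "app": m["app"],
                "pid": None if m["pid"] == "-" else m["pid"], "msg": m["msg"] or ""}
    m = RFC3164.match(line)
    if m and m["mon"] in MONTHS:
        stamp = f"{year}-{MONTHS.index(m['mon']) + 1:02d}-{int(m['day']):02d}T{m['time']}"
        return {"format": "rfc3164", "facility": None, "severity": None,
                "time": datetime.fromisoformat(stamp),  # naive: format has no zone
                "host": m["host"], "app": m["app"], "pid": m["pid"], "msg": m["msg"]}
    return None

def parse_log(lines, year):
    """Parse a mixed-format log; lines that fail to parse are returned separately."""
    parsed, rejected = [], []
    for line in lines:
        try:
            rec = parse_line(line.rstrip("\n"), year)
        except ValueError:  # shape matched but the timestamp is not a valid date
            rec = None
        (parsed if rec else rejected).append(rec or line)
    return parsed, rejected

# First three lines are copied from the thread; the last one is constructed.
SAMPLE = [
    "<190>1 2019-10-03T23:19:39.587172+02:00 pfSense.localdomain dhcpd 57488 - - Server starting service.",
    "Oct  3 23:20:08 pfSense dhcpd[85579]: All rights reserved.",
    "Oct  3 23:19:39 pfSense.localdomain radvd[28029] resuming normal operation",
    "not a syslog line",
]
```

Keeping the rejected lines instead of dropping them lets a collector count and alert on entries it could not normalize after a format switch.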
                                • arrmoA Offline
                                  arrmo @jimp
                                  last edited by

                                  @jimp Awesome, thanks! Will give it a try once it's in a snapshot. Much appreciated!

                                  • arrmoA Offline
                                    arrmo @jimp

                                    @jimp Seems to be working - thanks so much! Will keep an eye on it, let you know if I come across any issues. Much appreciated!

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.