Netgate Discussion Forum

    System Logs Format (rsyslog)

    • arrmoA Offline
      arrmo
      last edited by

      That makes sense. I did a bit of digging, and in BSD v12 syslog does support the official (RFC 5424) format. But not in v11.x.

      Not sure I understand your rsyslog comment - can you clarify? rsyslog doesn't exist on pfSense, does it?

      Thanks!

      1 Reply Last reply Reply Quote 0
      • stephenw10S Offline
        stephenw10 Netgate Administrator
        last edited by

        Indeed it doesn't. I was suggesting exporting it to something else and converting there before sending it to the log analyser.

        I've never tried that myself.

        Steve

        1 Reply Last reply Reply Quote 0
        • arrmoA Offline
          arrmo
          last edited by

          Ahh, OK - NP. Thanks for the idea! Will dig more.

          To be honest, if I go to v2.5 of pfSense the issue goes away (i.e. RFC5424 support is there, directly in syslog). Just not sure how stable v2.5 is.

          Thanks again.

          stephenw10S 1 Reply Last reply Reply Quote 0
          • stephenw10S Offline
            stephenw10 Netgate Administrator @arrmo
            last edited by

            It's quite stable on x86-64. I've been running it for months on numerous boxes with no issues. It is still in dev though so the normal precautions apply etc... 😉

            Steve

            1 Reply Last reply Reply Quote 1
            • arrmoA Offline
              arrmo
              last edited by

              No worries, understand the caveats, legalese, etc. ... LOL.

              Thanks! I may go this way - then of course need to see if I can tweak the output format (i.e. need to modify the syslogd options a bit, to output the needed format).

              Thanks again.

              1 Reply Last reply Reply Quote 0
              • arrmoA Offline
                arrmo
                last edited by

                OK, shifted to v2.5, seem to have the new and improved version of syslogd ... :-). Meaning, the -O format option exists. Perfect!

                Now, how to modify the execution script to have this added to the command? I just need to find that.

                1 Reply Last reply Reply Quote 0
                • arrmoA Offline
                  arrmo
                  last edited by

                  Checked the output, working great now - thanks for all the help!

                  Need to figure out the next step - would be nice to have this as a (GUI) option ... it's pretty simple. Just need to figure out how / where to suggest it.

                  Thanks again.

                  1 Reply Last reply Reply Quote 0
                  • kiokomanK Offline
                    kiokoman LAYER 8
                    last edited by

                    i still see syslogd on my 2.5.0
                    you can place additional configuration files in /var/etc/syslog.d
                    best place to ask for new features is https://redmine.pfsense.org/

                    ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                    Please do not use chat/PM to ask for help
                    we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                    Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                    1 Reply Last reply Reply Quote 0
                    • stephenw10S Offline
                      stephenw10 Netgate Administrator
                      last edited by

                      Yup or pull-requests directly in github: https://github.com/pfsense

                      Steve

                      1 Reply Last reply Reply Quote 0
                      • jimpJ Offline
                        jimp Rebel Alliance Developer Netgate
                        last edited by

                        I made an issue for it here: https://redmine.pfsense.org/issues/9808

                        Should be simple enough to code, I'll get to it before long, assuming someone doesn't send in a PR first.

                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!

                        1 Reply Last reply Reply Quote 2
                        • arrmoA Offline
                          arrmo
                          last edited by

                          Thanks! I was going to do that - just hadn't had a chance to yet.

                          1 Reply Last reply Reply Quote 0
                          • kiokomanK Offline
                            kiokoman LAYER 8
                            last edited by kiokoman

                            yes ... it was easy to add the gui function

                            Immagine.jpg

                            the problem is that if i set rfc5424
                            remote syslog still works

                            [2.5.0-DEVELOPMENT][root@pfSense.localdomain]/usr/local/www: ps aux | grep syslogd
                            root  76833   0.0  0.1  11376   2836  -  Ss   23:18       0:00.03 /usr/sbin/syslogd -s -c -c -l /var/dhcpd/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf -O rfc5424
                            root  62262   0.0  0.1  11144   2636  0  S+   23:19       0:00.00 grep syslogd
                            [2.5.0-DEVELOPMENT][root@pfSense.localdomain]/usr/local/www: ps aux | grep syslogd
                            root  74853   0.0  0.1  11376   2836  -  Ss   23:20       0:00.07 /usr/sbin/syslogd -s -c -c -l /var/dhcpd/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf -O rfc3164
                            root   3527   0.0  0.1  11144   2636  0  S+   23:30       0:00.00 grep syslogd
                            

                            these are just examples
                            on my rsyslog server, there is only the hostname instead of the ip, it is able to filter the incoming log

                            Oct  3 23:19:39 pfSense.localdomain radvd[28029] resuming normal operation
                            Oct  3 23:19:55 pfSense.localdomain radvd[28029] IPv6 forwarding on interface seems to be disabled, but continuing anyway
                            Oct  3 23:19:55 pfSense.localdomain radvd[28029] message repeated 2 times: [IPv6 forwarding on interface seems to be disabled, but continuing anyway]
                            Oct  3 23:20:09 172.17.0.254 radvd[28029]: attempting to reread config file
                            Oct  3 23:20:09 172.17.0.254 radvd[28029]: IPv6 forwarding on interface seems to be disabled, but continuing anyway
                            Oct  3 23:20:09 172.17.0.254 radvd[28029]: message repeated 5 times: [ IPv6 forwarding on interface seems to be disabled, but continuing anyway]
                            

                            anyway this is what is written inside pfsense

                            <190>1 2019-10-03T23:19:39.586931+02:00 pfSense.localdomain dhcpd 57488 - - Listening on Socket/6/ix0/2001:470:26:5dc::/64
                            <190>1 2019-10-03T23:19:39.586942+02:00 pfSense.localdomain dhcpd 57488 - - Sending on   Socket/6/ix0/2001:470:26:5dc::/64
                            <190>1 2019-10-03T23:19:39.586942+02:00 pfSense.localdomain dhcpd 57488 - - Sending on   Socket/6/ix0/2001:470:26:5dc::/64
                            <190>1 2019-10-03T23:19:39.587172+02:00 pfSense.localdomain dhcpd 57488 - - Server starting service.
                            <190>1 2019-10-03T23:19:39.587172+02:00 pfSense.localdomain dhcpd 57488 - - Server starting service.
                            Oct  3 23:20:08 pfSense dhcpd[85579]: Internet Systems Consortium DHCP Server 4.4.1
                            Oct  3 23:20:08 pfSense dhcpd[85579]: Internet Systems Consortium DHCP Server 4.4.1
                            Oct  3 23:20:08 pfSense dhcpd[85579]: Copyright 2004-2018 Internet Systems Consortium.
                            Oct  3 23:20:08 pfSense dhcpd[85579]: Copyright 2004-2018 Internet Systems Consortium.
                            Oct  3 23:20:08 pfSense dhcpd[85579]: All rights reserved.
                            Oct  3 23:20:08 pfSense dhcpd[85579]: All rights reserved.
                            

                            but from the gui i'm unable to see any log (i see only rfc3164), i think that log filters also need to be adjusted based on rfc selected. and ... well ... that's not easy for me 😂


                            1 Reply Last reply Reply Quote 0
                            • jimpJ Offline
                              jimp Rebel Alliance Developer Netgate
                              last edited by

                              Finally had time to pivot back to this one. I pushed a fix that seems to do a decent job of parsing dynamically, even when the logs contain a mix of entries in different formats.

                              It should show up in snapshots soon.

                              https://redmine.pfsense.org/issues/9808
                              https://github.com/pfsense/pfsense/commit/b16c3a12c61c117e9c8140b115efc7f9acea96c5


                              arrmoA 2 Replies Last reply Reply Quote 4
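
The mixed-format parsing described in the post above, sketched as an added example (this is not pfSense's code, which is in the linked commit): each line is tried as RFC 5424 first and then as RFC 3164, and both are normalised into one record. The names `parse_line` and `assume_year`, the record fields and the last sample line are assumptions made for this example.

```python
import re
from datetime import datetime

FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp "
              "audit alert clock local0 local1 local2 local3 local4 local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424 = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (?P<msg>.*))?$')
# RFC 3164 (BSD): [<PRI>]Mmm dd hh:mm:ss HOST TAG[PID]: MSG  (colon optional, some relays drop it)
RFC3164 = re.compile(
    r'^(?:<(?P<pri>\d{1,3})>)?(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<app>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:? (?P<msg>.*)$')

def parse_line(line, assume_year=2019):
    """Parse one line in either format into a common record; None if neither matches."""
    line = line.strip()
    m, fmt = RFC5424.match(line), "rfc5424"
    if not m:
        m, fmt = RFC3164.match(line), "rfc3164"
    if not m:
        return None
    f = m.groupdict()
    rec = {"format": fmt, "host": f["host"], "app": f["app"], "msg": f["msg"] or "",
           "pid": None if f["pid"] in (None, "-") else f["pid"],  # "-" is the 5424 NILVALUE
           "facility": None, "severity": None}
    if f["pri"] is not None and int(f["pri"]) <= 191:  # PRI = facility * 8 + severity
        fac, sev = divmod(int(f["pri"]), 8)
        rec["facility"], rec["severity"] = FACILITIES[fac], SEVERITIES[sev]
    if fmt == "rfc5424":
        ts = f["ts"].replace("Z", "+00:00")
        rec["time"] = None if ts == "-" else datetime.fromisoformat(ts)
    else:  # RFC 3164 carries no year or zone: the year is the caller's assumption
        ts = " ".join(f["ts"].split())
        rec["time"] = datetime.strptime(f"{assume_year} {ts}", "%Y %b %d %H:%M:%S")
    return rec

# Sample input: the first three lines are in the formats quoted in the thread, the last is constructed.
SAMPLE = [
    "<190>1 2019-10-03T23:19:39.587172+02:00 pfSense.localdomain dhcpd 57488 - - Server starting service.",
    "Oct  3 23:20:08 pfSense dhcpd[85579]: All rights reserved.",
    "Oct  3 23:19:39 pfSense.localdomain radvd[28029] resuming normal operation",
    r'<34>1 2019-10-03T23:19:40Z fw sshd - ID47 [ex@32473 k="a\]b"] constructed line',
]

if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE):
        print(rec["format"], rec["host"], rec["app"], rec["pid"], rec["severity"], rec["time"], rec["msg"])
```

RFC 5424 timestamps come back timezone-aware while RFC 3164 ones are naive, so attach a zone to the latter before comparing or sorting across formats.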
                              • arrmoA Offline
                                arrmo @jimp
                                last edited by

                                @jimp Awesome, thanks! Will give it a try once it's in a snapshot. Much appreciated!

                                1 Reply Last reply Reply Quote 0
                                • arrmoA Offline
                                  arrmo @jimp
                                  last edited by

                                  @jimp Seems to be working - thanks so much! Will keep an eye on it, let you know if I come across any issues. Much appreciated!

                                  1 Reply Last reply Reply Quote 0
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.