
    System Logs Format (rsyslog)

    • stephenw10 Netgate Administrator

      Indeed it doesn't. I was suggesting exporting it to something else and converting there before sending it to the log analyser.

      I've never tried that myself.

      Steve

      • arrmo

        Ahh, OK - NP. Thanks for the idea! Will dig more.

        To be honest, if I go to v2.5 of pfSense the issue goes away (i.e. RFC5424 support is there, directly in syslog). Just not sure how stable v2.5 is.

        Thanks again.

        • stephenw10 Netgate Administrator @arrmo

          It's quite stable on x86-64. I've been running it for months on numerous boxes with no issues. It is still in dev though so the normal precautions apply etc... 😉

          Steve

          • arrmo

            No worries, understand the caveats, legal-ize, etc. ... LOL.

            Thanks! I may go this way - then of course need to see if I can tweak the output format (i.e. need to modify the syslogd options a bit, to output the needed format).

            Thanks again.

            • arrmo

              OK, shifted to v2.5, seem to have the new and improved version of syslogd ... :-). Meaning, the -O format option exists. Perfect!

              Now, how to modify the execution script to have this added to the command? I just need to find that.

              • arrmo

                Checked the output, working great now - thanks for all the help!

                Need to figure out the next step - would be nice to have this as a (GUI) option ... it's pretty simple. Just need to figure out how / where to suggest it.

                Thanks again.

                • kiokoman LAYER 8

                  i still see syslogd on my 2.5.0
                  you can place additional configuration files in /var/etc/syslog.d
                  best place to ask for new features is https://redmine.pfsense.org/

                  ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                  Please do not use chat/PM to ask for help
                  we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                  Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                  • stephenw10 Netgate Administrator

                    Yup or pull-requests directly in github: https://github.com/pfsense

                    Steve

                    • jimp Rebel Alliance Developer Netgate

                      I made an issue for it here: https://redmine.pfsense.org/issues/9808

                      Should be simple enough to code, I'll get to it before long, assuming someone doesn't send in a PR first.

                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!

                      • arrmo

                        Thanks! I was going to do that - just hadn't had a chance to yet.

                        • kiokoman LAYER 8

                          yes ... it was easy to add the gui function

                          the problem is that if i set rfc5424
                          remote syslog still works

                          [2.5.0-DEVELOPMENT][root@pfSense.localdomain]/usr/local/www: ps aux | grep syslogd
                          root  76833   0.0  0.1  11376   2836  -  Ss   23:18       0:00.03 /usr/sbin/syslogd -s -c -c -l /var/dhcpd/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf -O rfc5424
                          root  62262   0.0  0.1  11144   2636  0  S+   23:19       0:00.00 grep syslogd
                          [2.5.0-DEVELOPMENT][root@pfSense.localdomain]/usr/local/www: ps aux | grep syslogd
                          root  74853   0.0  0.1  11376   2836  -  Ss   23:20       0:00.07 /usr/sbin/syslogd -s -c -c -l /var/dhcpd/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf -O rfc3164
                          root   3527   0.0  0.1  11144   2636  0  S+   23:30       0:00.00 grep syslogd
                          

                          these are just examples
                          on my rsyslog server, there is only the hostname instead of the ip, it is able to filter the incoming log

                          Oct  3 23:19:39 pfSense.localdomain radvd[28029] resuming normal operation
                          Oct  3 23:19:55 pfSense.localdomain radvd[28029] IPv6 forwarding on interface seems to be disabled, but continuing anyway
                          Oct  3 23:19:55 pfSense.localdomain radvd[28029] message repeated 2 times: [IPv6 forwarding on interface seems to be disabled, but continuing anyway]
                          Oct  3 23:20:09 172.17.0.254 radvd[28029]: attempting to reread config file
                          Oct  3 23:20:09 172.17.0.254 radvd[28029]: IPv6 forwarding on interface seems to be disabled, but continuing anyway
                          Oct  3 23:20:09 172.17.0.254 radvd[28029]: message repeated 5 times: [ IPv6 forwarding on interface seems to be disabled, but continuing anyway]
                          

                          anyway this is what is written inside pfsense

                          <190>1 2019-10-03T23:19:39.586931+02:00 pfSense.localdomain dhcpd 57488 - - Listening on Socket/6/ix0/2001:470:26:5dc::/64
                          <190>1 2019-10-03T23:19:39.586942+02:00 pfSense.localdomain dhcpd 57488 - - Sending on   Socket/6/ix0/2001:470:26:5dc::/64
                          <190>1 2019-10-03T23:19:39.586942+02:00 pfSense.localdomain dhcpd 57488 - - Sending on   Socket/6/ix0/2001:470:26:5dc::/64
                          <190>1 2019-10-03T23:19:39.587172+02:00 pfSense.localdomain dhcpd 57488 - - Server starting service.
                          <190>1 2019-10-03T23:19:39.587172+02:00 pfSense.localdomain dhcpd 57488 - - Server starting service.
                          Oct  3 23:20:08 pfSense dhcpd[85579]: Internet Systems Consortium DHCP Server 4.4.1
                          Oct  3 23:20:08 pfSense dhcpd[85579]: Internet Systems Consortium DHCP Server 4.4.1
                          Oct  3 23:20:08 pfSense dhcpd[85579]: Copyright 2004-2018 Internet Systems Consortium.
                          Oct  3 23:20:08 pfSense dhcpd[85579]: Copyright 2004-2018 Internet Systems Consortium.
                          Oct  3 23:20:08 pfSense dhcpd[85579]: All rights reserved.
                          Oct  3 23:20:08 pfSense dhcpd[85579]: All rights reserved.
                          

                          but from the gui i'm unable to see any log (i see only rfc3164), i think that log filters also need to be adjusted based on rfc selected. and ... well ... that's not easy for me 😂

                          • jimp Rebel Alliance Developer Netgate

                            Finally had time to pivot back to this one. I pushed a fix that seems to do a decent job of parsing dynamically, even when the logs contain a mix of entries in different formats.

                            It should show up in snapshots soon.

                            https://redmine.pfsense.org/issues/9808
                            https://github.com/pfsense/pfsense/commit/b16c3a12c61c117e9c8140b115efc7f9acea96c5

                            arrmoA 2 Replies Last reply Reply Quote 4
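
A sketch of the per-line format detection the post above describes, for a log store that holds RFC 5424 and BSD (RFC 3164) entries side by side. This is an added example, not part of the thread and not the code from the linked pfSense commit; the names `parse_syslog`, `RFC5424`, `RFC3164` and `SAMPLE` are hypothetical, and structured-data matching is simplified.

```python
import re

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
# (simplified: structured data is matched loosely, escaped "]" is not handled)
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)"
    r"(?: (?P<msg>.*))?$"
)
# BSD / RFC 3164 as stored on disk: "Mmm dd hh:mm:ss host tag[pid]: msg".
# PRI is optional (absent in files) and so is the colon after the tag.
RFC3164 = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:? ?(?P<msg>.*)$"
)

def parse_syslog(line):
    """Detect the format of one line and return a normalized record."""
    line = line.rstrip("\n")
    for fmt, rx in (("rfc5424", RFC5424), ("rfc3164", RFC3164)):
        m = rx.match(line)
        if not m:
            continue
        rec = {"format": fmt, "timestamp": m["ts"], "host": m["host"],
               "app": m["app"], "pid": m["pid"], "msg": m["msg"] or ""}
        if rec["pid"] in (None, "-"):       # "-" is the RFC 5424 NILVALUE
            rec["pid"] = None
        if m["pri"] is not None:            # PRI = facility * 8 + severity
            rec["facility"], rec["severity"] = divmod(int(m["pri"]), 8)
        return rec
    # Never drop what cannot be parsed: keep it visible to the analyst.
    return {"format": "unknown", "msg": line}

# Constructed input: three lines taken from the excerpts earlier in the
# thread, plus one deliberately malformed line.
SAMPLE = [
    "<190>1 2019-10-03T23:19:39.587172+02:00 pfSense.localdomain dhcpd 57488 - - Server starting service.",
    "Oct  3 23:20:08 pfSense dhcpd[85579]: All rights reserved.",
    "Oct  3 23:19:39 pfSense.localdomain radvd[28029] resuming normal operation",
    "not a syslog line",
]

if __name__ == "__main__":
    for rec in map(parse_syslog, SAMPLE):
        print(rec)
```

Returning an `unknown` record instead of skipping the line keeps a format change on the sender from silently emptying the view, which is the symptom reported earlier in the thread.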
                              • arrmo @jimp

                              @jimp Awesome, thanks! Will give it a try once it's in a snapshot. Much appreciated!

                                • arrmo @jimp

                                @jimp Seems to be working - thanks so much! Will keep an eye on it, let you know if I come across any issues. Much appreciated!
