Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    System Logs Format (rsyslog)

    Scheduled Pinned Locked Moved General pfSense Questions
    17 Posts 4 Posters 2.5k Views 4 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • arrmoA Offline
      arrmo
      last edited by

      Ahh, OK - NP. Thanks for the idea! Will dig more.

      To be honest, if I go to v2.5 of pfSense the issue goes away (i.e. RFC5424 support is there, directly in syslog). Just not sure how stable v2.5 is.

      Thanks again.

      stephenw10S 1 Reply Last reply Reply Quote 0
      • stephenw10S Offline
        stephenw10 Netgate Administrator @arrmo
        last edited by

        It's quite stable on x86-64. I've been running it for months on numerous boxes with no issues. Is is still in dev though so the normal precautions apply etc... 😉

        Steve

        1 Reply Last reply Reply Quote 1
        • arrmoA Offline
          arrmo
          last edited by

          No worries, understand the caveats, legal-ize, etc. ... LOL.

          Thanks! I may go this way - then of course need to see if I can tweak the output format (i.e. need to modify the syslogd options a bit, to output the needed format).

          Thanks again.

          1 Reply Last reply Reply Quote 0
          • arrmoA Offline
            arrmo
            last edited by

            OK, shifted to v2.5, seem to have the new and improved version of syslogd ... :-). Meaning, the -O format option exists. Perfect!

            Now, how to modify the execution script to have this added to the command? I just need to find that.

            1 Reply Last reply Reply Quote 0
            • arrmoA Offline
              arrmo
              last edited by

              Checked the output, working great now - thanks for all the help!

              Need to figure out the next step - would be nice to have this as a (GUI) option ... it's pretty simple. Just need to figure out how / where to suggest it.

              Thanks again.

              1 Reply Last reply Reply Quote 0
              • kiokomanK Offline
                kiokoman LAYER 8
                last edited by

                i still see syslogd on my 2.5.0
                you can place additional configuration files in /var/etc/syslog.d
                best place to ask for new features is https://redmine.pfsense.org/

                ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                Please do not use chat/PM to ask for help
                we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                1 Reply Last reply Reply Quote 0
                • stephenw10S Offline
                  stephenw10 Netgate Administrator
                  last edited by

                  Yup or pull-requests directly in github: https://github.com/pfsense

                  Steve

                  1 Reply Last reply Reply Quote 0
                  • jimpJ Offline
                    jimp Rebel Alliance Developer Netgate
                    last edited by

                    I made an issue for it here: https://redmine.pfsense.org/issues/9808

                    Should be simple enough to code, I'll get to it before long, assuming someone doesn't send in a PR first.

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    1 Reply Last reply Reply Quote 2
                    • arrmoA Offline
                      arrmo
                      last edited by

                      Thanks! I was going to do that - just hadn't had a chance to yet.

                      1 Reply Last reply Reply Quote 0
                      • kiokomanK Offline
                        kiokoman LAYER 8
                        last edited by kiokoman

                        yes ... it was easy to add the gui fuction

                        Immagine.jpg

                        the problem is that if i set rfc5424
                        remote syslog still work

                        [2.5.0-DEVELOPMENT][root@pfSense.localdomain]/usr/local/www: ps aux | grep syslogd
                        root  76833   0.0  0.1  11376   2836  -  Ss   23:18       0:00.03 /usr/sbin/syslogd -s -c -c -l /var/dhcpd/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf -O rfc5424
                        root  62262   0.0  0.1  11144   2636  0  S+   23:19       0:00.00 grep syslogd
                        [2.5.0-DEVELOPMENT][root@pfSense.localdomain]/usr/local/www: ps aux | grep syslogd
                        root  74853   0.0  0.1  11376   2836  -  Ss   23:20       0:00.07 /usr/sbin/syslogd -s -c -c -l /var/dhcpd/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf -O rfc3164
                        root   3527   0.0  0.1  11144   2636  0  S+   23:30       0:00.00 grep syslogd
                        

                        this are just example
                        on my rsyslog server, there is only the hostname instead of the ip, it is able to filter the incoming log

                        Oct  3 23:19:39 pfSense.localdomain radvd[28029] resuming normal operation
                        Oct  3 23:19:55 pfSense.localdomain radvd[28029] IPv6 forwarding on interface seems to be disabled, but continuing anyway
                        Oct  3 23:19:55 pfSense.localdomain radvd[28029] message repeated 2 times: [IPv6 forwarding on interface seems to be disabled, but continuing anyway]
                        Oct  3 23:20:09 172.17.0.254 radvd[28029]: attempting to reread config file
                        Oct  3 23:20:09 172.17.0.254 radvd[28029]: IPv6 forwarding on interface seems to be disabled, but continuing anyway
                        Oct  3 23:20:09 172.17.0.254 radvd[28029]: message repeated 5 times: [ IPv6 forwarding on interface seems to be disabled, but continuing anyway]
                        

                        anyway this is what is written inside pfsense

                        <190>1 2019-10-03T23:19:39.586931+02:00 pfSense.localdomain dhcpd 57488 - - Listening on Socket/6/ix0/2001:470:26:5dc::/64
                        <190>1 2019-10-03T23:19:39.586942+02:00 pfSense.localdomain dhcpd 57488 - - Sending on   Socket/6/ix0/2001:470:26:5dc::/64
                        <190>1 2019-10-03T23:19:39.586942+02:00 pfSense.localdomain dhcpd 57488 - - Sending on   Socket/6/ix0/2001:470:26:5dc::/64
                        <190>1 2019-10-03T23:19:39.587172+02:00 pfSense.localdomain dhcpd 57488 - - Server starting service.
                        <190>1 2019-10-03T23:19:39.587172+02:00 pfSense.localdomain dhcpd 57488 - - Server starting service.
                        Oct  3 23:20:08 pfSense dhcpd[85579]: Internet Systems Consortium DHCP Server 4.4.1
                        Oct  3 23:20:08 pfSense dhcpd[85579]: Internet Systems Consortium DHCP Server 4.4.1
                        Oct  3 23:20:08 pfSense dhcpd[85579]: Copyright 2004-2018 Internet Systems Consortium.
                        Oct  3 23:20:08 pfSense dhcpd[85579]: Copyright 2004-2018 Internet Systems Consortium.
                        Oct  3 23:20:08 pfSense dhcpd[85579]: All rights reserved.
                        Oct  3 23:20:08 pfSense dhcpd[85579]: All rights reserved.
                        

                        but from the gui i'm unable to see any log (i see only rfc3164) , i think that log filters also need to be adjusted based on rfc selected. and ... well ... that it's not easy for me 😂

                        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                        Please do not use chat/PM to ask for help
                        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                        1 Reply Last reply Reply Quote 0
                        • jimpJ Offline
                          jimp Rebel Alliance Developer Netgate
                          last edited by

                          Finally had time to pivot back to this one. I pushed a fix that seems to do a decent job of parsing dynamically, even when the logs contain a mix of entries in different formats.

                          It should show up in snapshots soon.

                          https://redmine.pfsense.org/issues/9808
                          https://github.com/pfsense/pfsense/commit/b16c3a12c61c117e9c8140b115efc7f9acea96c5

                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                          Need help fast? Netgate Global Support!

                          Do not Chat/PM for help!

                          arrmoA 2 Replies Last reply Reply Quote 4
                          • arrmoA Offline
                            arrmo @jimp
                            last edited by

                            @jimp Awesome, thanks! Will give it a try once it's in a snapshot. Much appreciated!

                            1 Reply Last reply Reply Quote 0
                            • arrmoA Offline
                              arrmo @jimp
                              last edited by

                              @jimp Seems to be working - thanks so much! Will keep an eye on it, let you know if I come across any issues. Much appreciated!

                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.