Netgate Discussion Forum

    [HOWTO] pfSense logs to remote syslog server respecting RFC5424

    • koma

      Hello there.
      As stated in some posts in this forum (for example: https://forum.pfsense.org/index.php?topic=12143.msg66217;topicseen#msg66217 ) the syslogD is not respecting the RFC5424 standard.
      So exporting the pfSense syslog directly to another server could be messy (normally you will filter the log by sourceIP but behind a loadbalancer this could be a problem).

      The quick and dirty solution:

      1. Install syslog-ng from packages.
      2. Configure syslog-ng to listen on the DMZ/LAN interface on the port you like most (5140 by default is fine for me).
      3. Set the Remote syslog server #1 (from "Status: System logs: Settings") to point to the DMZ/LAN address (for me it is 192.168.0.1:5140).
      4. Go back to Services: Syslog-ng Advanced and add a new item as in the attachment.

        Obviously substitute the "my-remote-syslog-server" and port with what you actually need.
        ![Schermata 2015-08-14 alle 11.59.49.png](/public/imported_attachments/1/Schermata 2015-08-14 alle 11.59.49.png)
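The relay described in steps 2 to 4 above, as an added example in plain syslog-ng configuration syntax. It is not the attachment from the original post; the object names (`s_pfsense_local`, `d_remote_5424`) and the destination port are assumptions, and in the pfSense package the objects would be entered under Services: Syslog-ng Advanced.

```conf
# Added example, not the original poster's configuration.
# Object names below are hypothetical.

# Step 2: listen on the DMZ/LAN address that pfSense's own
# "Remote syslog server #1" setting points at (step 3).
source s_pfsense_local {
    network(
        ip("192.168.0.1")      # address used in the post
        port(5140)             # port used in the post
        transport("udp")
    );
};

# Step 4: re-emit the messages with the syslog() destination driver,
# which writes the RFC 5424 (IETF-syslog) message format.
destination d_remote_5424 {
    syslog(
        "my-remote-syslog-server"   # placeholder from the post
        port(514)                   # assumed port; use your collector's
        transport("udp")
    );
};

# Tie the local listener to the RFC 5424 destination.
log {
    source(s_pfsense_local);
    destination(d_remote_5424);
};
```

The listener accepts UDP from any host that can reach 192.168.0.1:5140, so limit that port with a firewall rule to the firewall itself.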
      • firewalluser

        rsyslog is a better bet, besides having all eggs in one basket is risky, especially if your fw gets pwnd, so some things like syslogs are best set to an individual syslog server.

        • andrsharov

          Hello!

          Can you re-upload the setting? It is desirable in text form, as attachments no longer download.

          Thanks!

          • flu

            @andrsharov
            I found that simply installing the syslog-ng package 1.15_3 on pfSense 2.4.4 changed the message format. I did not configure anything in syslog-ng, I did not even enable syslog-ng.
            Before installation of syslog-ng my input in Graylog did not recognize any messages from pfSense. After the installation they get recognized.

            • stephenw10 (Netgate Administrator)

              That option is in 2.5 already:
              https://redmine.pfsense.org/issues/9808
