Setup remote syslog: Can't receive any log from pfSense
-
Hi, as the topic
My environment:
- pfSense 2.4.5 - 192.168.1.23
- rSyslog Server : CentOS 7.5 - 192.168.1.17
rsyslog.conf:
    $ModLoad imudp
    $UDPServerRun 514
    $template RemoteServer, "/var/log/%fromhost-ip%/%SYSLOGFACILITY-TEXT%.log"
    *.* ?RemoteServer
    & ~
ss -tulnp | grep "rsyslog"
    udp UNCONN 0 0 *:514 *:* users:(("rsyslogd",pid=28634,fd=3))
    udp UNCONN 0 0 [::]:514 [::]:* users:(("rsyslogd",pid=28634,fd=4))
Config on pfSense
If you know any solution to check & resolve that issue please share with me
Thanks & Regards
-
Hi,
I just tried it.
I have an old Debian 8.11 server.
I found
    # $ModLoad imudp
    # $UDPServerRun 514
in the /etc/rsyslog.conf file, I removed the "# " and restarted rsyslogd.
Added the IP 188.165.2x1.1x3 of my Debian server to the list of remote servers for pfSense 2.4.5 :
192.168.1.4 is a Windows 2018 server running the Kiwi remote logger for pfSense, locally on LAN.
That's all I did.
I tested on pfSense
[2.4.5-RELEASE][admin@pfsense.my-local-domainl.net]/root: logger test
This is what I saw on the Debian remote rsyslog server ( tail -f /var/log/messages ) :
May 22 08:38:57 lmontsouris-659-1-108-244.w32-117.abo.wanadoo.fr admin: test
and more log lines added up quickly.
Btw : this was the fast and thus dirty test : my server is now open to receive log from entire planet earth ^^
-
Hi, I don't see you specify a port in the pfSense config. Is it possible?
-
@tienpro113396 said in Setup remote syslog: Can't receive any log from pfSense:
Is it possible?
The port - as shown between brackets [] - has the default 514 value.
-
I checked the /var/log folder, but there is nothing here.
-
ls ?
That shows file names, hiding all the other extremely useful details.
I would use 'll' (which is my alias to ls -al)
Even better would be "ls -alt" which puts the last modified file on top.
Or, as I did, tail the "messages".
Admins spend half their lives tailing files (no joke here).
To be honest : I did not even look or check where rsyslogd would place logs coming from "outside" syslog clients ...
Maybe a default log file doesn't exist on your OS/install, and it would have to be set up by you first.
Anyway.
All depends how the rsyslog process is set up.
Info can be found in /etc/rsyslog.conf.
Probably in /etc/default/rsyslogd
Probably in /etc/rsyslog.d/
Note also that my Debian is 'old' (version 8.11) and that more recent packages of rsyslogd could exist (Debian is known as conservative).
It's a matter of reading the 'man' pages I guess.
-
I use CentOS 7.
And my config here
    $template RemoteServer, "/var/log/%fromhost-ip%/%SYSLOGFACILITY-TEXT%.log"
    *.* ?RemoteServer
    & ~
will create a dir with the IP. After configuring and restarting the service I don't see any dir named 192.168.1.23
-
Before adding nifty stuff, first, get the basics working.
-
My rsyslog.conf under Ubuntu, rsyslogd 8.32.0:
    # provides UDP syslog reception
    module(load="imudp" timeRequery="8" batchSize="128" threads="2") # needs to be done just once
    input(type="imudp" port="514")
    if $programname == 'dhcpd' then /var/log/pfsense-dhcpd.log
    & stop
cat /var/log/pfsense-dhcpd.log
    May 20 19:29:37 172.16.0.254 dhcpd: Internet Systems Consortium DHCP Server 4.4.1
    May 20 19:29:37 172.16.0.254 dhcpd: Copyright 2004-2018 Internet Systems Consortium.
    May 20 19:29:37 172.16.0.254 dhcpd: All rights reserved.
    May 20 19:29:37 172.16.0.254 dhcpd: For info, please visit https://www.isc.org/software/dhcp/
    May 20 19:29:37 172.16.0.254 dhcpd: Config file: /etc/dhcpdv6.conf
    May 20 19:29:37 172.16.0.254 dhcpd: Database file: /var/db/dhcpd6.leases
    May 20 19:29:37 172.16.0.254 dhcpd: PID file: /var/run/dhcpdv6.pid
You also need to check the CentOS firewall/SELinux.
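
As an added example (not code from any poster in this thread): a small Python receiver that shows which file the `/var/log/%fromhost-ip%/%SYSLOGFACILITY-TEXT%.log` template from the thread would map a UDP datagram to, and rejects senders outside an allowlist so the listener is not open to every source. The test port 5514, the allowlist contents and the sample message are assumptions constructed for illustration.

```python
import ipaddress
import re
import socket
from typing import List, Optional

# Facility names by code (RFC 3164 numbering; labels for codes 12-15 vary by implementation).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              *[f"local{i}" for i in range(8)]]
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def facility_of(datagram: bytes) -> str:
    """Facility name from the leading <PRI>; a missing or out-of-range PRI counts as 13 (user.notice)."""
    m = PRI_RE.match(datagram)
    pri = int(m.group(1)) if m else 13
    if pri > 191:
        pri = 13
    return FACILITIES[pri >> 3]  # PRI = facility * 8 + severity


def destination(datagram: bytes, sender_ip: str, allowed: List[str]) -> Optional[str]:
    """Path the thread's template would expand to, or None if the sender is not allowed."""
    addr = ipaddress.ip_address(sender_ip)
    if not any(addr in ipaddress.ip_network(net) for net in allowed):
        return None
    return f"/var/log/{addr}/{facility_of(datagram)}.log"


def listen(port: int, allowed: List[str]) -> None:
    """Print sender, destination and payload per datagram; silence means nothing reached the host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            data, (ip, _) = sock.recvfrom(8192)
            print(ip, destination(data, ip, allowed) or "REJECTED", data[:80])


if __name__ == "__main__":
    # Constructed sample: what `logger test` sends by default (user.notice = <13>).
    sample = b"<13>May 22 08:38:57 pfsense admin: test"
    print(destination(sample, "192.168.1.23", ["192.168.1.23/32"]))
    print(destination(sample, "203.0.113.9", ["192.168.1.23/32"]))
    listen(5514, ["192.168.1.23/32"])  # 5514 is an arbitrary unprivileged test port
```

If the listener prints nothing while pfSense is pointed at it, the datagrams are being dropped before they reach the process, which points at the host firewall rather than the rsyslog template.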