Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Remote syslog severity filtering

    Scheduled Pinned Locked Moved General pfSense Questions
    6 Posts 4 Posters 706 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      n3mmr
      last edited by

      I'd like to limit the log messages to send to my remote graylog server to only include certain severity levels, different for each log category.

      Can this be done in pfsense (on an sg3100) or do I have to filter on the input in Graylog?

      kiokomanK 1 Reply Last reply Reply Quote 0
      • kiokomanK
        kiokoman LAYER 8 @n3mmr
        last edited by

        @n3mmr
        maybe you can configure syslog-ng, it's an additional package

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        1 Reply Last reply Reply Quote 0
        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          That would really be the only option in pfSense itself but I'm not sure you can. There is no real 'severity' value used so you'd have to filter by keyword. If that's possible, I've never tried.

          It's expected that you filter on the syslog server to only show whatever you need at that time.

          Steve

          N 1 Reply Last reply Reply Quote 0
          • N
            n3mmr @stephenw10
            last edited by

            @stephenw10

            Anything emanating from the FreeBSD log system has the standard severity levels attached, and can be seen in graylog 2.

            The pfsense logs should OF COURSE use the severity level both for deciding what to log at all, what to send to a syslog server and for deciding if smtp notification is appropriate.

            1 Reply Last reply Reply Quote 0
            • stephenw10S
              stephenw10 Netgate Administrator
              last edited by

              Mmm, interesting I guess we just don't show that then. Learn something new everyday.

              It's not shown in the log files for individual messages so each file is assigned a severity? More research needed!

              Steve

              S 1 Reply Last reply Reply Quote 0
              • S
                Shawn321 @stephenw10
                last edited by

                @stephenw10
                Interesting indeed:
                pfSense can notify us: of expiring Certs, and after a reboot, but apparently not much more.
                Packages like arpwatch, nut, add notifications for ARP changes and UPS status.
                I just had a system with a failing disk send me an email about the reboot we performed, all the while it was logging fatal disk errors.
                Not only should pfSense be aware of syslog severity, we should be able to get notifications for crit, alert, emerg level entries so long as notification is still functioning.
                In response to above incident, I've been researching options:

                • remote syslog: every entry cleartext to an Internet host: nope
                • smartd: so close: smartmontools already installed, but cannot run the smartd daemon. (only covers disk errors)
                • zabbix-agent: package is not current. Zabbix svr on Internet: nope.

                Could probably accept the risk of cleartext remote syslog, if we could also filter Remote Syslog Contents by severity, in which case virtually nothing would be sent until there is a serious problem.

                May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): RES: 71 04 00 00 00 40 00 00 00 00 00
May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): ATA status: 71 (DRDY DF SERV ERR), error: 04 (ABRT )
May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): CAM status: ATA Status Error
May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): FLUSHCACHE48. ACB: ea 00 00 00 00 40 00 00 00 00 00 00
May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): Retrying command, 0 more tries remain
May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): RES: 71 04 00 00 00 40 00 00 00 00 00
May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): ATA status: 71 (DRDY DF SERV ERR), error: 04 (ABRT )
May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): CAM status: ATA Status Error
May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): FLUSHCACHE48. ACB: ea 00 00 00 00 40 00 00 00 00 00 00
May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): Error 5, Retries exhausted
                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.