@JonathanLee said in UNOFFICIAL GUIDE: Have Package Logs Record to a secondary SSD drive Snort Syslog Squid and or Squid cache system:

ln -s -F /nvme/LOGS_Optane/snort /var/log/snort

Also you can do this with suricata.

/var/log/suricata remove this mkdir /nvme/LOGS_Optane/suricata ln -s -F /nvme/LOGS_Optane/suricata /var/log/suricata

@keyser thank you that fixed it

I know what your thinking, Big deal, I got logs in pfSense,

But here the issue is, most often you will be running your AP in bridge mode and having pfSense hand out the DHCP addresses, and if your in bridge mode not much info on whats connecting to the NAS internally behind the firewall is ever seen on the firewall logs. This gives you a level of visibility not normally seen within pfSense unless it is configured. Again if you can do it with one AP you can do it with an alias for many APs on a bigger network. This gives you more information into possibile mac spoofing and unauthorized access. If you use remote access and Dynamic DNS for your network, you can see the firewall logs and the AP logs as well.

Depending on what interface your Cisco WAP is on, you may need to add the proper firewall rules on that interface in pfSense. The default rules for the LAN are usually "allow all in" on the interface, but other interfaces or VLANs you create would not have that same default. So you would need to explicitly allow the syslog-ng traffic.

I've never used the syslog-ng package on pfSense, but there may also be some security settings within the package that you need to adjust in order to allow remote devices (your Cisco WAP, for example) to log to the service.

@oleg-blecher said in syslog-ng not starting:

Undefined symbol "g_ptr_array_find_with_equal_func"

if you have that error after the update it means that everything was not successful

try from console

pkg install --force glib-2.56.3_7,1

or backup your config and do a clean install of 2.4.5 and restore

that error it's due to a mismatch between lib and syslog-ng