Question about log-format graylog/pfsense?
I'm trying to send log-messages from pfsense to a remote graylog server, which as of yet isn't entirely successful. All messages ends up having "filterlog" as source - which would be fine if it only was one firewall that was sending log messages to our graylog server, but with multiple firewalls logging to the same graylog server sorting and searching becomes a little bit difficult.
According to https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2 the format should be:
<timestamp><hostname>filterlog: <csv data="">But as far as I can see when I take a closer look at the message going over the wire the hostaname part seems to be missing.
Is there anyway that the filterlog/syslog can be convinced to insert the hostname of the sending host into a message before it is delivered to a remote log-server?</csv></hostname></timestamp>
The quoted format is for the local log, not remote logs.
Syslog always assumes the hostname from the source IP address or hostname, NOT from the log message data itself.
Your server should be classifying the sources by their IP address/hostname in some way, it shouldn't care about the message content identifying itself.
"filterlog" is the name of the daemon that made the log message.