Interpreting the raw firewall log

chaycock

Is there a guide or information somewhere that explains how to interpret the raw firewall log entries that look like this:

9,16777216,,1000000103,em2,match,block,in,4,0x0,,128,6846,0,none,17,udp,63,192.168.20.100,192.168.20.1,57942,53,43

Thanks,
Carlton

Derelict

https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2

chaycock

Thank you, I totally missed that page.

chaycock

I was looking around the Status->System Log->Firewall log and noticed that you can have the system format the message in a much easier to read format for display.
Is there a way to get that formatted message sent out via syslog instead of just the raw one?  I have syslog configured and I am getting messages, they are just in the raw format, it would be much easier to see what is going on when glancing at syslog if I could get the system to send the formatted message instead of the raw one.

chaycock

I have another question regarding some of the fields.  So here is the start of a partial log entry:

71,16777216,,1000002665,em1

According to the documentation page, the fields would be as follows:

Rule Number=71
Sub rule number=16777216
Anchor=
Tracker=1000002665
Real interface=em1

So when looking at the firewalls in the GUI, how do I determine the rule number so I can correlate it to the log?
Also, what exactly is a 'sub rule' and why is the number so large?

Thanks,
Carlton

Derelict

Click on the icon at the left (usually a block) to get the tag.

doktornotor

@chaycock:

I was looking around the Status->System Log->Firewall log and noticed that you can have the system format the message in a much easier to read format for display.

I filed a bug finally. Since, this is an issue ~95% of threads here where firewall logs are required for debugging issues. https://redmine.pfsense.org/issues/7323

chaycock

Right, I agree, however, what I am asking is if there is a way to have this nicely formatted view sent via syslog instead of the raw view that currently gets sent.  I'm not really using the GUI to look at the logs, I use syslog, so I am interested in what is showing up there.

jimp

@chaycock:

Right, I agree, however, what I am asking is if there is a way to have this nicely formatted view sent via syslog instead of the raw view that currently gets sent.  I'm not really using the GUI to look at the logs, I use syslog, so I am interested in what is showing up there.

There isn't any way to have it send the formatted output via syslog. The raw output is what goes in syslog and then the GUI parses that into something more readable.

You might be able to lift the parsing code and adapt it for whatever you're using to view the logs on your syslog server.

@doktornotor:

I filed a bug finally. Since, this is an issue ~95% of threads here where firewall logs are required for debugging issues. https://redmine.pfsense.org/issues/7323

Since the hardware that was holding us back on that won't be supported on 2.4 (I'm looking at you, ALIX…) that can definitely be revisited. I'll have to see how it does on SG-1000 but it's likely acceptable there. I had initially insisted that option default to off because it was horribly slow on ALIX at the time it was introduced.

chaycock

There isn't any way to have it send the formatted output via syslog. The raw output is what goes in syslog and then the GUI parses that into something more readable.

I was afraid of that, but thanks for letting me know.