Netgate Discussion Forum

    Remote syslog not working

    General pfSense Questions
    8 Posts, 2 Posters, 2.2k Views
    Heisenberg1977

      I'm banging my head against the wall trying to set up remote syslog, sending to my "Security Onion" VM.

      On the SO VM syslog-ng is listening on port 514:

      heisenberg@SO:/var$ sudo netstat -lnptu | grep syslog
      tcp        0      0 0.0.0.0:514            0.0.0.0:*              LISTEN      32649/syslog-ng
      udp        0      0 0.0.0.0:514            0.0.0.0:*

      I allowed both UDP/TCP for troubleshooting purposes. From another machine on the same subnet I am able to perform a successful telnet test, but when using the "Test Port" feature of pfSense it reports back "Connection Failed".

      My SO VM is running in Virtualbox on a Linux MINT host using a bridged connection on a dedicated NIC.

      Has anybody had any luck setting up a similar configuration?

      BBcan177 (Moderator)

        For SO did you open up the port etc in UFW?

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        Heisenberg1977

          Yes, I actually opened both TCP and UDP from anywhere for troubleshooting purposes:

          Status: active

          To                        Action      From
          --                        ------      ----
          22/tcp                    ALLOW      Anywhere
          514/udp                    ALLOW      Anywhere
          514/tcp                    ALLOW      Anywhere
          22/tcp (v6)                ALLOW      Anywhere (v6)
          514/udp (v6)              ALLOW      Anywhere (v6)
          514/tcp (v6)              ALLOW      Anywhere (v6)

          Heisenberg1977

            The strange thing is that I don't believe the data is reaching Security Onion. I can telnet to 514 from another box on my LAN while running tcpdump on SO's eth0 interface and see activity. Performing a "Test Port" or ping from pfSense fails. All machines are on the same LAN. Seriously frustrating!

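            A self-contained way to run the end-to-end check this post describes (send a BSD-syslog datagram and confirm the bytes arrive and parse), added here as an example and not code from the thread, pfSense or Security Onion. It assumes pfSense's filterlog messages are logged at local0.info; the sample line is constructed, and `send_udp` can be pointed at the real collector once the loopback run passes.

```python
import re
import socket
from datetime import datetime

# Constructed sample: a pfSense filterlog payload (assumed facility local0, severity info).
SAMPLE_HOST = "pfSense"
SAMPLE_TAG = "filterlog"
SAMPLE_MSG = "5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,10.0.0.5,10.0.0.1,51515,22"

FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "local0": 16, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4, "notice": 5, "info": 6, "debug": 7}


def build_rfc3164(facility, severity, hostname, tag, msg, when=None):
    """Format one BSD-syslog (RFC 3164) line: <PRI>TIMESTAMP HOST TAG: MSG."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    when = when or datetime.now()
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # day is space-padded per RFC 3164
    return f"<{pri}>{ts} {hostname} {tag}: {msg}"


_RFC3164 = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[\s]+)(?:\[\d+\])?: ?(.*)$", re.S)


def parse_rfc3164(line):
    """Split a received line back into PRI (facility/severity), timestamp, host, tag, msg."""
    m = _RFC3164.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2),
            "hostname": m.group(3), "tag": m.group(4), "msg": m.group(5)}


def send_udp(line, host, port=514):
    """Send one syslog line as a UDP datagram (the transport pfSense uses by default)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (host, port))


def loopback_check(line, timeout=2.0):
    """Bind a throwaway UDP listener on 127.0.0.1, send the line to it, and return
    the parsed datagram: the same receive-and-inspect test as tcpdump on the collector."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(timeout)
        send_udp(line, "127.0.0.1", rx.getsockname()[1])
        data, _ = rx.recvfrom(65535)
    return parse_rfc3164(data.decode())
```

If the loopback run parses but the collector still shows nothing, the problem is on the path (hypervisor bridge, firewall) rather than in the syslog format.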
              Heisenberg1977

              I'm starting to think the problem is with Virtualbox. A simple ping test from pfSense works successfully to the physical hosts on my network. But pinging the IP assigned to the SO guest fails. I just started running Virtualbox on a Linux host recently so I'm not sure if there is something that I need to configure on a bridged connection to allow incoming traffic.

                Heisenberg1977

                I started cycling through different adapter names while the SO VM remained running (eno1, enp1s0) and my tcpdump is now detecting activity on Port 514.

                I started ELSA and checked various locations. The only activity that I see is on the loopback address (127.0.0.1). How do I see syslog in ELSA?

                  BBcan177 (Moderator)

                  Are you using the latest SO release? I assume that it has the pfSense log parser code for the applicable pfSense version you are using. I would submit a question in their forum.

                  https://groups.google.com/forum/#!forum/security-onion


                    Heisenberg1977

                    I am running the latest versions of both SO (v.14.04.5.2) & pfSense (v.2.3.3).
                    @BBCAN177 did you have to change settings in any config file, or should ELSA be able to automatically detect the source?

                    I posed a question in the SO forums. Pending response.

                    Thx

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.