Disable 514 for internal syslog server



  • Hi! I've discovered that my pfsense install has udp/514 open on it by the internal/included syslog server. If I try to make syslog-ng use udp/514 it doesn't work because that port's already in use. I've searched around and couldn't find any way to disable udp/514 on the included default syslog server.

    Is there a way to make syslog-ng listen on udp/514? Is disabling udp/514 on the internal syslog server a bad idea?



  • @qwerty123 said in Disable 514 for internal syslog server:

    my pfsense install has udp/514 open on it by the internal/included syslog serve

    Open on it ? What ?

    I'm remote logging to a device on my LAN like 192.168.1.6 and have this:
    [image]
    ( 192.168.1.0/24 is my LAN)

    So it looks to me that the built-in syslog is actually listening on 192.168.1.1:514 UDP.
    Or, it should just send out UDP (only) packets.

    Try activating the remote syslog to some non-existing device, and use another interface.

    @qwerty123 said in Disable 514 for internal syslog server:

    Is there a way to make syslog-ng listen on udp/514?

    Well, probably not.
    Why install syslog-ng? Do you want to turn pfSense into a centralized networked syslog server?



  • I attempted to change the remote send to IP and port and it didn't make a difference.

    [2.4.4-RELEASE][admin@firewall.foo.foo]/root: sockstat -4 -l | grep -i 514
    root     syslogd    45077 9  udp4   *:514                 *:*
    root     syslog-ng  47829 20 udp4   10.0.110.1:5140       *:*
    [2.4.4-RELEASE][admin@firewall.foo.foo]/root: 
    
    

    I wanted to install syslog-ng because I have one small device that I want to send syslogs to something and didn't feel like installing syslog on yet another box...when I could just install it onto pfsense. My pfsense box is beefy enough to handle syslog traffic.



  • 514 UDP is just the default port.
    Using 5140 UDP for syslog-ng, and instructing your device accordingly, will do the job.



  • @gertjan said in Disable 514 for internal syslog server:

    514 UDP is just the default port.
    Using 5140 UDP for syslog-ng, and instructing your device accordingly, will do the job.

    Yup. I wanted to disable the syslogd listening on 514 and only make it listen to sockets. Unfortunately, the other device (the cheap one that would log infrequently) cannot change the port to 5140; just 514.

    And I'm also a bit surprised that pfsense configures it this way instead of with "-s -s" for secure mode, especially since the pfsense syslogd running shouldn't be handling logs from outside sources. (Use syslog-ng for that).



  • @qwerty123 said in Disable 514 for internal syslog server:

    cannot change the port to 5140; just 514

    Port NAT on LAN ?!

    @qwerty123 said in Disable 514 for internal syslog server:

    And I'm also a bit surprised that pfsense configures it this way instead of with "-s -s" for secure mode, especially since the pfsense syslogd running shouldn't be handling logs from outside sources. (Use syslog-ng for that).

    +1



  • @gertjan said in Disable 514 for internal syslog server:

    @qwerty123 said in Disable 514 for internal syslog server:

    cannot change the port to 5140; just 514

    Port NAT on LAN ?!

    Hehe. OK. I forgot about that. This problem is solved.

    @gertjan said in Disable 514 for internal syslog server:

    @qwerty123 said in Disable 514 for internal syslog server:

    And I'm also a bit surprised that pfsense configures it this way instead of with "-s -s" for secure mode, especially since the pfsense syslogd running shouldn't be handling logs from outside sources. (Use syslog-ng for that).

    +1

    While I solved my problem, I'm still curious to know about the installed syslogd server listening on a network port. Things that I have logging to it are using a file socket. Maybe I'll submit an enhancement request for this one.
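
Added example, not part of any post in this thread: a small check that reads `sockstat -4 -l` output and reports daemons bound to the wildcard address on a given port, which is the condition shown for syslogd on udp/514 above. It assumes the FreeBSD sockstat column layout seen in the thread; the function names are hypothetical, and the sample input is the two lines posted above.

```shell
#!/bin/sh
# Added example: flag daemons bound to the wildcard address on a given port,
# reading `sockstat -4 -l` output (FreeBSD column layout) from stdin.
# Columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS

# Print "command pid proto local-address" for every listener on PORT.
listeners_on_port() {
    port="$1"
    awk -v port="$port" '
        NF >= 6 {
            n = split($6, a, ":")      # local address is "addr:port"
            if (a[n] == port) print $2, $3, $5, $6
        }'
}

# Print "command pid proto" only for listeners bound to "*:PORT".
wildcard_listeners() {
    listeners_on_port "$1" | awk '$4 ~ /^\*:/ { print $1, $2, $3 }'
}

# Return 1 (and print a finding) when PORT is open on all interfaces.
check_port() {
    found=$(wildcard_listeners "$1")
    if [ -n "$found" ]; then
        printf 'wildcard listener on port %s: %s\n' "$1" "$found"
        return 1
    fi
    return 0
}

# Sample input: the two sockstat lines posted earlier in this thread.
SAMPLE='root     syslogd    45077 9  udp4   *:514                 *:*
root     syslog-ng  47829 20 udp4   10.0.110.1:5140       *:*'

# On a live box: sockstat -4 -l | check_port 514
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | check_port 514 || true
    printf '%s\n' "$SAMPLE" | check_port 5140 &&
        echo "5140: bound to a specific address only"
fi
```

Run with `--demo` to see the result for the thread's sample; syslogd is reported for port 514, while syslog-ng on 10.0.110.1:5140 is not, because it is bound to a single interface address.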



  • @qwerty123 I am having sort of a similar problem with the display of the logs on ArcSight. I don't know how to get them to display accordingly on it.


  • Netgate Administrator

    That seems like you're trying to export the pfSense logs..... which is completely different to the issue here. Please start a new thread.

    Steve