Netgate Discussion Forum
    Remote syslog severity filtering

    6 Posts 4 Posters 704 Views
    n3mmr:

      I'd like to limit the log messages to send to my remote graylog server to only include certain severity levels, different for each log category.

      Can this be done in pfsense (on an sg3100) or do I have to filter on the input in Graylog?


    kiokoman (LAYER 8) @n3mmr:

        @n3mmr
        Maybe you can configure syslog-ng; it's an additional package.


        stephenw10 (Netgate Administrator):

          That would really be the only option in pfSense itself, but I'm not sure you can. There is no real 'severity' value used, so you'd have to filter by keyword. If that's possible, I've never tried.

          It's expected that you filter on the syslog server to only show whatever you need at that time.

          Steve


          n3mmr @stephenw10:

            @stephenw10

            Anything emanating from the FreeBSD log system has the standard severity levels attached, and can be seen in graylog 2.

            The pfsense logs should OF COURSE use the severity level both for deciding what to log at all, what to send to a syslog server and for deciding if smtp notification is appropriate.


            stephenw10 (Netgate Administrator):

              Mmm, interesting. I guess we just don't show that then. Learn something new every day.

              It's not shown in the log files for individual messages, so each file is assigned a severity? More research needed!

              Steve


              Shawn321 @stephenw10:

                @stephenw10
                Interesting indeed:
                pfSense can notify us of expiring certs and after a reboot, but apparently not much more.
                Packages like arpwatch and nut add notifications for ARP changes and UPS status.
                I just had a system with a failing disk send me an email about the reboot we performed, all the while it was logging fatal disk errors.
                Not only should pfSense be aware of syslog severity, we should be able to get notifications for crit, alert, emerg level entries so long as notification is still functioning.
                In response to the above incident, I've been researching options:

                • remote syslog: every entry cleartext to an Internet host: nope
                • smartd: so close: smartmontools already installed, but cannot run the smartd daemon. (only covers disk errors)
                • zabbix-agent: package is not current. Zabbix svr on Internet: nope.

                Could probably accept the risk of cleartext remote syslog, if we could also filter Remote Syslog Contents by severity, in which case virtually nothing would be sent until there is a serious problem.

                May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): RES: 71 04 00 00 00 40 00 00 00 00 00
                May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): ATA status: 71 (DRDY DF SERV ERR), error: 04 (ABRT )
                May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): CAM status: ATA Status Error
                May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): FLUSHCACHE48. ACB: ea 00 00 00 00 40 00 00 00 00 00 00
                May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): Retrying command, 0 more tries remain
                May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): RES: 71 04 00 00 00 40 00 00 00 00 00
                May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): ATA status: 71 (DRDY DF SERV ERR), error: 04 (ABRT )
                May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): CAM status: ATA Status Error
                May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): FLUSHCACHE48. ACB: ea 00 00 00 00 40 00 00 00 00 00 00
                May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): Error 5, Retries exhausted
                
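                To make concrete what n3mmr asked for at the top of the thread and what Shawn321 wants here (forward almost nothing until something serious happens, with a different threshold per log category), the script below is an added example of mine; it is not pfSense, syslog-ng or Graylog code. It shows where the severity stephenw10 could not find actually lives: every datagram that syslogd sends to a remote host starts with a `<PRI>` field, and PRI = facility * 8 + severity, so a receiver or relay can recover both fields even though the Status > System Logs pages never display them. The sample lines, including their PRI values and the kernel lines modelled on Shawn321's disk errors, are constructed for the example, and the per-facility policy is an assumption to illustrate the mechanism.

```python
"""Per-facility severity filtering of remote syslog traffic, done the way a
receiver or relay would do it. Added example; not pfSense/syslog-ng/Graylog code."""
import re
from typing import Dict, List, Optional, Tuple

# Facility codes 0..23 and severity codes 0..7 from RFC 3164 / RFC 5424.
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp"]
              + [f"reserved{i}" for i in range(12, 16)]
              + [f"local{i}" for i in range(8)])
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Constructed sample of what a pfSense/FreeBSD box emits over remote syslog.
# PRI values are assumed for the example (134 = local0.info is what filterlog
# uses on a default pfSense install; the kernel/sshd levels are illustrative).
SAMPLE_MESSAGES = [
    "<134>May  2 14:39:58 pfsense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.0.2.10,198.51.100.5,51234,22",
    "<14>May  2 14:40:01 pfsense php-fpm[345]: /index.php: Successful login for user 'admin' from: 192.0.2.10",
    "<4>May  2 14:40:07 pfsense kernel: (ada0:ahcich1:0:0:0): CAM status: ATA Status Error",
    "<5>May  2 14:40:07 pfsense kernel: (ada0:ahcich1:0:0:0): Retrying command, 0 more tries remain",
    "<2>May  2 14:40:07 pfsense kernel: (ada0:ahcich1:0:0:0): Error 5, Retries exhausted",
    "<36>May  2 14:41:00 pfsense sshd[555]: error: maximum authentication attempts exceeded for admin from 192.0.2.10 port 40000 ssh2",
    "<46>May  2 14:41:10 pfsense syslogd: restart",
    "May  2 14:41:11 pfsense kernel: line with no PRI prefix (as copied from the GUI)",
]

# Assumed policy: per-facility threshold, everything else falls back to `default`.
# Lower severity numbers are MORE urgent, so "crit" means emerg/alert/crit pass.
POLICY: Dict[str, str] = {"kern": "crit", "auth": "notice"}


def decode_pri(message: str) -> Optional[Tuple[str, str, str]]:
    """Split '<PRI>rest' into (facility_name, severity_name, rest).

    PRI = facility * 8 + severity, so divmod recovers both numbers.
    Returns None when the line has no PRI or an out-of-range one."""
    m = PRI_RE.match(message)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        return None
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], m.group(2)


def should_forward(facility: str, severity: str,
                   policy: Dict[str, str], default: str) -> bool:
    """True when the message is at least as severe as its facility's threshold."""
    threshold = policy.get(facility, default)
    return SEVERITIES.index(severity) <= SEVERITIES.index(threshold)


def filter_for_forwarding(messages: List[str], policy: Dict[str, str],
                          default: str = "err"):
    """Partition raw lines into (forwarded, dropped, unparsable).

    forwarded/dropped hold (facility, severity, text) tuples; unparsable holds
    the raw lines that carried no usable PRI and therefore cannot be classified."""
    forwarded, dropped, unparsable = [], [], []
    for raw in messages:
        decoded = decode_pri(raw)
        if decoded is None:
            unparsable.append(raw)
            continue
        facility, severity, text = decoded
        bucket = forwarded if should_forward(facility, severity, policy, default) else dropped
        bucket.append((facility, severity, text))
    return forwarded, dropped, unparsable


if __name__ == "__main__":
    fwd, drp, bad = filter_for_forwarding(SAMPLE_MESSAGES, POLICY, default="err")
    for facility, severity, text in fwd:
        print(f"FORWARD {facility}.{severity}: {text}")
    print(f"dropped={len(drp)} unparsable={len(bad)}")
```

                With the policy above only the kernel "Retries exhausted" line (kern.crit) and the sshd line (auth.warning) get through; the filterlog, login, notice-level kernel retries and syslogd restart are held back. The same policy can be expressed in syslog-ng, the package kiokoman mentioned, with its facility() and level() filter functions in front of the remote destination, and the unparsable bucket is the check worth keeping: a line without a PRI (for example one pasted from the GUI rather than captured off the wire) has no severity to filter on, which is exactly the gap stephenw10 ran into.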
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.