Netgate Discussion Forum

Remote syslog severity filtering

General pfSense Questions
6 Posts 4 Posters 752 Views
  • n3mmr
    last edited by Jan 16, 2021, 1:25 PM

    I'd like to limit the log messages to send to my remote graylog server to only include certain severity levels, different for each log category.

    Can this be done in pfSense (on an SG-3100), or do I have to filter on the input in Graylog?

    • kiokoman LAYER 8 @n3mmr
      last edited by Jan 16, 2021, 5:04 PM

      @n3mmr
      Maybe you can configure syslog-ng; it's an additional package.


      • stephenw10 Netgate Administrator
        last edited by Jan 16, 2021, 8:54 PM

        That would really be the only option in pfSense itself but I'm not sure you can. There is no real 'severity' value used so you'd have to filter by keyword. If that's possible, I've never tried.

        It's expected that you filter on the syslog server to only show whatever you need at that time.

        Steve

        • n3mmr @stephenw10
          last edited by Jan 17, 2021, 1:33 PM

          @stephenw10

          Anything emanating from the FreeBSD log system has the standard severity levels attached, and they can be seen in Graylog 2.

          The pfSense logs should OF COURSE use the severity level both for deciding what to log at all, what to send to a syslog server, and for deciding if SMTP notification is appropriate.

          • stephenw10 Netgate Administrator
            last edited by Jan 17, 2021, 6:29 PM

            Mmm, interesting. I guess we just don't show that then. Learn something new every day.

            It's not shown in the log files for individual messages, so each file is assigned a severity? More research needed!

            Steve

            • Shawn321 @stephenw10
              last edited by 24 days ago

              @stephenw10
              Interesting indeed:
              pfSense can notify us of expiring certs and after a reboot, but apparently not much more.
              Packages like arpwatch and nut add notifications for ARP changes and UPS status.
              I just had a system with a failing disk send me an email about the reboot we performed, all the while it was logging fatal disk errors.
              Not only should pfSense be aware of syslog severity, we should be able to get notifications for crit, alert, and emerg level entries so long as notification is still functioning.
              In response to the above incident, I've been researching options:

              • remote syslog: every entry in cleartext to an Internet host: nope
              • smartd: so close: smartmontools is already installed, but the smartd daemon cannot be run (and it only covers disk errors)
              • zabbix-agent: the package is not current. Zabbix server on the Internet: nope.

              I could probably accept the risk of cleartext remote syslog if we could also filter Remote Syslog Contents by severity, in which case virtually nothing would be sent until there is a serious problem.

              May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): RES: 71 04 00 00 00 40 00 00 00 00 00
              May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): ATA status: 71 (DRDY DF SERV ERR), error: 04 (ABRT )
              May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): CAM status: ATA Status Error
              May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): FLUSHCACHE48. ACB: ea 00 00 00 00 40 00 00 00 00 00 00
              May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): Retrying command, 0 more tries remain
              May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): RES: 71 04 00 00 00 40 00 00 00 00 00
              May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): ATA status: 71 (DRDY DF SERV ERR), error: 04 (ABRT )
              May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): CAM status: ATA Status Error
              May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): FLUSHCACHE48. ACB: ea 00 00 00 00 40 00 00 00 00 00 00
              May 2 14:40:07	kernel		(ada0:ahcich1:0:0:0): Error 5, Retries exhausted
              
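What the two requests in this thread amount to (n3mmr's per-category severity threshold, Shawn321's "notify me on crit/alert/emerg and send almost nothing otherwise") is a small policy over the syslog PRI header, where PRI = facility * 8 + severity. The following is an added, stand-alone example written for this page; it is not code from the posters, from pfSense, or from the syslog-ng package. The sample log lines and their PRI values are constructed for illustration (the disk-error text echoes Shawn321's kernel messages, but the PRI a real FreeBSD subsystem assigns is not claimed here), and the `POLICY` table is a made-up policy, not a recommendation for any particular deployment.

```python
import re

# Syslog severity names indexed by numeric code (0 = most severe, 7 = least).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Facility names indexed by numeric code, following FreeBSD <sys/syslog.h>.
# Codes 13-15 have different names in RFC 3164 and are labelled by number.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "facility13", "facility14",
              "facility15", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Split the <PRI> header of a syslog line into (facility, severity) names.

    PRI = facility * 8 + severity, so facility = PRI >> 3 and severity = PRI & 7.
    Returns None when the line has no valid PRI (PRI must be 0..191).
    """
    m = PRI_RE.match(line)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def should_forward(line, policy, default="err"):
    """True if the line is at least as severe as the threshold for its facility.

    policy maps facility name -> least severe level still worth forwarding;
    facilities not listed fall back to `default`. Lines without a PRI are
    forwarded so that a malformed message is never silently dropped.
    """
    decoded = decode_pri(line)
    if decoded is None:
        return True
    facility, severity = decoded
    threshold = policy.get(facility, default)
    return SEVERITIES.index(severity) <= SEVERITIES.index(threshold)


def needs_notification(line, worst_ignored="err"):
    """True for entries strictly more severe than `worst_ignored`.

    With the default, that is exactly emerg, alert and crit.
    """
    decoded = decode_pri(line)
    return decoded is not None and SEVERITIES.index(decoded[1]) < SEVERITIES.index(worst_ignored)


def triage(lines, policy, default="err"):
    """Return (lines_to_forward, lines_to_notify) for a batch of syslog messages."""
    forward = [ln for ln in lines if should_forward(ln, policy, default)]
    notify = [ln for ln in lines if needs_notification(ln)]
    return forward, notify


# Constructed sample messages; the PRI values are illustrative only.
SAMPLE_LINES = [
    "<2>May  2 14:40:07 fw kernel: (ada0:ahcich1:0:0:0): Error 5, Retries exhausted",  # kern.crit
    "<6>May  2 14:40:08 fw kernel: ada0: <SAMPLE DISK> ATA8-ACS SATA 3.x device",      # kern.info
    "<36>May  2 14:41:00 fw sshd[1234]: Failed password for root from 203.0.113.5",   # auth.warning
    "<38>May  2 14:41:02 fw sshd[1234]: Accepted publickey for admin",                 # auth.info
    "<27>May  2 14:42:00 fw dhcpd: unable to bind to interface",                        # daemon.err
    "<134>May  2 14:42:30 fw filterlog: 5,,,1000000103,igb0,match,block,in,4,...",     # local0.info
    "<77>May  2 14:45:00 fw cron[777]: (root) CMD (/usr/bin/nice -n 20 newsyslog)",   # cron.notice
    "May  2 14:46:00 fw unknown: message without a PRI header",                        # no PRI
]

# Constructed per-facility policy in the spirit of the thread: keep local0 and
# cron chatter off the wire, let auth warnings through, default to err and worse.
POLICY = {"kern": "err", "auth": "warning", "local0": "alert", "cron": "alert"}

if __name__ == "__main__":
    fwd, alerts = triage(SAMPLE_LINES, POLICY)
    print("forward to remote syslog:")
    for ln in fwd:
        print("  ", ln)
    print("raise a notification:")
    for ln in alerts:
        print("  ", ln)
```

Run as-is, it forwards four of the eight sample lines (the kernel disk error, the failed-password warning, the dhcpd error, and the PRI-less line, which is kept deliberately) and flags only the kern.crit entry for notification. The same two thresholds, a per-facility forwarding level and a fixed "notify at crit or worse" level, are what a syslog-ng `filter { facility(...) and level(...); }` or a Graylog input pipeline would express; the point of the script is to make the PRI arithmetic and the policy explicit so you can check it against real captured lines before trusting a filter with them.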
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.