Remote Logging over VPN (Syslog-NG?)
-
I need to reliably collect logs over a VPN connection. I'm currently just using the "Enable Remote Logging" option, but obviously this doesn't work when the VPN tunnel is down. Coincidentally, the logging I most likely wish to see is while the tunnels are down. Would a package such as Syslog-NG be able to forward any log entries after the tunnels are restored so that I'm still able to consolidate these messages?
-
@wblanton I don't think the built-in syslog has the capability to store and forward syslog messages.
I did find this article where the author uses rsyslog to do what you describe, but I don't know if/how you can get that working inside pfSense, as there is no rsyslog package available.
Depending on your environment, you could conceivably run the rsyslog on a *nix box/vm beside the pfSense and have pfSense forward its syslog output to this box which in turn is responsible to forward it to your central syslog over VPN, and it would queue up whatever it can't send until the link is restored.
Ultimately though, this whole concept relies on the fact that TCP is a reliable transport, but there is no validation that log message "x" was successfully recorded on the central server.
Furthermore, in the event of a link outage, using the above system, once the link is restored a stream of log messages would be added to the central syslog, which would then not have a linear view of time. Your central syslog would have to record the message generation time separately from the message reception time. A mechanism would be required to view records at the time they were generated, not simply received, since they could conceivably be out of order.
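
The point above about recording generation time separately from reception time, as an added example that is not part of the original reply: a collector-side sketch that keeps both timestamps, rebuilds the timeline by generation time, and flags messages that sat in a relay queue. The host names, the RFC 5424 message format, the 60-second threshold and NTP-synchronised clocks are assumptions.

```python
from datetime import datetime, timezone

def _utc(ts):
    # RFC 3339 timestamp -> aware UTC datetime ("Z" rewritten for older Pythons)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)

def parse(received_ts, line):
    """Split an RFC 5424 line and keep generation and reception time apart."""
    head, gen_ts, host, rest = line.split(" ", 3)
    if not (head.startswith("<") and head.endswith(">1")):
        raise ValueError(f"not an RFC 5424 header: {line!r}")
    generated, received = _utc(gen_ts), _utc(received_ts)
    # lag_s is only meaningful if sender and collector clocks are in sync
    return {"host": host, "rest": rest, "generated": generated,
            "received": received, "lag_s": (received - generated).total_seconds()}

def timeline(records):
    """Order by when events happened; reception time only breaks ties."""
    return sorted(records, key=lambda r: (r["generated"], r["received"]))

def delayed(records, threshold_s=60):
    """Records that waited longer than threshold_s before reaching the collector."""
    return [r for r in records if r["lag_s"] > threshold_s]

# Constructed sample in reception order: (time the collector received it, raw line).
# fw-branch logs through a queueing relay; its tunnel is down 10:01-10:10.
SAMPLE = [
    ("2024-05-01T10:00:00Z", "<134>1 2024-05-01T10:00:00Z core-sw sshd 101 - - session opened"),
    ("2024-05-01T10:00:06Z", "<134>1 2024-05-01T10:00:05Z fw-branch openvpn 2201 - - keepalive ok"),
    ("2024-05-01T10:05:00Z", "<134>1 2024-05-01T10:05:00Z core-sw sshd 101 - - session closed"),
    ("2024-05-01T10:10:30Z", "<134>1 2024-05-01T10:10:30Z core-sw cron 340 - - job started"),
    ("2024-05-01T10:10:31Z", "<132>1 2024-05-01T10:01:10Z fw-branch openvpn 2201 - - tunnel down"),
    ("2024-05-01T10:10:31Z", "<132>1 2024-05-01T10:04:00Z fw-branch openvpn 2201 - - reconnect failed"),
    ("2024-05-01T10:10:32Z", "<134>1 2024-05-01T10:10:20Z fw-branch openvpn 2201 - - tunnel up"),
]
RECORDS = [parse(rx, line) for rx, line in SAMPLE]

if __name__ == "__main__":
    late = delayed(RECORDS)
    for r in timeline(RECORDS):
        note = " (queued %ds)" % r["lag_s"] if r in late else ""
        print(r["generated"].isoformat(), r["host"], r["rest"] + note)
```

Sorting on the generation timestamp puts the two queued fw-branch messages back inside the outage window, while the stored reception time still shows when the collector actually learned of them.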