<![CDATA[Monitoring pfBlockerNG with SyslogNG: but SyslogNG sends the same entire log file each hour to Syslog Server]]>Dear Users,

I just installed and configured pfBlockerNG on a pfSense 2.6 instance and I decided to monitor the pfBlockerNG using SyslogNG.
SyslogNG collect the relevant logs (file /var/log/pfBlockerNG/IP_block.log) and send them to the log collector (SIEM).

So, at the end of this work, I'm able to analyse the logs using the web UI of the SIEM (Wazuh in my case).

PROBLEM: I noticed that, on a hourly basis, the entire log file content is sent to the SIEM. Due to this behaviour, the same alerts are processed multiple times by the SIEM.

Could you please help me to stop this anomaly? Anyone of you already faced this problem?

Thank you in advance,
Mauro

]]>https://forum.netgate.com/topic/180751/monitoring-pfblockerng-with-syslogng-but-syslogng-sends-the-same-entire-log-file-each-hour-to-syslog-serverRSS for NodeSun, 10 May 2026 04:33:42 GMTSat, 10 Jun 2023 17:11:49 GMT60<![CDATA[Reply to Monitoring pfBlockerNG with SyslogNG: but SyslogNG sends the same entire log file each hour to Syslog Server on Sat, 10 Jun 2023 19:47:08 GMT]]>@mauro-tridici To be honest i set mine up to daily updates months before I started using Syslog-ng, because I thought hourly updates are unnessecary. Even on daily updates it’s rare there is changes to the lists that I use, so this is a fine compromise for me.

]]>https://forum.netgate.com/post/1109900https://forum.netgate.com/post/1109900Sat, 10 Jun 2023 19:47:08 GMT<![CDATA[Reply to Monitoring pfBlockerNG with SyslogNG: but SyslogNG sends the same entire log file each hour to Syslog Server on Sat, 10 Jun 2023 18:24:22 GMT]]>@keyser thank you for your feedback.
I hope someone will give us a solution :) Meanwhile, I can set the pfBlocker update to "once a day (02:00)" as you did.
What do you think about this "workaround" to reduce the reloads events?

Have a great weekend,
Mauro

]]>https://forum.netgate.com/post/1109892https://forum.netgate.com/post/1109892Sat, 10 Jun 2023 18:24:22 GMT<![CDATA[Reply to Monitoring pfBlockerNG with SyslogNG: but SyslogNG sends the same entire log file each hour to Syslog Server on Sat, 10 Jun 2023 17:51:03 GMT]]>@mauro-tridici yeah, i noticed the same issue - only in My case it happens once a day (02:00) because thats when i Have pfblocker doing its update.
It seems when pfblocker updates it reloads the logfile in a manner that causes syslog-ng think all the Lines are new.
I have been unable to find a solution so far, so I’ll monitor that thread to see if anyone has a solution

]]>https://forum.netgate.com/post/1109886https://forum.netgate.com/post/1109886Sat, 10 Jun 2023 17:51:03 GMT