Netgate Discussion Forum
    Syslog generating logfiles, not sending to remote server

    General pfSense Questions
    18 Posts, 3 Posters, 349 Views
    justincm

      pfSense ver. 2.7.2

      The logs are being generated; I have reset the logs and can confirm that the logfiles regenerate and fill.

      Remote syslog server is set up. I can telnet to the port on that IP.

      syslog is running:

      /usr/sbin/syslogd -O rfc3164 -s -c -c -l /var/dhcpd/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf
      

      The pfsense is not generating any traffic on port 514 to the remote server when running packet capture locally or tcpdump on the syslog server.

      /cf/conf/config.xml and /var/etv/syslog.conf both have the correct IP and port for the remote server

      What am I missing? Other pfSense boxes are running fine with the same config.

      stephenw10 (Netgate Administrator)

        Do you see a state opened for port 514?

        Do you have anything that might block outgoing traffic like Snort or Suricata?

        justincm

          Nothing blocking traffic.

          Gertjan @justincm

            @justincm said in Syslog generating logfiles, not sending to remote server:

            /var/etv/syslog.conf

            Doesn't exist.
            You meant /var/etc/syslog.d/pfSense.conf?

            On the last line you saw:

            ...
            *.* 								@192.168.1.4
            

            You've selected "Everything":

            [screenshot of the remote logging options]

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

              justincm

              Everything is selected.

              The last line is `*.* @Syslog_server_ip_address:port` (with the IP).

                Gertjan @justincm

                @justincm

                echo -n "hello" | nc -4u -w1 192.168.1.4 514
                

                where 192.168.1.4 is your remote syslog server, and 514 the port.

                I saw "hello" popping up in the remote syslog server.
                I could packet capture this.


                  stephenw10 (Netgate Administrator) @stephenw10

                  @stephenw10 said in Syslog generating logfiles, not sending to remote server:

                  Do you see a state opened for port 514?

                    justincm @Gertjan

                    @Gertjan We are using a Rapid7 collector listening on port 10000.

                    When I run the nc command, I can see no packet popping up on the collector IP address; I see no packet from the pfSense to the collector. Nothing in packet capture either on the pfSense.

                    If I run the same nc command from another server, I see the packet in tcpdump on the collector and in packet capture on the pfSense.

                      justincm @stephenw10

                      @stephenw10 No state for 514 UDP to the syslog server.

                        Gertjan @justincm

                        @justincm said in Syslog generating logfiles, not sending to remote server:

                        If i run the same nc command from another server ...

                        To where?
                        Not 'to' pfSense, right, but to another server, like in my example: 192.168.1.4, which is my syslog 'collect' server.
                        In this case, pfSense can't see this information (you can't packet capture it), as it never reached pfSense (the pfSense IP).

                        I was executing this command:

                        echo -n "hello" | nc -4u -w1 192.168.1.4 514
                        

                        from the pfSense command line to my syslog server which has 192.168.1.1 (my pfSense IP is 192.168.1.1).

                        If you run

                        echo -n "hello" | nc -4u -w1 192.168.1.4 514
                        

                        from pfSense and you can't packet capture that traffic, then the issue isn't 'syslog' as 'nc' isn't (using the pfSense) syslog.

                          justincm @justincm
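                        The test Gertjan describes (fire one UDP datagram at the collector from the pfSense shell and watch whether it arrives) separates a syslogd problem from a network-path problem. As an added example that is not code from this thread or from pfSense, the block below does the same thing in Python and adds the two checks around it a practitioner usually wants: it pulls the `*.* @host[:port]` target(s) out of a pfSense-style syslog config (the sample lines, addresses and ports are constructed; the bracketed IPv6 spelling is an assumption about the format), builds a datagram in the RFC 3164 shape that `syslogd -O rfc3164` emits, and confirms receipt against a throwaway listener instead of only sending. In the thread the same round trip would be run against the real collector address, where a packet capture on both ends is the confirmation.

```python
"""Added example, not code from the thread or from pfSense: pull the remote
target(s) out of a pfSense-style syslog config, build an RFC 3164 datagram
like the one syslogd -O rfc3164 would emit, and confirm delivery against a
throwaway UDP listener. All addresses, ports and config lines are constructed."""
import re
import socket
from datetime import datetime

# Constructed sample of the tail of /var/etc/syslog.d/pfSense.conf: bare host,
# host:port, and a bracketed IPv6 target (the last spelling is an assumption).
SAMPLE_CONF = (
    "*.*\t\t\t\t@192.168.1.4\n"
    "*.*\t\t\t\t@192.168.1.4:10000\n"
    "*.*\t\t\t\t@[fd00::4]:514\n"
)

TARGET_RE = re.compile(
    r"^\*\.\*\s+@(?:\[(?P<v6>[0-9A-Fa-f:]+)\]|(?P<host>[^:\s\[\]]+))(?::(?P<port>\d+))?$"
)


def parse_remote_targets(conf_text):
    """Return (host, port) for every '*.* @host[:port]' line; syslog's default port is 514."""
    targets = []
    for raw in conf_text.splitlines():
        m = TARGET_RE.match(raw.strip())
        if m:
            targets.append((m.group("v6") or m.group("host"), int(m.group("port") or 514)))
    return targets


def build_rfc3164(facility, severity, hostname, tag, msg, now=None):
    """Format '<PRI>Mmm dd hh:mm:ss HOST TAG: MSG' with PRI = facility*8 + severity."""
    now = now or datetime.now()
    ts = now.strftime("%b ") + f"{now.day:2d}" + now.strftime(" %H:%M:%S")  # day is space-padded
    return f"<{facility * 8 + severity}>{ts} {hostname} {tag}: {msg}"


def parse_pri(datagram):
    """Split a received datagram's PRI back into (facility, severity); None if absent."""
    m = re.match(rb"<(\d{1,3})>", datagram)
    if not m:
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8


def send_udp(host, port, payload):
    """Fire one datagram at the target, as 'nc -u' does in the thread; returns bytes sent."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        return s.sendto(payload, (host, port))


def loopback_roundtrip(message, bind_host="127.0.0.1", timeout=2.0):
    """Bind an ephemeral UDP port, send `message` to it, and return what actually
    arrived (None on timeout). Receiving, not merely being bound, is the check
    that matters: a bound port whose traffic a host firewall drops looks the
    same in netstat/sockstat as one that works."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind((bind_host, 0))
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        send_udp(bind_host, port, message.encode())
        try:
            data, _ = listener.recvfrom(4096)
        except socket.timeout:
            return None
        return data


if __name__ == "__main__":
    for host, port in parse_remote_targets(SAMPLE_CONF):
        print(f"config target: {host}:{port}")
    msg = build_rfc3164(1, 5, "pfSense", "test", "hello")  # facility user (1), severity notice (5)
    got = loopback_roundtrip(msg)
    print("received:", got, "facility/severity:", parse_pri(got) if got else None)
```

Against a real collector, replace the loopback listener with the host and port `parse_remote_targets` returns and run a capture on both ends, as in the thread: a datagram that leaves pfSense but never reaches the collector points at the path or the collector's host firewall, while one that never leaves points at the firewall itself.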

                          I am running the nc command from the pfSense and from another server, using the syslog server in the command.

                          From the pfSense, I see no packets reaching the syslog server using tcpdump, nor any packets in a packet trace on the pfSense itself.

                          When I run the same nc command from another server, I see the packet using tcpdump on the syslog server and the traffic using packet capture on the pfSense monitoring traffic to the syslog server.

                            stephenw10 (Netgate Administrator)

                            Ok so do you see a state on port 10000 if that's what it's configured for?

                            If not, and nc also fails, I would check the routing table to make sure the expected route to the syslog server is present.

                              justincm @stephenw10

                              @stephenw10 No state for port 10000.

                              A route does exist for the interface on the syslog server subnet.

                                stephenw10 (Netgate Administrator)

                                Just to be clear you mentioned port 514 in your first post but your syslog server is configured to listen on port 10000? Is pfSense actually configured to use port 10000?

                                  justincm @stephenw10

                                  @stephenw10

                                  The remote logging is set up to send to IP_ADDRESS:10000.

                                  On the syslog server I can see in netstat that port 10000 is open.

                                    stephenw10 (Netgate Administrator)

                                    OK cool. Yet you are not seeing either states on port 10000 or packets leaving pfSense on port 10000 when new logs are being generated locally?

                                      justincm @stephenw10

                                      @stephenw10

                                      Correct

                                        Gertjan @justincm

                                        @justincm said in Syslog generating logfiles, not sending to remote server:

                                        on the syslog server I can see in netstat that port 10000 is open

                                        Nuance: netstat will show a process that is 'bound' = listening on that port. If all goes well, it's the syslog collector port.
                                        That doesn't mean it will actually receive traffic on that port, as the system firewall can still block incoming traffic.

                                        Example, on pfSense:

                                        [25.07.1-RELEASE][root@pfSense.bhf.tld]/root: sockstat -4 | grep 'nginx'
                                        root     nginx      28252 5   tcp4   *:443                 *:*
                                        root     nginx      28252 8   tcp4   *:80                  *:*
                                        root     nginx      28139 5   tcp4   *:443                 *:*
                                        root     nginx      28139 8   tcp4   *:80                  *:*
                                        root     nginx      27732 5   tcp4   *:443                 *:*
                                        root     nginx      27732 8   tcp4   *:80                  *:*
                                        

                                        This tells me that nginx, the pfSense web GUI server, listens on all (!!) existing pfSense interfaces, and that includes the WAN interface(s).
                                        This doesn't mean that I, and the entire world, can access the pfSense GUI from WAN, as the WAN firewall rules won't allow this to happen.


                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.