IPSec Logging Customization



  • I'm working on attempting to make the IPSec log more valuable by removing the less important informational chatter and having an output that is more readable for auditing user VPN connections, as well as adding an identifier field so I know what log lines are associated with what IPSec user via the IPsec static IP address or the Identifier for the key entry.  Currently, I'm pulling this information into a centralized rsyslog remotely and outputting it to a single pfSense log file rather than the main syslog.

    Is there a way to modify the Racoon output within pfsense to include custom fields where I can add a custom column (such as pulling from the IPsec Identifier field based on the key connecting to racoon for IPsec or which IPsec IP address they are receiving) for each connection based on the static IPsec IP that they use upon connecting?

    Example:

    racoon: [Unknown Gateway/Dynamic]: [IPsec Identifier] INFO: IPsec-SA expired: ESP/Tunnel ...[0]-> ...[0] spi=XXXXXX(000000)

    It's difficult to create a report based on the logs without having some kind of identifier field which tells you what client is generating what message, to pull them into a report for each user and what external IPs are using each one.

    If anyone has any ideas it would be greatly appreciated, thank you!

    Cheers
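One way to get the identifier column without touching racoon itself is to enrich the lines on the rsyslog side. The script below is an added example, not the poster's setup: it drops assumed chatter patterns, extracts the peer address from racoon's ISAKMP-SA and IPsec-SA messages, and inserts `[identifier]` after `racoon:` using a constructed peer-to-identifier table; the gateway address, identifiers and sample log lines are all constructed.

```python
"""Enrich pfSense/racoon syslog lines with a per-peer identifier for audit reports.

Assumptions (constructed for this example): the local gateway address,
the peer -> identifier mapping, the noise patterns and the sample lines.
"""
import re
from typing import List, Optional

LOCAL_GATEWAY = "198.51.100.1"  # constructed pfSense WAN address

# Constructed mapping: remote peer address -> identifier shown in the report
PEER_IDENTIFIERS = {
    "203.0.113.5": "alice@example.org",
    "203.0.113.9": "bob@example.org",
}

ADDR = r"[0-9A-Fa-f.:]+"
# Phase 1: "ISAKMP-SA established a[500]-b[500]";  Phase 2: "ESP/Tunnel a[0]->b[0]"
SA_PATTERNS = [
    re.compile(rf"ISAKMP-SA \w+ (?P<src>{ADDR})\[\d+\]-(?P<dst>{ADDR})\[\d+\]"),
    re.compile(rf"(?:ESP|AH)/(?:Tunnel|Transport) (?P<src>{ADDR})\[\d+\]->(?P<dst>{ADDR})\[\d+\]"),
]
# Informational chatter to drop; these patterns are assumptions, tune to your log
NOISE_RE = re.compile(r"racoon: INFO: (received Vendor ID|NAT-D payload|Selected NAT-T)")

# Constructed sample input, in the form a central rsyslog would receive
SAMPLE_LOG = [
    "Jan  5 10:00:01 pfsense racoon: INFO: received Vendor ID: RFC 3947",
    "Jan  5 10:00:02 pfsense racoon: INFO: ISAKMP-SA established 198.51.100.1[500]-203.0.113.5[500] spi:0123:4567",
    "Jan  5 10:00:03 pfsense racoon: INFO: IPsec-SA established: ESP/Tunnel 203.0.113.5[0]->198.51.100.1[0] spi=123456(0x1e240)",
    "Jan  5 11:00:03 pfsense racoon: INFO: IPsec-SA expired: ESP/Tunnel 198.51.100.1[0]->203.0.113.77[0] spi=654321(0x9fbf1)",
]


def peer_of(line: str) -> Optional[str]:
    """Return the remote peer address from an SA message, or None if not an SA line."""
    for pattern in SA_PATTERNS:
        m = pattern.search(line)
        if m:
            src, dst = m.group("src"), m.group("dst")
            return dst if src == LOCAL_GATEWAY else src  # whichever end is not us
    return None


def enrich(line: str) -> Optional[str]:
    """Drop noise; prefix the racoon message with [identifier] when the peer is known."""
    if NOISE_RE.search(line):
        return None
    peer = peer_of(line)
    if peer is None:
        return line  # not an SA message: pass through unchanged
    ident = PEER_IDENTIFIERS.get(peer, "unknown:" + peer)  # flag unmapped peers
    return line.replace("racoon: ", f"racoon: [{ident}] ", 1)


def process(lines: List[str]) -> List[str]:
    """Apply enrich() to a batch of lines, keeping only the surviving ones."""
    return [out for out in (enrich(l) for l in lines) if out is not None]
```

Unmapped peers are kept and tagged `unknown:<address>` rather than dropped, so a connection from an address you did not expect still shows up in the report.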

