Syslog Configuration
-
Hi everyone. Hoping that someone could point me in the right direction on what to do for syslogging. I had pfSense dumping the logs to a trial of Splunk just to have the log files somewhere, but having that data is kind of useless if there is no good way to search it. It would be nice to have a relatively simple setup to do searches for things like IP addresses using a source port, and maybe sorted by a timeframe. I'm sure Splunk can probably do this, but I didn't see any type of templates, and it seems like it could take a lot of time to figure out how to simply get it to understand the output from pfSense.
Just curious what type of syslog servers everyone might be using and if they have any type of templates to quickly search the logs for data. I'm thinking that I should look into getting a PHP script to query the database so you can type parameters into it and it will extract all of the information required. It might even be beneficial to look into how the logging is brought to the syslog server and have it parsed to the database into fields. Then that would make it a lot easier to create queries on.
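The "parse the syslog stream into database fields, then query by parameters" idea from the post, worked through as an added example (this is not the poster's code, nor anything shipped by pfSense or Splunk). It assumes the CSV `filterlog:` payload format and field offsets of current pfSense releases, assumes a year for the BSD syslog timestamps (which carry none), uses SQLite in place of whatever database a PHP front end would sit on, and runs over a handful of constructed sample lines embedded in the script:

```python
# Added example (not from the thread): parse pfSense "filterlog:" syslog lines
# into SQLite fields and query them by address, source port and time window.
# The CSV layout and offsets are an assumption about current pfSense releases.
import re
import sqlite3
from datetime import datetime

# BSD syslog header carries no year, so LOG_YEAR is assumed when parsing.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"filterlog(?:\[\d+\])?: (?P<csv>.*)$")
LOG_YEAR = 2024
# Assumed CSV offsets per IP version: (protocol text, src addr, dst addr, src port).
OFFSETS = {"4": (16, 18, 19, 20), "6": (12, 15, 16, 17)}

SCHEMA = """CREATE TABLE IF NOT EXISTS fw (ts TEXT, iface TEXT, action TEXT,
  proto TEXT, src TEXT, dst TEXT, sport INTEGER, dport INTEGER, raw TEXT);
CREATE INDEX IF NOT EXISTS fw_ts ON fw(ts);"""

# Constructed sample: four IPv4 lines, one IPv6 line, one non-firewall line.
SAMPLE_LOG = """\
Sep 15 10:20:11 pfsense filterlog[12345]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,203.0.113.5,192.168.1.10,44321,22,0,S,1234567890,,65535,,mss
Sep 15 10:20:12 pfsense filterlog[12345]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,12346,0,DF,17,udp,78,203.0.113.5,192.168.1.10,44321,53,58
Sep 15 10:21:30 pfsense filterlog[12345]: 9,,,1000000109,em1,match,pass,out,4,0x0,,64,9,0,DF,6,tcp,60,192.168.1.10,198.51.100.7,51000,443,0,S,99,,65535,,mss
Sep 15 10:22:05 pfsense filterlog[12345]: 5,,,1000000103,em0,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::1,2001:db8::10,40000,22,0,S,1,,65535,,mss
Sep 15 10:25:00 pfsense filterlog[12345]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,1,0,none,1,icmp,84,203.0.113.9,192.168.1.10,request,1,2
Sep 15 10:26:00 pfsense sshd[555]: Accepted publickey for admin from 192.168.1.20 port 50000 ssh2
"""


def parse_line(line, year=LOG_YEAR):
    """Fields of one filterlog line as a dict, or None for anything else."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 9 or f[8] not in OFFSETS:
        return None
    p, s, d, port0 = OFFSETS[f[8]]
    if len(f) <= d:
        return None  # truncated line; do not guess at missing fields
    proto = f[p].lower()
    sport = dport = None
    if (proto in ("tcp", "udp") and len(f) > port0 + 1
            and f[port0].isdigit() and f[port0 + 1].isdigit()):
        sport, dport = int(f[port0]), int(f[port0 + 1])
    try:  # prepend the assumed year so Feb 29 and the like parse correctly
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None
    return {"ts": ts.isoformat(sep=" "),  # ISO text sorts and compares correctly
            "iface": f[4], "action": f[6], "proto": proto, "src": f[s], "dst": f[d],
            "sport": sport, "dport": dport, "raw": line}


def load(conn, text):
    """Store every parsable line of `text`; returns how many were stored."""
    conn.executescript(SCHEMA)
    rows = [r for r in map(parse_line, text.splitlines()) if r]
    conn.executemany("INSERT INTO fw VALUES (:ts,:iface,:action,:proto,:src,:dst,"
                     ":sport,:dport,:raw)", rows)
    conn.commit()
    return len(rows)


def _iso(t):
    """Accept a datetime or an ISO 'YYYY-MM-DD HH:MM:SS' string for the window."""
    return t if isinstance(t, str) else t.isoformat(sep=" ")


def query(conn, ip=None, sport=None, dport=None, since=None, until=None):
    """Rows touching `ip` on either side, filtered by ports and a [since, until)
    window.  Every value is a bound parameter, never pasted into the SQL string;
    that is the first thing to get right in a PHP front end that takes input."""
    clauses = [("(src = ? OR dst = ?)", [ip, ip]) if ip is not None else None,
               ("sport = ?", [sport]) if sport is not None else None,
               ("dport = ?", [dport]) if dport is not None else None,
               ("ts >= ?", [_iso(since)]) if since else None,
               ("ts < ?", [_iso(until)]) if until else None]
    clauses = [c for c in clauses if c]
    sql = "SELECT ts, action, iface, proto, src, sport, dst, dport FROM fw"
    if clauses:
        sql += " WHERE " + " AND ".join(c for c, _ in clauses)
    params = [v for _, vals in clauses for v in vals]
    return conn.execute(sql + " ORDER BY ts", params).fetchall()


def build_db(text=SAMPLE_LOG):
    """In-memory database loaded from `text`; use a file path for real logs."""
    conn = sqlite3.connect(":memory:")
    load(conn, text)
    return conn


if __name__ == "__main__":
    db = build_db()
    for row in query(db, ip="203.0.113.5", sport=44321):
        print(row)
```

Against a real syslog file you would call `load(conn, open(path).read())` (or `gzip.open` for rotated archives) and point `sqlite3.connect` at a file instead of `:memory:`. Lines that are not firewall events, or that are truncated, are skipped rather than half-parsed, and ports stay NULL for ICMP and other protocols, so a search on a source port only ever matches rows where that field actually meant something.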
-
Personally I just keep the raw logs and if I want something, I grep for it (or zgrep, or bzgrep, if the logs have been rotated/archived) :-)
I realize that's not ideal for most people, but I rarely have to go back to old logs; it's just nice to have them handy.
To do some of what you want requires a system like Splunk that would put the logs into a database and give you a nice GUI to wrap them up in. If others have suggestions for similar (hopefully free) products it would be nice to know.
We are working on a central management system for pfSense that will include central logging functions, but that will not be a free product when it happens.