WallWatcher 3.3.37 (Final) and pfsense

rizwan602

Hello,

I have been successfully using WallWatcher with m0n0wall for a year now; and recently I upgraded to pfsense 2.01. I can get the SYSLOG to send data to the machine running WallWatcher but the "formatting" seems to be wrong. There is no protocol information, or remote ip address and the remote name/message contains data that looks like "<134>feb 8 10:23:37 pf:00:00:04 131447 rule 55/0(match)".

I set the router type to pfsense but this does not seem to matter.

I have 1 LAN interface and 6 WAN interfaces. They are em0 and fxp0 through fxp5.

What am I doing wrong here? I've seen on the web that others are using pfsense and wallwatcher successfully.

Thank you,

Rizwan

Cino

I used WallWatcher for a while when I was running pfSense 1.2.3… Worked great. After upgrading to pfSense 2.0, WallWatcher couldn't phrase/format the syslog correctly. I did contact the developers of WallWatcher for them to create another profile for pfSense 2.0 but received no response. A few months later, the development has stopped for WallWatcher.

The successfully use of pfSense with WallWatcher are probably running pfSense 1.x.x

You could play with the different logging settings within pfSense to see if that helps. I think when I was running 1.2.3 I had to have 'Firewall events' checked only...

johnpoz

The problem with wallwatcher might be that the syslog messages are split.  I had noticed this in my syslogs and per the code given this bug by Francis Turner I was able fix up the split in the syslog messages

http://redmine.pfsense.org/issues/1938

I would have to fire up wallwatcher to see if this fixes the issue your seeing.  But either way you might want to look at that code that Francis provided.  I currently have it running.

I am currently running
2.1-DEVELOPMENT (i386)
built on Fri Nov 25 17:45:38 EST 2011
FreeBSD 8.1-RELEASE-p6

And I gitsync prob about once a week.  Not sure if this code has been - when I get a chance I will double check to see if my syslog has reverted to being split, and will fire up wallwatcher to see if works with non split syslog.

Cino

johnpoz, thank you for sharing this! I'll have to give this a try myself and see if it works.  I always thought it was WallWatcher issue as I didn't see the same issue with kiwi. I haven't used external logging in a few months and been meaning to turn it back on.

johnpoz

you were not seeing split syslog entries with kiwi?

I run syslog watcher http://www.snmpsoft.com/syslogwatcher/syslog-server.html and was seeing them - here are some example from before and current

jimp

http://redmine.pfsense.org/issues/1938