Netgate Discussion Forum

    More Logging

    General pfSense Questions
    • ant2ne

      My pfsense is running on a 32G SSD Sata III drive with a dual core CPU and 4Gigs of RAM. I'm currently using 2% of my hard drive, which is great because I want to do some more intense logging. How can I configure pfsense to store more logs and greater detail locally? Are the logs stored in RAM? I'd like to be sure the logs survive a reboot.

      I'm running spamd, and I can't find the log entry for blocked emails.

      • coolspot

        @ant2ne:

        My pfsense is running on a 32G SSD Sata III drive with a dual core CPU and 4Gigs of RAM. I'm currently using 2% of my hard drive, which is great because I want to do some more intense logging. How can I configure pfsense to store more logs and greater detail locally? Are the logs stored in RAM? I'd like to be sure the logs survive a reboot.

        I'm running spamd, and I can't find the log entry for blocked emails.

        With an SSD you probably want minimum logging or else you're going to burn through the drive pretty quick.

        • gogol

          @coolspot:

          With an SSD you probably want minimum logging or else you're going to burn through the drive pretty quick.

          Do some more reading on this subject because you are telling an old story. ;)

          As an example: http://www.anandtech.com/show/6459/samsung-ssd-840-testing-the-endurance-of-tlc-nand

          OP: the log files are in /var/log and the settings cannot be changed easily and must be set per process, are overwritten when you update etc.

          • stephenw10 Netgate Administrator

            Easiest way to set up more long-term logging on the box is to run a syslog server. A helpful forum user has packaged up syslog-ng for the purpose but it's only available for 2.1.
            http://forum.pfsense.org/index.php/topic,53819.0.html

            Steve

            • ant2ne

              I started working on setting up a syslog server. The server I'm using is an ubuntu server. I got it to send the logs, but I'm struggling with getting it to go someplace other than the same old syslog.

              I'm kind of surprised the pfsense doesn't offer a package or feature for more robust logging. If there is a security issue, sometimes those issues aren't noticed right away. It could be days or weeks before the compromised system is noticed. And then the logs would be gone.

              • wallabybob

                @ant2ne:

                I got it to send the logs, but I'm struggling with getting it to go someplace other than the same old syslog.

                What is it you want? You can send pfSense log entries to another system. syslog on Ubuntu can be configured to put logging entries to a variety of destinations.

                • Clear-Pixel

                  @ant2ne:

                  I started working on setting up a syslog server. The server I'm using is an ubuntu server. I got it to send the logs, but I'm struggling with getting it to go someplace other than the same old syslog.

                  I'm kind of surprised the pfsense doesn't offer a package or feature for more robust logging. If there is a security issue, sometimes those issues aren't noticed right away. It could be days or weeks before the compromised system is noticed. And then the logs would be gone.

                  I agree with you ... pfsense has all of these packages and features but nothing significant to aid the admin in monitoring security issues easily.

                  HP EliteBook 2530p Laptop - Core2 Duo SL9600 @ 2.13Ghz - 4 GB Ram -128GB SSD
                  Atheros Mini PCI-E as Access Point (AR5BXB63H/AR5007EG/AR2425)
                  Single Ethernet Port - VLAN
                  Cisco SG300 10-port Gigabit Managed Switch
                  Cisco DPC3008 Cable Modem  30/4 Mbps
                  Pfsense 2.1-RELEASE (amd64)
                  –------------------------------------------------------------
                  Total Network Power Consumption - 29 Watts

                  • cmb

                    syslog + netflow is about all you're going to get out of any firewall. A firewall is not a NSM device. Adding in Security Onion for NSM goes a long way for proper forensics and in-depth monitoring. The tools it runs are extremely resource-intensive (CPU, RAM, disk) by their nature though, something that should be run on a separate system (or VM).

                    • Clear-Pixel

                      @cmb:

                      syslog + netflow is about all you're going to get out of any firewall. A firewall is not a NSM device. Adding in Security Onion for NSM goes a long way for proper forensics and in-depth monitoring. The tools it runs are extremely resource-intensive (CPU, RAM, disk) by their nature though, something that should be run on a separate system (or VM).

                      You would think there would be more discussion in the forum on NSM devices such as Security Onion. By no means am I aware of all the crap that's getting through that shouldn't be, and it would be great to have better tools for monitoring security.

                      I do plan on doing a Kali Linux install to learn a bit about the security tools used in pen testing a network. http://www.kali.org/ also look at some of the optional NSM open source software available? More suggestions and methods of monitoring would be appreciated.

                      It seems to me most users just feel confident they're safe just because they have a firewall ... but nothing can be further from the truth.

                      • ant2ne

                        @wallabybob:

                        @ant2ne:

                        I got it to send the logs, but I'm struggling with getting it to go someplace other than the same old syslog.

                        What is it you want? You can send pfSense log entries to another system. syslog on Ubuntu can be configured to put logging entries to a variety of destinations.

                        I'm not able to get it to put the logs into its own log file. I'm not sure exactly what I'm doing wrong. Do you have a good tutorial for ubuntu 12.04?

                        I think the wonder of pfsense is you can build your own hardware to suit your own needs. So if I'm running a nice little powerful system and I want to have the hard drive space, I should be able to have some good logging.

                        • wallabybob

                          @ant2ne:

                          I'm not able to get it to put the logs into its own log file. I'm not sure exactly what I'm doing wrong. Do you have a good tutorial for ubuntu 12.04?

                          I don't understand. Do you mean you have configured pfSense to syslog to the Ubuntu system and you don't see any entries from your pfSense box in the Ubuntu syslog?

                          I send my pfSense logs to a system based on an old version of Centos (a Linux variant). On Centos I had to start syslog with a command line option to accept log entries from remote systems and tweak the syslog configuration file to accept syslog records from the IP address of my pfSense box. I expect you will need to do at least similar tweaks to the Ubuntu system. I believe there are at least two different syslog programmes that are commonly used in Linux systems. The default on my Ubuntu 12.04 seems to be rsyslogd which is described by the rsyslogd man page.

                          • ant2ne

                            @wallabybob:

                            @ant2ne:

                            I'm not able to get it to put the logs into its own log file. I'm not sure exactly what I'm doing wrong. Do you have a good tutorial for ubuntu 12.04?

                            I don't understand. Do you mean you have configured pfSense to syslog to the Ubuntu system and you don't see any entries from your pfSense box in the Ubuntu syslog?

                            I send my pfSense logs to a system based on an old version of Centos (a Linux variant). On Centos I had to start syslog with a command line option to accept log entries from remote systems and tweak the syslog configuration file to accept syslog records from the IP address of my pfSense box. I expect you will need to do at least similar tweaks to the Ubuntu system. I believe there are at least two different syslog programmes that are commonly used in Linux systems. The default on my Ubuntu 12.04 seems to be rsyslogd which is described by the rsyslogd man page.

                            No, the events go into the /var/log/syslog on the ubuntu server. But that is a mess. I'd rather they go into a separate file like /var/log/pfsenselog

                            • wallabybob

                              @ant2ne:

                              No, the events go into the /var/log/syslog on the ubuntu server. But that is a mess. I'd rather they go into a separate file like /var/log/pfsenselog

                              I believe from my reading of the man page for rsyslogd that what you want is possible with rsyslogd, but I haven't done it.

                              I suggest you read the man page for whatever system logger you are using and (if necessary) then ask in the Ubuntu forums.

                              • jimp Rebel Alliance Developer Netgate

                                That's possible with any syslog daemon that I've used. Check the man page, look for host filters.

                                1. Make sure the host is resolvable via REVERSE DNS, usually this means an /etc/hosts entry
                                2. Use something like this:

                                !*
                                +*
                                +mypfsensehostname
                                *.*                                             /var/log/pfsense.log
                                


                                1 Reply Last reply Reply Quote 0
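
An added example (not from any poster in this thread, and not pfSense or rsyslog project code) of one way to get the separate log file asked for above, using rsyslog on the Ubuntu receiver. The file name `30-pfsense.conf` and the address `192.0.2.1` are placeholders; the file has to sort ahead of Ubuntu's `50-default.conf` so the discard runs before the rule that writes /var/log/syslog.

```conf
# /etc/rsyslog.d/30-pfsense.conf   (hypothetical file name)
# Assumptions: pfSense sends syslog over UDP port 514 from 192.0.2.1
# (placeholder address; substitute the firewall's real IP).
# Written in rsyslog's legacy directive syntax.

# Accept remote syslog over UDP.
$ModLoad imudp
$UDPServerRun 514

# Accept UDP syslog only from the firewall; other network senders are dropped.
$AllowedSender UDP, 192.0.2.1

# Match on the sender's IP address rather than its hostname, so the rule
# does not depend on reverse DNS or an /etc/hosts entry, and write
# everything from that host to its own file.
:fromhost-ip, isequal, "192.0.2.1"    /var/log/pfsense.log

# Discard the matched messages so they do not also fall through to the
# default rules that write /var/log/syslog.
# Newer rsyslog releases spell this action "& stop".
& ~
```

Check the syntax with `rsyslogd -N1` before restarting the daemon. Retention is then a matter of log rotation on the receiver, so the firewall's own small local logs no longer limit how far back an investigation can look.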