More Logging



  • My pfsense is running on a 32G SSD Sata III drive with a dual core CPU and 4 Gigs of RAM. I'm currently using 2% of my hard drive, which is great because I want to do some more intense logging. How can I configure pfsense to store more logs and greater detail locally? Are the logs stored in RAM? I'd like to be sure the logs survive a reboot.

    I'm running spamd, and I can't find the log entry for blocked emails.



  • @ant2ne:

    My pfsense is running on a 32G SSD Sata III drive with a dual core CPU and 4 Gigs of RAM. I'm currently using 2% of my hard drive, which is great because I want to do some more intense logging. How can I configure pfsense to store more logs and greater detail locally? Are the logs stored in RAM? I'd like to be sure the logs survive a reboot.

    I'm running spamd, and I can't find the log entry for blocked emails.

    With a SSD you probably want minimum logging or else you're going to burn through the drive pretty quick.



  • @coolspot:

    With a SSD you probably want minimum logging or else you're going to burn through the drive pretty quick.

    Do some more reading on this subject because you are telling an old story. ;)

    As an example: http://www.anandtech.com/show/6459/samsung-ssd-840-testing-the-endurance-of-tlc-nand

    OP: the log files are in /var/log and the settings cannot be changed easily and must be set per process, are overwritten when you update etc.


  • Netgate Administrator

    Easiest way to set up more long-term logging on the box is to run a syslog server. A helpful forum user has packaged up syslog-ng for the purpose but it's only available for 2.1.
    http://forum.pfsense.org/index.php/topic,53819.0.html

    Steve



  • I started working on setting up a syslog server. The server I'm using is an ubuntu server. I got it to send the logs, but I'm struggling with getting it to go someplace other than the same old syslog.

    I'm kind of surprised pfsense doesn't offer a package or feature for more robust logging. If there is a security issue, sometimes those issues aren't noticed right away. It could be days or weeks before the compromised system is noticed. And then the logs would be gone.



  • @ant2ne:

    I got it to send the logs, but I'm struggling with getting it to go someplace other than the same old syslog.

    What is it you want? You can send pfSense log entries to another system. syslog on Ubuntu can be configured to put logging entries to a variety of destinations.



  • @ant2ne:

    I started working on setting up a syslog server. The server I'm using is an ubuntu server. I got it to send the logs, but I'm struggling with getting it to go someplace other than the same old syslog.

    I'm kind of surprised pfsense doesn't offer a package or feature for more robust logging. If there is a security issue, sometimes those issues aren't noticed right away. It could be days or weeks before the compromised system is noticed. And then the logs would be gone.

    I agree with you ..... pfsense has all of these packages and features but nothing significant to aid the admin in monitoring security issues easily.



  • syslog + netflow is about all you're going to get out of any firewall. A firewall is not an NSM device. Adding in Security Onion for NSM goes a long way for proper forensics and in-depth monitoring. The tools it runs are extremely resource-intensive (CPU, RAM, disk) by their nature though, something that should be run on a separate system (or VM).



  • @cmb:

    syslog + netflow is about all you're going to get out of any firewall. A firewall is not an NSM device. Adding in Security Onion for NSM goes a long way for proper forensics and in-depth monitoring. The tools it runs are extremely resource-intensive (CPU, RAM, disk) by their nature though, something that should be run on a separate system (or VM).

    You would think there would be more discussion in the forum on NSM devices such as Security Onion. By no means am I aware of all the crap that's getting through that shouldn't be, and it would be great to have better tools for monitoring security.

    I do plan on doing a Kali Linux install to learn a bit about the security tools used in pen testing a network. http://www.kali.org/ Also look at some of the optional NSM open source software available? More suggestions and methods of monitoring would be appreciated.

    It seems to me most users just feel confident they're safe just because they have a firewall ..... but nothing could be further from the truth.



  • @wallabybob:

    @ant2ne:

    I got it to send the logs, but I'm struggling with getting it to go someplace other than the same old syslog.

    What is it you want? You can send pfSense log entries to another system. syslog on Ubuntu can be configured to put logging entries to a variety of destinations.

    I'm not able to get it to put the logs into its own log file. I'm not sure exactly what I'm doing wrong. Do you have a good tutorial for ubuntu 12.04?

    I think the wonder of pfsense is you can build your own hardware to suit your own needs. So if I'm running a nice little powerful system and I want to have the hard drive space, I should be able to have some good logging.



  • @ant2ne:

    I'm not able to get it to put the logs into its own log file. I'm not sure exactly what I'm doing wrong. Do you have a good tutorial for ubuntu 12.04?

    I don't understand. Do you mean you have configured pfSense to syslog to the Ubuntu system and you don't see any entries from your pfSense box in the Ubuntu syslog?

    I send my pfSense logs to a system based on an old version of Centos (a Linux variant). On Centos I had to start syslog with a command line option to accept log entries from remote systems and tweak the syslog configuration file to accept syslog records from the IP address of my pfSense box. I expect you will need to do at least similar tweaks to the Ubuntu system. I believe there are at least two different syslog programmes that are commonly used in Linux systems. The default on my Ubuntu 12.04 seems to be rsyslogd which is described by the rsyslogd man page.



  • @wallabybob:

    @ant2ne:

    I'm not able to get it to put the logs into its own log file. I'm not sure exactly what I'm doing wrong. Do you have a good tutorial for ubuntu 12.04?

    I don't understand. Do you mean you have configured pfSense to syslog to the Ubuntu system and you don't see any entries from your pfSense box in the Ubuntu syslog?

    I send my pfSense logs to a system based on an old version of Centos (a Linux variant). On Centos I had to start syslog with a command line option to accept log entries from remote systems and tweak the syslog configuration file to accept syslog records from the IP address of my pfSense box. I expect you will need to do at least similar tweaks to the Ubuntu system. I believe there are at least two different syslog programmes that are commonly used in Linux systems. The default on my Ubuntu 12.04 seems to be rsyslogd which is described by the rsyslogd man page.

    No, the events go into /var/log/syslog on the ubuntu server. But that is a mess. I'd rather they go into a separate file like /var/log/pfsenselog



  • @ant2ne:

    No, the events go into /var/log/syslog on the ubuntu server. But that is a mess. I'd rather they go into a separate file like /var/log/pfsenselog

    I believe from my reading of the man page for rsyslogd that what you want is possible with rsyslogd, but I haven't done it.

    I suggest you read the man page for whatever system logger you are using and (if necessary) then ask in the Ubuntu forums.


  • Rebel Alliance Developer Netgate

    That's possible with any syslog daemon that I've used. Check the man page, look for host filters.

    1. Make sure the host is resolvable via REVERSE DNS; usually this means an /etc/hosts entry
    2. Use something like this:

    !*
    +*
    +mypfsensehostname
    *.*                                             /var/log/pfsense.log
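The same host filtering expressed for rsyslogd, the default logger on Ubuntu 12.04 mentioned earlier in the thread. This is an added example, not a config posted by any forum member: the pfSense address 192.0.2.1, the file name /etc/rsyslog.d/10-pfsense.conf and the log path are assumptions, and matching on the sender's IP rather than its hostname avoids the reverse DNS dependency of the `+hostname` form above.

```conf
# /etc/rsyslog.d/10-pfsense.conf (assumed file name; legacy rsyslog syntax as on Ubuntu 12.04)
# Accept remote syslog over UDP/514, which is what pfSense's remote logging sends.
$ModLoad imudp
$UDPServerRun 514

# Only accept datagrams from the firewall (assumed address 192.0.2.1); drop everything else.
$AllowedSender UDP, 192.0.2.1

# Route every message that came from that address into its own file,
# then discard it so it does not also land in /var/log/syslog.
if $fromhost-ip == '192.0.2.1' then /var/log/pfsense.log
& ~
```

The file is picked up by the `$IncludeConfig /etc/rsyslog.d/*.conf` line in the stock rsyslog.conf; after restarting rsyslog, confirm entries arrive with `tail -f /var/log/pfsense.log` and add /var/log/pfsense.log to a logrotate stanza so it cannot fill the disk.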
