Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Syslog

    Firewalling
    3
    4
    1.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      BenKenobe
      last edited by

      It's hard to put a subject line that is meaningful.

      I send all alert and warning events to a syslog server, this is fine works OK - BUT - is there any way to make pFSense sent the whole 'event' as one instead of the 'two' that it currently has i.e. first you get the 'block' or 'pass' message and then you get the IP details of the offender - this makes it impossible to filter, if you filter on IP you get only the IP's not the ''block or pass" if you filter on "block or pass" you don't get the IP … catch 22.

      Is it possible to either add some sort of event ID or combine the two into one? i.e. I want to record either blocked or passed but I want to filter the 'entire' event and have all information present. I'm trying to find out why the 'default block' rule is blocking legitimate connections from the LAN to the outside world, connections that are implicitly permitted by the LAN 'pass all' rule - I'm also trying to find out why our BT Vision box is getting error 412 and 424.

      here is an example of unfiltered
      30-08-2013 09:37:44 Local0.Info 192.168.1.254 Aug 30 09:37:44 pf:    192.168.1.8.39364 > 74.125.24.95.443: Flags [F.], cksum 0x4dee (correct), seq 944889735, ack 3664817649, win 408, options [nop,nop,TS val 3915728 ecr 697359698], length 0
      30-08-2013 09:37:44 Local0.Info 192.168.1.254 Aug 30 09:37:44 pf: 00:00:25.957529 rule 1/0(match): block in on re0: (tos 0x0, ttl 64, id 12486, offset 0, flags [DF], proto TCP (6), length 52)
      30-08-2013 09:37:18 Local0.Info 192.168.1.254 Aug 30 09:37:18 pf:    192.168.1.8.39151 > 74.125.24.95.443: Flags [F.], cksum 0x99ec (correct), seq 1995809548, ack 673348562, win 764, options [nop,nop,TS val 3915324 ecr 660960969], length 0
      30-08-2013 09:37:18 Local0.Info 192.168.1.254 Aug 30 09:37:18 pf: 00:00:05.971297 rule 1/0(match): block in on re0: (tos 0x0, ttl 64, id 30827, offset 0, flags [DF], proto TCP (6), length 52)
      30-08-2013 09:37:12 Local0.Info 192.168.1.254 Aug 30 09:37:12 pf:    192.168.1.8.39364 > 74.125.24.95.443: Flags [F.], cksum 0x53f2 (correct), seq 944889735, ack 3664817649, win 408, options [nop,nop,TS val 3914188 ecr 697359698], length 0
      30-08-2013 09:37:12 Local0.Info 192.168.1.254 Aug 30 09:37:12 pf: 00:00:00.970786 rule 1/0(match): block in on re0: (tos 0x0, ttl 64, id 12485, offset 0, flags [DF], proto TCP (6), length 52)

      here is an example of filtered by IP (same events - I think?)

      30-08-2013 09:37:18 Local0.Info 192.168.1.254 Aug 30 09:37:18 pf:    192.168.1.8.39151 > 74.125.24.95.443: Flags [F.], cksum 0x99ec (correct), seq 1995809548, ack 673348562, win 764, options [nop,nop,TS val 3915324 ecr 660960969], length 0
      30-08-2013 09:37:18 Local0.Info 192.168.1.254 Aug 30 09:37:18 pf:    192.168.1.8.39151 > 74.125.24.95.443: Flags [F.], cksum 0x99ec (correct), seq 1995809548, ack 673348562, win 764, options [nop,nop,TS val 3915324 ecr 660960969], length 0
      30-08-2013 09:37:12 Local0.Info 192.168.1.254 Aug 30 09:37:12 pf:    192.168.1.8.39364 > 74.125.24.95.443: Flags [F.], cksum 0x53f2 (correct), seq 944889735, ack 3664817649, win 408, options [nop,nop,TS val 3914188 ecr 697359698], length 0

      here is an example of filtered by event - for the same 'events'

      30-08-2013 09:37:44 Local0.Info 192.168.1.254 Aug 30 09:37:44 pf: 00:00:25.957529 rule 1/0(match): block in on re0: (tos 0x0, ttl 64, id 12486, offset 0, flags [DF], proto TCP (6), length 52)
      30-08-2013 09:37:18 Local0.Info 192.168.1.254 Aug 30 09:37:18 pf: 00:00:05.971297 rule 1/0(match): block in on re0: (tos 0x0, ttl 64, id 30827, offset 0, flags [DF], proto TCP (6), length 52)
      30-08-2013 09:37:12 Local0.Info 192.168.1.254 Aug 30 09:37:12 pf: 00:00:00.970786 rule 1/0(match): block in on re0: (tos 0x0, ttl 64, id 12485, offset 0, flags [DF], proto TCP (6), length 52)

      this makes tracking things a time consuming pain in the hole - is there any hidden setting or something that can be done to improve the manner in which events are 'sent' - i.e. some template somewhere, I have looked but found nothing 'relevant'

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        http://redmine.pfsense.org/issues/1938

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • B
          biggsy
          last edited by

          @jimp:

          http://redmine.pfsense.org/issues/1938

          I applied the proposed fix to a 2.0.2 install and, when rebooting, it caused Snort to throw the errors:

          Aug 30 20:35:58 php: : The command '/usr/bin/sed -I '' -f /tmp/sedcmd /usr/local/etc/snort/snort_48586_em0/preproc_rules/preprocessor.rules' returned exit code '1', the output was 'sed: /tmp/sedcmd: No such file or directory'
The command '/usr/bin/sed -I '' -f /tmp/sedcmd /usr/local/etc/snort/snort_48586_em0/preproc_rules/decoder.rules' returned exit code '1', the output was 'sed: /tmp/sedcmd: No such file or directory'
          1 Reply Last reply Reply Quote 0
          • B
            BenKenobe
            last edited by

            Thanks for the input guys, I confess I should read more probably but I don't really have the time so it's good that people here are able to assist.

            I can't wait for this feature to be available ….

            Have applied patch for now, seems to work OK so far

            1 Reply Last reply Reply Quote 0
            • First post
              Last post