Pfsense log to log management system

fai0

I am current try to feed pfsense 2.1 log to a log management system.
When I try to look into log and I found log is not like traditional pf log I can see pass in / pass out / block in / block out statement on log handled by rules, and what I have got in the logs look like:

Pass log:
Oct  8 15:40:56 xxxx pf:    xxx.168.xxx.xxx.59641 > xxx.xxx.xxx.132.443: Flags ~~, cksum 0x0d81 (correct), seq 3464546058, win 65535, options [mss 1360,nop,wscale 4,nop,nop,TS val 202297292 ecr 0,sackOK,eol], length 0

Block log:
Oct  8 16:00:07 xxxx pf:    xxx.xxx.xxx.121.6000 > xxxx.xxxx.xxxx.123.443: Flags ~~, cksum 0x15ff (correct), seq 169213952, win 16384, length 0

Is there anyway simple way I can tell which is pass log and which is block log? Thanks in advise.~~~~

biggsy

You have only listed the second line of each.

The pass and block log records are split over two lines.

2013-10-08 01:46:57	Local0.Info	192.168.11.1	Oct  8 01:46:57 pf: 00:31:53.784151 rule 92/0(match): pass in on em0: (tos 0x0, ttl 39, id 35779, offset 0, flags [none], proto TCP (6), length 60)
2013-10-08 01:46:57	Local0.Info	192.168.11.1	Oct  8 01:46:57 pf:     aaa.bbb.82.50.37914 > xxx.yyy.34.12.25: Flags [s], cksum 0x9272 (correct), seq 399763710, win 62920, options [mss 1430,sackOK,TS val 3410115388 ecr 0,nop,wscale 6], length 0

This is a "feature" - [url]https://redmine.pfsense.org/issues/1938[/url].  Unfortunately, I've never been able to make the fix work.[/s]

jimp

Try this patch on 2.1:
http://files.pfsense.org/jimp/patches/pf-log-oneline-option.diff

fai0

Thanks and the patch work

biggsy

Great, thanks Jim.

biggsy

No good, sadly.  Tried rebooting too.

2013-10-10 19:50:40	Local0.Info	192.168.11.1	Oct 10 19:48:22 pf: 00:00:00.000000 rule 92/0(match): pass in on em0: (tos 0x0, ttl 55, id 60193, offset 0, flags [DF], proto TCP (6), length 64)
2013-10-10 19:50:40	Local0.Info	192.168.11.1	Oct 10 19:48:22 pf:     aaaa.bbbb.168.152.35251 > xxxx.yyyy.34.12.25: Flags [s], cksum 0x748d (correct), seq 2705755449, win 54658, options [mss 1460,nop,nop,TS val 1644061776 ecr 0,nop,wscale 4,nop,nop,sackOK], length 0

I'm running 2.1-RELEASE (amd64) and only other patch is Marcelloc's interface name patch.  Both show "revert".

Anything I can provide to help to find the problem? 

[/s]

jimp

After applying the patch go into the settings tab on the system logs and check the box to activate it.

biggsy

That did it.

Thanks again.