Netgate Discussion Forum
    PfSense syslog and ELSA

• BBcan177 Moderator

  @jimp:

  Otherwise track down the commit(s) for the syslog source address selection and apply them manually.

  Hi Jim,

  I found this revision: https://redmine.pfsense.org/projects/pfsense/repository/revisions/53c5407e646028a003b2765a87dd3316b21a9497

  Would the steps involved be to replace the two files with the ones on this site?

  /etc/inc/system.ini
  /usr/local/www/diag_logs_settings.php

  "Experience is something you don't get until just after you need it."

  Website: http://pfBlockerNG.com
  Twitter: @BBcan177  #pfBlockerNG
  Reddit: https://www.reddit.com/r/pfBlockerNG/new/
• jimp Rebel Alliance Developer Netgate

  You should be able to use the system patches package to apply that patch. Taking the whole files might get other changes that would have unintended consequences.

  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

  Need help fast? Netgate Global Support!

  Do not Chat/PM for help!
• BBcan177 Moderator

  Do you have a link that you could share?
• jimp Rebel Alliance Developer Netgate

  http://doc.pfsense.org/index.php/System_Patches
• BBcan177 Moderator

  @jimp:

  Ditch the route, update to 2.1.1, then Status > System Logs, Settings tab, pick LAN for the source address. :-)

  Hi Jimp,

  Thanks for the direction on getting the Syslog to work thru the VPN tunnel. Works well!

  I believe that "System: NOTIFICATION / SMTP" has this same issue.

  I have "DNS Forwarder" set to forward "mail.domain.com" to 10.10.10.5, I have the Notification "Email server" set to "mail.domain.com", and the emails never go out.

  If I change the "Email Server" in Notification to 10.10.10.5, the emails don't go out.

  When I change "mail.domain.com" to the External IP address of the mail server, the emails go thru, as this sends the email out thru the internet to get to my mail server.

  Would prefer the mail to stay within my VPN tunnel if possible.
• jimp Rebel Alliance Developer Netgate

  Not relevant to this thread, but that would require a route, the smtp client doesn't have a way to force the source address. Start a new thread if you want to discuss alternatives.
• BBcan177 Moderator

  @jimp:

  Not relevant to this thread, but that would require a route, the smtp client doesn't have a way to force the source address. Start a new thread if you want to discuss alternatives.

  Hi Jimp,

  I posted my question to the group without any replies, would you have any suggestions?

  https://forum.pfsense.org/index.php/topic,72149.msg394065.html#msg394065
• thhi

  The logs from pfSense for ICMP packets (and ESP, IGMP, maybe other protocols as well) have more than one space in front of the IP address part (after applying the "oneline" patch). Therefore you need additional patterns in the patterndb.xml file of ELSA, i.e.

  for "class 2" - (FIREWALL_ACCESS_DENY)

    <pattern>@ESTRING:: block in on @@ESTRING:s0:: (@@ESTRING::proto @@ESTRING:i0: @@ESTRING::   @@IPv4:i1:@@ESTRING:: @@ESTRING:: @@IPv4:i3:@@ANYSTRING@</pattern>

  and for "class 3" - (FIREWALL_CONNECTION_END)

    <pattern>@ESTRING:: pass in on @@ESTRING:s0:: (@@ESTRING::proto @@ESTRING:i0: @@ESTRING::   @@IPv4:i1:@@ESTRING:: @@ESTRING:: @@IPv4:i3:@@ANYSTRING@</pattern>

  There is an additional 'problem' with the pfSense logs in ELSA:
  The delimiter between IP addresses and the port numbers is a "dot". This is not a valid delimiter for the sphinx search engine of ELSA, so the search for an IP address isn't working in ELSA.

  To solve this issue I have added an additional sed command for external logging in pfSense in
  /etc/inc/filter.inc to substitute these dots by a colon:

    $oneline = isset($config['syslog']['pflog_oneline']) ? " | /usr/bin/sed -l -e 'N;s/\\n //;P;D;' | /usr/bin/sed -l -e 's/\\(.* \\)\\(\\([0-9]\\{1,3\\}\\.\\)\\{3\\}[0-9]\\{1,3\\}\\)\\.\\([0-9]\\{1,5\\}\\)\\( .* \\)\\(\\([0-9]\\{1,3\\}\\.\\)\\{3\\}[0-9]\\{1,3\\}\\)\\.\\([0-9]\\{1,5\\}\\)\\(.*\\)/\\1\\2:\\4\\5\\6:\\8\\9/' " : " ";

  Maybe there is a better solution.
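The two sed stages from thhi's post, run over constructed pf log records so the effect of each can be checked offline. This is an added example, not code from the thread, from pfSense or from ELSA; it assumes the raw two-line tcpdump-style records that pf logging produces before they reach logger, uses RFC 5737 documentation addresses, and drops the BSD-only `-l` line-buffering flag so the pipeline runs under either GNU or BSD sed:

```shell
#!/bin/sh
# Added example (not the thread's or pfSense's own code): reproduce the
# "oneline" join and thhi's dot-to-colon rewrite on constructed pf log lines.
# Assumption: input is the raw two-line tcpdump output, one record per pair.

# Stage 1 is the patch's join: pull in the continuation line and drop the
# newline plus one leading space. Three of the four indent spaces survive,
# which is why the ELSA patterns above match "@ESTRING::   @" (three spaces).
# Stage 2 is thhi's rewrite of "a.b.c.d.port" into "a.b.c.d:port" for both
# endpoints, so the sphinx indexer no longer sees the port as part of the IP.
# Lines without two "IP.port" pairs (ICMP, ESP, ...) pass through untouched.
pflog_oneline() {
  sed -e 'N;s/\n //;P;D;' |
  sed -e 's/\(.* \)\(\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}\)\.\([0-9]\{1,5\}\)\( .* \)\(\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}\)\.\([0-9]\{1,5\}\)\(.*\)/\1\2:\4\5\6:\8\9/'
}

# Constructed sample records (RFC 5737 addresses): one TCP record that carries
# ports, one ICMP record that does not.
TCP_HEAD='00:00:31.932924 rule 3/0(match): block in on em1: (tos 0x0, ttl 54, id 48381, offset 0, flags [DF], proto TCP (6), length 60)'
TCP_BODY='    192.0.2.10.53883 > 198.51.100.5.80: Flags [S], cksum 0x158f (correct), seq 1628583023, win 14600, length 0'
ICMP_HEAD='00:00:32.100000 rule 3/0(match): block in on em1: (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto ICMP (1), length 84)'
ICMP_BODY='    192.0.2.10 > 198.51.100.5: ICMP echo request, id 4242, seq 1, length 64'

# Emit the four raw lines exactly as tcpdump would hand them to the pipe.
sample_records() {
  printf '%s\n' "$TCP_HEAD" "$TCP_BODY" "$ICMP_HEAD" "$ICMP_BODY"
}

# Run the sample through both stages; prints two single-line records.
run_sample() {
  sample_records | pflog_oneline
}

run_sample
```

The TCP record comes out as one line with `192.0.2.10:53883 > 198.51.100.5:80`, while the ICMP record is only joined: the second sed needs two `IP.port` pairs and so leaves it alone, which is the case thhi's extra patterndb entries exist for. Because `\(.* \)` is greedy, the rewrite only touches the last two dotted-quad-plus-port tokens on a line, so the `tos`/`ttl`/`id` fields in the header are never altered.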
• BBcan177 Moderator

  @thhi:

  The logs from pfsense for ICMP packets (and ESP, IGMP maybe other protocols as well) have more than one space in front of the ip address part (after applying the "oneline" patch). Therefore you need additional patterns in the patterndb.xml file of elsa, i.e.

  Maybe there is a better solution.

  Did you try to post to the ELSA Google Group? Maybe they would have some suggestions?

  https://groups.google.com/forum/#!forum/enterprise-log-search-and-archive
• A Former User

  @jimp:

  If you're on 2.1, add this patch:
  http://files.pfsense.org/jimp/patches/pf-log-oneline-option.diff

  And then check the box on the system log settings to force the firewall logs to one line.

  If you're on 2.0.x, use this patch instead:
  http://files.pfsense.org/jimp/patches/pf-log-oneline-option-2.0.x.diff

  Running 2.1.1. Adding that patch always shows that it cannot be applied. Any tips?
• jimp Rebel Alliance Developer Netgate

  Try this one:

  http://files.pfsense.org/jimp/patches/pf-log-oneline-option-2.1.1.diff
• BBcan177 Moderator

  @jimp:

  Try this one:

  http://files.pfsense.org/jimp/patches/pf-log-oneline-option-2.1.1.diff

  Loading this page comes up with a 403 Forbidden error?
• jimp Rebel Alliance Developer Netgate

  Try again now, I just noticed and fixed that.
• BBcan177 Moderator

  Works.. Thanks Jim.
• A Former User

  @jimp:

  Try this one:

  http://files.pfsense.org/jimp/patches/pf-log-oneline-option-2.1.1.diff

  Can apply that patch now, but it doesn't work. Logs are still split on 2 lines.

  Diagnostics > Command Prompt:

    $ /etc/rc.d/syslogd restart
    Stopping syslogd.
    Starting syslogd.

  Log sample (sanitized):

    2014-04-10T14:38:53+03:00 somehost pf: 00:00:31.932924 rule 3/0(match): block in on em1: (tos 0x0, ttl 54, id 48381, offset 0, flags [DF], proto TCP (6), length 60)
    2014-04-10T14:38:53+03:00 somehost pf:     xxx.xxx.xxx.xxx.53883 > yyy.yyy.yyy.yyy.80: Flags [S], cksum 0x158f (correct), seq 1628583023, win 14600, options [mss 1460,sackOK,TS val 2583988370 ecr 0,nop,wscale 7], length 0
• jimp Rebel Alliance Developer Netgate

  Did you enable the option in the system log settings after applying the patch? It doesn't default to on.
• A Former User

  @jimp:

  Did you enable the option in the system log settings after applying the patch? It doesn't default to on.

  Knew I would brainfart at some point today. Forgot about that setting, will try when I get back and report back.

  Tested after upgrading to 2.1.2 and working as expected after enabling it in the settings. Thank you.
• miloman

  @jimp:

  Try this one:

  http://files.pfsense.org/jimp/patches/pf-log-oneline-option-2.1.1.diff

  Any love for pfSense 2.1.2 and 2.1.3?
• biggsy

  That patch works for me on 2.1.3.
• BBcan177 Moderator

  I have had some issues with this patch also. Worked on most machines, but on one of them I had to remove the patch, reboot and then re-enable the patch to get it to work.
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.