Syslog - Report 'customisation'



  • Is there anywhere that I can reconfigure the report/priority level of the syslog messages - if not can it be added as a 'feature' request

    i.e Packets blocked and passed all come back as 'local0.info' - well to my mind a blocked should not be the same level as a pass - the ability to filter my syslog messages logically has been a pain for a long time - given that a blocked packet results in 2 messages, the first is easy to spot as it contains 'block' but the associated message isn't so easy to align. The problem is that the second line is the one containing the IP of the culprit and destination.

    I can filter on the message type easily - i.e. local0.info or local1.info - but pFSense allocates the same priority/type to a pass message (which I don't care overmuch about but want to retain sometimes for diagnostic purposes) - they are all local0.info - for me a block should be higher in the priority order than a pass.

    This is the list defined by Syslog standards - question is can I customise how the messages from pFSense are allocated a priority.

    Numerical            Facility
                Code

    0            kernel messages
                  1            user-level messages
                  2            mail system
                  3            system daemons
                  4            security/authorization messages
                  5            messages generated internally by syslogd
                  6            line printer subsystem
                  7            network news subsystem
                  8            UUCP subsystem
                  9            clock daemon
                10            security/authorization messages
                11            FTP daemon
                12            NTP subsystem
                13            log audit
                14            log alert
                15            clock daemon (note 2)
                16            local use 0  (local0)
                17            local use 1  (local1)
                18            local use 2  (local2)
                19            local use 3  (local3)
                20            local use 4  (local4)
                21            local use 5  (local5)
                22            local use 6  (local6)
                23            local use 7  (local7)

    PPS : I Know about syslog.conf but this seems to indicate that all rule filter reports (local0.*) go to the local /var/log/filter.log .. this is not what I require - I want to prioritise messages and put in different logs based on priority i.e all blocked go to local1.alert or local1.info


Log in to reply