Netgate Discussion Forum

Problem / Error with enabling Syslog-ng

pfSense Packages
  • M
    michel2013
    last edited by Apr 21, 2014, 11:50 AM

    I'm currently facing some problems with a server that is already running on location. Sometimes the server is unreachable and when I then check I see some swap problems. Don't have the exact error message available right now.

    Currently running pfsense 2.1 with 4Gb ram and 8Gb swap, so something goes wrong seriously.

    To check what goes wrong exactly I want to install a Syslog server to write the log files to the HDD by adding the syslog-ng package.

    My configuration and the error looks like after hitting the save button. When opening services/ Syslog-ng again it is not enabled:

    Changing the /usr/local/etc/syslog-ng.conf file and changing the property @version 3.3 to @version 3.5 doesn't have any effect (after a reboot the header is changed back again to @version 3.3). Still getting the same error on the 'general' tab.

    Any ideas?

    Letting the pfsense system log to an external syslog server is not possible at the moment.

    1 Reply Last reply Reply Quote 0
    • M
      michel2013
      last edited by Apr 24, 2014, 7:45 PM

      It looks like nobody uses the package syslog-ng anymore :-\

      I ended up installing the syslog-ng package manually:

      1: pkg_add -r syslog-ng
      2: Create syslog-ng.conf file in /usr/local/etc (added my config file to the post, !change your localhost ip!)
      3: Add
      ```
      syslog_ng_enable="YES"
      ```
      4: Rename file **/usr/local/etc/rc.d/syslog-ng** to **/usr/local/etc/rc.d/syslog-ng.sh** _--> This should auto start syslog-ng on pfsense startup_
      5: Check if syslog-ng can be started by running from command:
      ```
      /usr/local/etc/rc.d/syslog-ng start
      ```
      6: If it runs, setup log settings pfsense by the web interface. See attached screenshot.
      7: Watch folder /var/log/syslog-ng for new logs  8)
      8: Reboot pfsense if nothing happens
      9: You might want to disable the default syslog in the /etc/default/rc.conf file by setting it to
      ```
      syslogd_enable="NO"
      ```

      Log settings tab:
      ![](http://i.imgur.com/bN53Vgb.png)

      syslog-ng.conf:

      ```
      # Created by Michel
      @version:3.3

      # This sample configuration file is essentially equivalent to the stock
      # FreeBSD /etc/syslog.conf file.

      options { chain-hostnames(off); flush_lines(5); };

      # sources

      source pfsense_logging {
          unix-dgram("/var/run/log");
          unix-dgram("/var/run/logpriv" perm(0600));
          syslog(transport(udp) port(514) ip(192.168.8.110));
          internal();
          #file("/dev/klog");
      };

      # destination

      destination firewall {
          file("/var/log/syslog-ng/$DAY$MONTH$YEAR/filter.log"
          create_dirs(yes));
      };
      destination vpn {
          file("/var/log/syslog-ng/$DAY$MONTH$YEAR/vpn.log"
          create_dirs(yes));
      };
      destination portalauth {
          file("/var/log/syslog-ng/$DAY$MONTH$YEAR/portalauth.log"
          create_dirs(yes));
      };
      destination dhcp {
          file("/var/log/syslog-ng/$DAY$MONTH$YEAR/dhcpd.log"
          create_dirs(yes));
      };
      destination messages {
          file("/var/log/syslog-ng/$DAY$MONTH$YEAR/messages.log"
          create_dirs(yes));
      };
      destination cron {
          file("/var/log/syslog-ng/$DAY$MONTH$YEAR/cron.log"
          create_dirs(yes));
      };
      destination auth {
          file("/var/log/syslog-ng/$DAY$MONTH$YEAR/auth.log"
          create_dirs(yes));
      };
      destination sshlockout {
          program("/usr/local/sbin/sshlockout_pf");
      };

      destination ntpd {
          file("/var/log/syslog-ng/$DAY$MONTH$YEAR/ntpd.log"
          create_dirs(yes));
      };
      destination ipsec {
          file("/var/log/syslog-ng/$DAY$MONTH$YEAR/ipsec.log"
          create_dirs(yes));
      };
      destination openvpn {
          file("/var/log/syslog-ng/$DAY$MONTH$YEAR/openvpn.log"
          create_dirs(yes));
      };

      # Define filters

      # Level Filters

      filter f_emerg { level (emerg); };
      filter f_alert { level (alert .. emerg); };
      filter f_crit { level (crit .. emerg); };
      filter f_err { level (err .. emerg); };
      filter f_warning { level (warning .. emerg); };
      filter f_notice { level (notice .. emerg); };

      # Facility Filters

      filter f_auth { facility(auth, authpriv); };
      filter f_authpriv { facility(authpriv); };
      filter f_syslog { facility (syslog); };
      filter f_cron { facility (cron); };
      #filter f_local0 { facility (local0); };
      filter f_local1 { facility (local1); };
      filter f_local2 { facility (local2); };
      filter f_local3 { facility (local3); };
      filter f_local4 { facility (local4); };
      filter f_local5 { facility (local5); };
      filter f_local6 { facility (local6); };
      filter f_local7 { facility (local7); };
      filter ntp      {program (ntpd); };
      filter f_racoon      {program (racoon); };
      filter f_openvpn      {program (openvpn); };
      #filter f_firewall-drop { facility (local0) and match(regexp value("drop")); };
      filter f_firewall-pass { facility (local0) and match(regexp value("pass")); };

      #log { source(pfsense_logging); filter(f_local0); destination(firewall); };
      log { source(pfsense_logging); filter(f_firewall-pass); destination(firewall); };
      log { source(pfsense_logging); filter(f_local3); destination(vpn); };
      log { source(pfsense_logging); filter(f_local4); destination(portalauth); };
      log { source(pfsense_logging); filter(f_local7); destination(dhcp); };
      #log { source(pfsense_logging); filter(f_cron); destination(cron); };
      log { source(pfsense_logging); filter(f_auth); destination(auth); };
      log { source(pfsense_logging); filter(f_auth); destination(sshlockout); };
      log { source(pfsense_logging); filter(ntp); destination(ntpd); };
      log { source(pfsense_logging); filter(f_racoon); destination(ipsec); };
      log { source(pfsense_logging); filter(f_openvpn); destination(openvpn); };
      log { source(pfsense_logging); destination(messages); };
      ```

      1 Reply Last reply Reply Quote 0
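Added example, not part of the original post or of the syslog-ng package: a small Python check for a config shaped like the one posted above. It reports log paths that reference an undefined source, filter or destination, and objects that are defined but never routed, which is how a log category silently stops reaching its own file. The helper names `strip_comments` and `lint` and the sample text are constructed for illustration.

```python
import re

# Constructed excerpt modelled on the syslog-ng.conf posted above. The last log
# statement is altered on purpose to reference f_local0, whose filter definition
# is commented out in the post.
SAMPLE_CONF = r'''
@version:3.3
source pfsense_logging { unix-dgram("/var/run/log"); internal(); };
destination firewall { file("/var/log/syslog-ng/$DAY$MONTH$YEAR/filter.log" create_dirs(yes)); };
destination cron { file("/var/log/syslog-ng/$DAY$MONTH$YEAR/cron.log" create_dirs(yes)); };
destination messages { file("/var/log/syslog-ng/$DAY$MONTH$YEAR/messages.log" create_dirs(yes)); };
filter f_cron { facility (cron); };
#filter f_local0 { facility (local0); };
filter f_firewall-pass { facility (local0) and match(regexp value("pass")); };
#log { source(pfsense_logging); filter(f_cron); destination(cron); };
log { source(pfsense_logging); filter(f_firewall-pass); destination(firewall); };
log { source(pfsense_logging); filter(f_local0); destination(messages); };
'''

KINDS = ("source", "filter", "destination")
# "source NAME {" style definitions at the start of a line.
DEF_RE = re.compile(r"^\s*(source|filter|destination)\s+([\w.-]+)\s*\{", re.M)
# Body of each "log { ... };" statement (no nested braces in this config style).
LOG_RE = re.compile(r"^\s*log\s*\{(.*?)\}\s*;", re.M | re.S)
# "source(NAME)" style references inside a log statement.
REF_RE = re.compile(r"\b(source|filter|destination)\s*\(\s*([\w.-]+)\s*\)")

def strip_comments(text):
    """Drop whole-line '#' comments, the only comment form the posted file uses."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))

def lint(conf_text):
    """Return (undefined_references, unused_definitions) as sorted (kind, name) lists."""
    text = strip_comments(conf_text)
    defined = {k: set() for k in KINDS}
    used = {k: set() for k in KINDS}
    for kind, name in DEF_RE.findall(text):
        defined[kind].add(name)
    for body in LOG_RE.findall(text):
        for kind, name in REF_RE.findall(body):
            used[kind].add(name)
    undefined = sorted((k, n) for k in KINDS for n in used[k] - defined[k])
    unused = sorted((k, n) for k in KINDS for n in defined[k] - used[k])
    return undefined, unused

if __name__ == "__main__":
    undefined, unused = lint(SAMPLE_CONF)
    print("undefined references:", undefined)
    print("defined but never routed:", unused)
```
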
      • M
        michel2013
        last edited by Apr 25, 2014, 2:28 PM

        One extra note:

        After setting up everything as described earlier I see the following in the System Activity screen:
        So it seems when running syslog-ng as server it consumes some of your CPU resources.

        1 Reply Last reply Reply Quote 0