Netgate Discussion Forum

    Pass username in syslog message

    Captive Portal
    • J
      Josef
      last edited by

      Hello,

      I am sending firewall logs to a syslog server. So I have 'Firewall Events' ticked in the remote logging options.
      So it sends a syslog message to my syslog server upon each connection with all the relevant IP information.

      I have a captive portal configuration.
      What I would like is the username of the authenticated user to be passed in the syslog message so that I have a per user audit trail for each connection.
      This is a public service and I need to keep a record of this for lawful reasons.

      Does anyone know how I could go about this?
      Am I asking a bit much here?

      Thanks all.

      • GertjanG
        Gertjan
        last edited by

        @Josef:

        I have a captive portal configuration.
        What I would like is the username of the authenticated user to be passed in the syslog message so that I have a per user audit trail for each connection.
        This is a public service and I need to keep a record of this for lawful reasons.

        This is how it works by default.

        Look at my Portal syslog:

        06-23-2014	17:08:41	Local4.Info	192.168.1.1	Jun 23 17:08:47 logportalauth[41345]: LOGIN: 202, a0:0b:ba:e4:ff:c1, 192.168.2.40
        06-23-2014	17:01:11	Local4.Info	192.168.1.1	Jun 23 17:01:18 logportalauth[41345]: LOGIN: 203, 9c:02:98:8c:ff:73, 192.168.2.34
        06-23-2014	16:56:54	Local4.Info	192.168.1.1	Jun 23 16:57:01 logportalauth[41345]: LOGIN: 203, e8:92:a4:dd:4c:9e, 192.168.2.69
        06-23-2014	16:54:37	Local4.Info	192.168.1.1	Jun 23 16:54:44 logportalauth[19187]: LOGIN: 203, 78:4b:87:ff:0b:49, 192.168.2.33
        06-23-2014	11:22:20	Local4.Info	192.168.1.1	Jun 23 11:22:26 logportalauth[91810]: TIMEOUT: 104, 08:3e:ff:69:88:cc, 192.168.2.31
        06-23-2014	10:48:10	Local4.Info	192.168.1.1	Jun 23 10:48:16 logportalauth[78476]: TIMEOUT: 203, 78:4b:ff:76:0b:49, 192.168.2.33
        06-23-2014	10:37:07	Local4.Info	192.168.1.1	Jun 23 10:37:13 logportalauth[95097]: TIMEOUT: 203, e8:ff:a4:dd:4c:9e, 192.168.2.69
        06-23-2014	09:41:27	Local4.Info	192.168.1.1	Jun 23 09:41:33 logportalauth[41345]: LOGIN: 203, 78:4b:87:76:0b:49, 192.168.2.33
        06-23-2014	09:02:05	Local4.Info	192.168.1.1	Jun 23 09:02:11 logportalauth[41345]: LOGIN: 104, 08:3e:ff:69:88:cc, 192.168.2.31
        06-23-2014	08:42:36	Local4.Info	192.168.1.1	Jun 23 08:42:42 logportalauth[53383]: TIMEOUT: 214, 78:ff:b6:fa:8e:2e, 192.168.2.39
        06-23-2014	07:37:02	Local4.Info	192.168.1.1	Jun 23 07:37:08 logportalauth[19187]: LOGIN: 214, 78:e8:ff:fa:8e:2e, 192.168.2.39
        06-23-2014	06:59:36	Local4.Info	192.168.1.1	Jun 23 06:59:42 logportalauth[19187]: LOGIN: 203, e8:92:a4:ff:4c:9e, 192.168.2.69
        06-23-2014	03:29:10	Local4.Info	192.168.1.1	Jun 23 03:29:16 logportalauth[9299]: TIMEOUT: 203, e8:92:a4:dd:4c:9e, 192.168.2.69
        06-23-2014	02:59:01	Local4.Info	192.168.1.1	Jun 23 02:59:07 logportalauth[96770]: TIMEOUT: 206, 94:ff:c9:01:10:81, 192.168.2.38
        06-23-2014	01:38:01	Local4.Info	192.168.1.1	Jun 23 01:38:07 logportalauth[19187]: LOGIN: 206, 94:db:c9:ff:10:81, 192.168.2.38
        06-23-2014	01:13:33	Local4.Info	192.168.1.1	Jun 23 01:13:38 logportalauth[4990]: TIMEOUT: 206, 94:db:c9:01:ff:81, 192.168.2.38
        06-22-2014	23:42:43	Local4.Info	192.168.1.1	Jun 22 23:42:49 logportalauth[41345]: LOGIN: 206, 94:db:ff:01:10:81, 192.168.2.38
        

        103, 203, 104, 214 etc are my 'User names' I declared in the pfSense Local User Manager.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • J
          Josef
          last edited by

          Oh right.
          Must be something else wrong in my config.
          Or my syslog server is not parsing the message correctly.

          Thanks very much for clearing that up.
          That's excellent!

          • J
            Josef
            last edited by

            This is only the syslog messages for the captive portal.
            I would like each firewall event, showing the src/dst IPs for each connection, to be populated with the username.
            Not just captive portal user logins.

            Is it possible to do that?

            • GertjanG
              Gertjan
              last edited by

              I guess so.
              Add a pass-firewall rule that only triggers with the first SYN packet between IP-client and IP-destination (no need to handle the rest).
              You should later on add the relationship between IP and login in USER, this is impossible to 'lookup' at execution time of the firewall - and IP-destination and its reverse.

              But: this is pure theory. I leave it up to our government to track what users visit ;)

              With already a couple of portal clients connected your pfSense box will bog down quickly. The syslog will probably not follow either.

              If you need to track users this way, you need some (very!) serious hardware - maybe some (pfsense) packages will fit your need.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??
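
Added example, not part of the thread: one way to do the after-the-fact join described in the last reply, attributing logged firewall events to portal users by source IP and login time window. The portal lines are copied from the post above; the firewall events, their simplified (time, source, destination) shape and all function names are constructed for illustration and are not pfSense's filter log format.

```python
import re
from datetime import datetime

# Portal lines copied from the post above: receiver prefix (gives the year), then the device's stamp.
PORTAL_LOG = """\
06-23-2014\t16:54:37\tLocal4.Info\t192.168.1.1\tJun 23 16:54:44 logportalauth[19187]: LOGIN: 203, 78:4b:87:ff:0b:49, 192.168.2.33
06-23-2014\t10:48:10\tLocal4.Info\t192.168.1.1\tJun 23 10:48:16 logportalauth[78476]: TIMEOUT: 203, 78:4b:ff:76:0b:49, 192.168.2.33
06-23-2014\t09:41:27\tLocal4.Info\t192.168.1.1\tJun 23 09:41:33 logportalauth[41345]: LOGIN: 203, 78:4b:87:76:0b:49, 192.168.2.33
06-23-2014\t09:02:05\tLocal4.Info\t192.168.1.1\tJun 23 09:02:11 logportalauth[41345]: LOGIN: 104, 08:3e:ff:69:88:cc, 192.168.2.31
"""
# Constructed firewall events (time, source, destination); not pfSense's filter log format.
FW_EVENTS = [
    ("2014-06-23 08:00:00", "192.168.2.31", "198.51.100.7:443"),
    ("2014-06-23 09:30:00", "192.168.2.31", "198.51.100.7:443"),
    ("2014-06-23 10:50:00", "192.168.2.33", "203.0.113.9:80"),
    ("2014-06-23 17:00:00", "192.168.2.33", "198.51.100.7:443"),
]
LINE = re.compile(r"^\d\d-\d\d-(\d{4})\t.*?\t(\w{3} +\d+ \d\d:\d\d:\d\d) logportalauth\[\d+\]: "
                  r"(LOGIN|TIMEOUT): ([^,]+), ([0-9A-Fa-f:]{17}), (\d+(?:\.\d+){3})\s*$")

def build_sessions(log_text):
    # Returns ip -> list of [start, end, user]; end stays None while the session is open.
    events = []
    for line in log_text.splitlines():
        if (m := LINE.match(line)):
            year, stamp, kind, user, _mac, ip = m.groups()
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            events.append((ts, kind, user, ip))
    sessions = {}
    for ts, kind, user, ip in sorted(events):
        runs = sessions.setdefault(ip, [])
        if runs and runs[-1][1] is None:
            runs[-1][1] = ts  # closed by TIMEOUT, or by a newer LOGIN on the same IP
        if kind == "LOGIN":
            runs.append([ts, None, user])
    return sessions

def user_at(sessions, ip, when):
    # The IP alone is not enough: addresses are reused, so the time window decides.
    for start, end, user in sessions.get(ip, []):
        if start <= when and (end is None or when < end):
            return user
    return None

def annotate(sessions, fw_events):
    return [(t, s, d, user_at(sessions, s, datetime.strptime(t, "%Y-%m-%d %H:%M:%S")) or "-")
            for t, s, d in fw_events]

if __name__ == "__main__":
    print(*annotate(build_sessions(PORTAL_LOG), FW_EVENTS), sep="\n")
```

Events that fall outside any login window come back as "-", which is the case to review rather than guess at: either the portal log is incomplete or the traffic did not come from an authenticated client.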
