Pass username in syslog message



  • Hello,

    I am sending firewall logs to a syslog server. So I have 'Firewall Events' ticked in the remote logging options.
    So it sends a syslog message to my syslog server upon each connection with all the relevant IP information.

    I have a captive portal configuration.
    What I would like is for the username of the authenticated user to be passed in the syslog message, so that I have a per-user audit trail for each connection.
    This is a public service and I need to keep a record of this for lawful reasons.

    Does anyone know how I could go about this?
    Am I asking a bit much here?

    Thanks all.



  • @Josef:

    I have a captive portal configuration.
    What I would like is for the username of the authenticated user to be passed in the syslog message, so that I have a per-user audit trail for each connection.
    This is a public service and I need to keep a record of this for lawful reasons.

    This is how it works by default.

    Look at my Portal syslog:

    06-23-2014	17:08:41	Local4.Info	192.168.1.1	Jun 23 17:08:47 logportalauth[41345]: LOGIN: 202, a0:0b:ba:e4:ff:c1, 192.168.2.40
    06-23-2014	17:01:11	Local4.Info	192.168.1.1	Jun 23 17:01:18 logportalauth[41345]: LOGIN: 203, 9c:02:98:8c:ff:73, 192.168.2.34
    06-23-2014	16:56:54	Local4.Info	192.168.1.1	Jun 23 16:57:01 logportalauth[41345]: LOGIN: 203, e8:92:a4:dd:4c:9e, 192.168.2.69
    06-23-2014	16:54:37	Local4.Info	192.168.1.1	Jun 23 16:54:44 logportalauth[19187]: LOGIN: 203, 78:4b:87:ff:0b:49, 192.168.2.33
    06-23-2014	11:22:20	Local4.Info	192.168.1.1	Jun 23 11:22:26 logportalauth[91810]: TIMEOUT: 104, 08:3e:ff:69:88:cc, 192.168.2.31
    06-23-2014	10:48:10	Local4.Info	192.168.1.1	Jun 23 10:48:16 logportalauth[78476]: TIMEOUT: 203, 78:4b:ff:76:0b:49, 192.168.2.33
    06-23-2014	10:37:07	Local4.Info	192.168.1.1	Jun 23 10:37:13 logportalauth[95097]: TIMEOUT: 203, e8:ff:a4:dd:4c:9e, 192.168.2.69
    06-23-2014	09:41:27	Local4.Info	192.168.1.1	Jun 23 09:41:33 logportalauth[41345]: LOGIN: 203, 78:4b:87:76:0b:49, 192.168.2.33
    06-23-2014	09:02:05	Local4.Info	192.168.1.1	Jun 23 09:02:11 logportalauth[41345]: LOGIN: 104, 08:3e:ff:69:88:cc, 192.168.2.31
    06-23-2014	08:42:36	Local4.Info	192.168.1.1	Jun 23 08:42:42 logportalauth[53383]: TIMEOUT: 214, 78:ff:b6:fa:8e:2e, 192.168.2.39
    06-23-2014	07:37:02	Local4.Info	192.168.1.1	Jun 23 07:37:08 logportalauth[19187]: LOGIN: 214, 78:e8:ff:fa:8e:2e, 192.168.2.39
    06-23-2014	06:59:36	Local4.Info	192.168.1.1	Jun 23 06:59:42 logportalauth[19187]: LOGIN: 203, e8:92:a4:ff:4c:9e, 192.168.2.69
    06-23-2014	03:29:10	Local4.Info	192.168.1.1	Jun 23 03:29:16 logportalauth[9299]: TIMEOUT: 203, e8:92:a4:dd:4c:9e, 192.168.2.69
    06-23-2014	02:59:01	Local4.Info	192.168.1.1	Jun 23 02:59:07 logportalauth[96770]: TIMEOUT: 206, 94:ff:c9:01:10:81, 192.168.2.38
    06-23-2014	01:38:01	Local4.Info	192.168.1.1	Jun 23 01:38:07 logportalauth[19187]: LOGIN: 206, 94:db:c9:ff:10:81, 192.168.2.38
    06-23-2014	01:13:33	Local4.Info	192.168.1.1	Jun 23 01:13:38 logportalauth[4990]: TIMEOUT: 206, 94:db:c9:01:ff:81, 192.168.2.38
    06-22-2014	23:42:43	Local4.Info	192.168.1.1	Jun 22 23:42:49 logportalauth[41345]: LOGIN: 206, 94:db:ff:01:10:81, 192.168.2.38
    

    103, 203, 104, 214 etc are my 'User names' I declared in the pfSense Local User Manager.



  • Oh right.
    Must be something else wrong in my config.
    Or my syslog server is not parsing the message correctly.

    Thanks very much for clearing that up.
    That's excellent!



  • This is only the syslog messages for the captive portal.
    I would like each firewall event, showing the src/dst IPs for each connection, to be populated with the username.
    Not just captive portal user logins.

    Is it possible to do that?



  • I guess so.
    Add a pass-firewall rule that only triggers with the first SYN packet between IP-client and IP-destination (no need to handle the rest).
    You should later on add the relationship between IP and login in USER; this is impossible to 'look up' at execution time of the firewall - and IP-destination and its reverse.

    But: this is pure theory. I leave it up to our government to track what users visit ;)

    With only a couple of portal clients connected, your pfSense box will bog down quickly. The syslog will probably not keep up either.

    If you need to track users this way, you need some (very!) serious hardware - maybe some (pfSense) packages will fit your need.
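The post-hoc correlation described above (join firewall events to captive portal LOGIN/TIMEOUT records by client IP and time), as an added example that is not part of the thread or of pfSense itself. It parses the `logportalauth` message format shown earlier in the thread; the sample lines and the simplified firewall event tuples are constructed, and treating any non-LOGIN event as closing a session is an assumption.

```python
import re
from datetime import datetime

# Constructed sample lines in the logportalauth format quoted in the thread
PORTAL_LOG = """\
Jun 23 09:41:33 logportalauth[41345]: LOGIN: 203, 78:4b:87:76:0b:49, 192.168.2.33
Jun 23 10:48:16 logportalauth[78476]: TIMEOUT: 203, 78:4b:ff:76:0b:49, 192.168.2.33
Jun 23 16:54:44 logportalauth[19187]: LOGIN: 203, 78:4b:87:ff:0b:49, 192.168.2.33
Jun 23 17:08:47 logportalauth[41345]: LOGIN: 202, a0:0b:ba:e4:ff:c1, 192.168.2.40
"""

# Constructed firewall events, simplified to (timestamp, src_ip, dst_ip)
FW_EVENTS = [
    ("Jun 23 10:02:00", "192.168.2.33", "93.184.216.34"),  # inside first session
    ("Jun 23 12:00:00", "192.168.2.33", "93.184.216.34"),  # after TIMEOUT, before re-login
    ("Jun 23 17:10:00", "192.168.2.40", "1.1.1.1"),        # inside user 202's session
]

PORTAL_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) logportalauth\[\d+\]: "
    r"(\w+): ([^,]+), ([0-9a-f:]+), (\S+)$")

def parse_ts(s, year=2014):
    # syslog timestamps carry no year; the year is supplied by the caller (assumption)
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")

def build_sessions(text):
    """Return (ip, user, mac, start, end) intervals; end is None while still open."""
    sessions, open_by_ip = [], {}
    for line in text.splitlines():
        m = PORTAL_RE.match(line)
        if not m:
            continue
        ts, event, user, mac, ip = m.groups()
        t = parse_ts(ts)
        if event == "LOGIN":
            if ip in open_by_ip:  # re-login with no close: end the previous session here
                sessions.append(open_by_ip.pop(ip) + (t,))
            open_by_ip[ip] = (ip, user, mac, t)
        elif ip in open_by_ip:   # TIMEOUT (or any other event) closes the open session
            sessions.append(open_by_ip.pop(ip) + (t,))
    sessions.extend(s + (None,) for s in open_by_ip.values())
    return sessions

def attribute(events, sessions):
    """Tag each firewall event with the portal user logged in from its source IP at that time."""
    out = []
    for ts, src, dst in events:
        t = parse_ts(ts)
        user = next((u for ip, u, _, start, end in sessions
                     if ip == src and start <= t and (end is None or t < end)), None)
        out.append((ts, src, dst, user))  # None = no authenticated user for that IP then
    return out
```

The join is only as trustworthy as the portal records: an IP reused by another client before a TIMEOUT is logged will be mis-attributed, so keep the MAC from the LOGIN line alongside the result when this is used as an audit trail.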