Pass username in syslog message
-
Hello,
I am sending firewall logs to a syslog server. So I have 'Firewall Events' ticked in the remote logging options.
So it sends a syslog message to my syslog server upon each connection with all the relevant IP information. I have a captive portal configuration.
What I would like, is the username of the authenticated user to be passed in the syslog message so that I have a per user audit trail for each connection.
This is a public service and I need to keep a record of this for lawful reasons. Does anyone know how I could go about this?
Am I asking a bit much here? Thanks all.
-
I have a captive portal configuration.
What I would like, is the username of the authenticated user to be passed in the syslog message so that I have a per user audit trail for each connection.
This is a public service and I need to keep a record of this for lawful reasons.

This is how it works by default.
Look at my Portal syslog:
06-23-2014 17:08:41 Local4.Info 192.168.1.1 Jun 23 17:08:47 logportalauth[41345]: LOGIN: 202, a0:0b:ba:e4:ff:c1, 192.168.2.40
06-23-2014 17:01:11 Local4.Info 192.168.1.1 Jun 23 17:01:18 logportalauth[41345]: LOGIN: 203, 9c:02:98:8c:ff:73, 192.168.2.34
06-23-2014 16:56:54 Local4.Info 192.168.1.1 Jun 23 16:57:01 logportalauth[41345]: LOGIN: 203, e8:92:a4:dd:4c:9e, 192.168.2.69
06-23-2014 16:54:37 Local4.Info 192.168.1.1 Jun 23 16:54:44 logportalauth[19187]: LOGIN: 203, 78:4b:87:ff:0b:49, 192.168.2.33
06-23-2014 11:22:20 Local4.Info 192.168.1.1 Jun 23 11:22:26 logportalauth[91810]: TIMEOUT: 104, 08:3e:ff:69:88:cc, 192.168.2.31
06-23-2014 10:48:10 Local4.Info 192.168.1.1 Jun 23 10:48:16 logportalauth[78476]: TIMEOUT: 203, 78:4b:ff:76:0b:49, 192.168.2.33
06-23-2014 10:37:07 Local4.Info 192.168.1.1 Jun 23 10:37:13 logportalauth[95097]: TIMEOUT: 203, e8:ff:a4:dd:4c:9e, 192.168.2.69
06-23-2014 09:41:27 Local4.Info 192.168.1.1 Jun 23 09:41:33 logportalauth[41345]: LOGIN: 203, 78:4b:87:76:0b:49, 192.168.2.33
06-23-2014 09:02:05 Local4.Info 192.168.1.1 Jun 23 09:02:11 logportalauth[41345]: LOGIN: 104, 08:3e:ff:69:88:cc, 192.168.2.31
06-23-2014 08:42:36 Local4.Info 192.168.1.1 Jun 23 08:42:42 logportalauth[53383]: TIMEOUT: 214, 78:ff:b6:fa:8e:2e, 192.168.2.39
06-23-2014 07:37:02 Local4.Info 192.168.1.1 Jun 23 07:37:08 logportalauth[19187]: LOGIN: 214, 78:e8:ff:fa:8e:2e, 192.168.2.39
06-23-2014 06:59:36 Local4.Info 192.168.1.1 Jun 23 06:59:42 logportalauth[19187]: LOGIN: 203, e8:92:a4:ff:4c:9e, 192.168.2.69
06-23-2014 03:29:10 Local4.Info 192.168.1.1 Jun 23 03:29:16 logportalauth[9299]: TIMEOUT: 203, e8:92:a4:dd:4c:9e, 192.168.2.69
06-23-2014 02:59:01 Local4.Info 192.168.1.1 Jun 23 02:59:07 logportalauth[96770]: TIMEOUT: 206, 94:ff:c9:01:10:81, 192.168.2.38
06-23-2014 01:38:01 Local4.Info 192.168.1.1 Jun 23 01:38:07 logportalauth[19187]: LOGIN: 206, 94:db:c9:ff:10:81, 192.168.2.38
06-23-2014 01:13:33 Local4.Info 192.168.1.1 Jun 23 01:13:38 logportalauth[4990]: TIMEOUT: 206, 94:db:c9:01:ff:81, 192.168.2.38
06-22-2014 23:42:43 Local4.Info 192.168.1.1 Jun 22 23:42:49 logportalauth[41345]: LOGIN: 206, 94:db:ff:01:10:81, 192.168.2.38
103, 203, 104, 214, etc. are my 'User names' that I declared in the pfSense Local User Manager.
-
Oh right.
Must be something else wrong in my config.
Or my syslog server is not parsing the message correctly. Thanks very much for clearing that up.
That's excellent!
-
This is only the syslog messages for the captive portal.
I would like that each firewall event, showing the src/dst IP's for each connection to be populated with the username.
Not just captive portal user logins. Is it possible to do that?
-
I guess so.
Add a pass-firewall rule that only triggers on the first SYN packet between IP-client and IP-destination (no need to handle the rest).
You should later on add the relationship between IP and login in USER; this is impossible to 'lookup' at execution time of the firewall - and IP-destination and its reverse. But: this is pure theory. I leave it up to our government to track what users visit ;)
With already a couple of portal clients connected, your pfSense box will bog down quickly. The syslog will probably not follow either.
If you need to track users this way, you need some (very!) serious hardware - maybe some (pfSense) packages will fit your need.
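The join between client IP and portal login that the reply above says cannot happen at rule-execution time can be done afterwards on the syslog server. As an added example (not from this thread or from pfSense), the Python below builds per-IP sessions from logportalauth LOGIN/TIMEOUT lines in the format shown earlier and tags each firewall event with the user whose session covered its source IP at that moment. The firewall line format, destination addresses and the 2014 year are constructed assumptions; real pfSense filterlog records are CSV and would need their own parser.

```python
import re
from datetime import datetime

# Three logportalauth lines from the thread, minus the syslog receiver's "06-23-2014 ... 192.168.1.1" prefix.
PORTAL_LOG = [
    "Jun 23 09:02:11 logportalauth[41345]: LOGIN: 104, 08:3e:ff:69:88:cc, 192.168.2.31",
    "Jun 23 11:22:26 logportalauth[91810]: TIMEOUT: 104, 08:3e:ff:69:88:cc, 192.168.2.31",
    "Jun 23 17:08:47 logportalauth[41345]: LOGIN: 202, a0:0b:ba:e4:ff:c1, 192.168.2.40",
]
# Constructed firewall lines in a simplified format; real pfSense filterlog records are CSV.
FW_LOG = [
    "Jun 23 10:00:00 fw: src=192.168.2.31 dst=203.0.113.10:443",
    "Jun 23 11:30:00 fw: src=192.168.2.31 dst=203.0.113.10:443",
    "Jun 23 17:09:02 fw: src=192.168.2.40 dst=198.51.100.7:80",
]
TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)"
PORTAL_RE = re.compile(TS + r" logportalauth\[\d+\]: (?P<event>[A-Z ]+): "
                       r"(?P<user>[^,]+), (?P<mac>[0-9a-fA-F:]+), (?P<ip>[\d.]+)$")
FW_RE = re.compile(TS + r" fw: src=(?P<src>[\d.]+) dst=(?P<dst>\S+)$")
parse_ts = lambda ts: datetime.strptime("2014 " + ts, "%Y %b %d %H:%M:%S")  # BSD syslog has no year; thread is June 2014

def build_sessions(portal_lines):
    """Map client IP -> list of [user, login_time, end_time or None]."""
    sessions = {}
    for m in filter(None, map(PORTAL_RE.match, portal_lines)):
        ts, user, ip = parse_ts(m["ts"]), m["user"].strip(), m["ip"]
        open_ones = [s for s in sessions.get(ip, []) if s[2] is None]
        if m["event"] == "LOGIN":
            for s in open_ones:  # a new LOGIN on the same IP ends whatever was still open there
                s[2] = ts
            sessions.setdefault(ip, []).append([user, ts, None])
        else:  # the thread shows TIMEOUT; treat any non-LOGIN event for this user as the session end
            for s in open_ones:
                if s[0] == user:
                    s[2] = ts
    return sessions

def user_for(sessions, ip, ts):
    """Username whose portal session covered ip at ts, else None (pre-login or expired traffic)."""
    return next((u for u, start, end in sessions.get(ip, [])
                 if start <= ts and (end is None or ts <= end)), None)

def enrich(portal_lines, fw_lines):
    """Return (timestamp, user or None, src, dst) for every parsable firewall line."""
    sessions = build_sessions(portal_lines)
    rows = []
    for m in filter(None, map(FW_RE.match, fw_lines)):
        ts = parse_ts(m["ts"])
        rows.append((ts, user_for(sessions, m["src"], ts), m["src"], m["dst"]))
    return rows
```

Events from an IP with no covering session (before LOGIN or after TIMEOUT) come back with `None`, which is the gap an audit trail has to surface rather than silently attribute to the last known user.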