Syslog-ng configuration

anass · Jul 15, 2014, 3:15 PM

Hello,

i'm a newbe to pfSense, i installed syslog-ng pacage to store logs since the default syslog serveur dosn't save more thane 500ko per file. any way, whine i try to start the package i got an error , i tryed evrething but nothing gonna to work.

the error message in the attahments

please if any body can help me, i really need this to works.

thank you any way

dgcom · Jul 15, 2014, 4:47 AM

Edit file /usr/local/pkg/syslog-ng.inc - find

$conf .= "@version:3.3\n";

And replace it with

$conf .= "@version:3.5\n";

Save file, then go, and enable syslog-ng in its general settings - it will now successfully verify syntax and will generate /usr/local/etc/rc.d/syslog-ng.sh which is used to start service.

If package is update, service will continue to autostart successfully. It may refuse to save settings if you change something - in this case, go and repeat fix again…

This problem is in the package for some time already and it is sad that no one test this before releasing updates.
I might try and submit bug, but last time I tried, I could not for some reason...

anass · Jul 15, 2014, 1:13 PM

thank you dgcom for your response.
now it's starts normally, but it does not log anything.
i wonder if there is a howto for syslog-ng configuration, for things like filters(to separate firewall logs from openvpn logs…).
:)

dgcom · Jul 15, 2014, 2:20 PM

The documentation on syslog-ng contains all information how to configure destinations, sources and filters The syslog-ng Open Source Edition 3.5 Administrator Guide

As far as logging goes - what do you expect it to log? You have to configure clients to send syslog messages to it. It is not set to default port 514, because local syslog uses it…
I know, people use syslog-ng as an extension to default pfSense logging - to keep logs for longer, than circular log allows.

anass · Jul 15, 2014, 2:45 PM

i want to use syslog-ng as an extension to default pfSense logging, i want log evreything logged by pfsense (firewall, system, dhcp…)
i tryed to use the documontation and some posts, i can save the sittings but no file generited for the logs (dhcpd.log , filter.log ...)

# This file is automatically generated by pfSense
# Do not edit manually !
@version:3.5
destination _DEFAULT { file("/var/syslog-ng/default.log"); };
destination dhcp { file("/var/syslog-ng/dhcpd.log"); };
destination firewall { file("/var/syslog-ng/filter.log"); };
destination message { file("/var/syslog-ng/messages.log"); };
destination ntpd { file("/var/syslog-ng/ntpd.log" ); };
filter f_alert { level (alert .. emerg); };
filter f_crit { level (crit .. emerg); };
filter f_emerg { level (emerg); };
filter f_err { level (err .. emerg); };
filter f_firewall { facility (local0); };
filter f_firewall-drop { facility (local0) and match(regexp value("drop")); };
filter f_firewall-pass { facility (local0) and match(regexp value("pass")); };
filter f_local7 { facility (local7); };
filter f_notice { level (notice .. emerg); };
filter f_warning { level (warning .. emerg); };
filter ntp {program (ntpd); };
log { source(_DEFAULT); destination(_DEFAULT); };
log { source(_DEFAULT); filter(f_local7); destination(dhcp); };
log { source(_DEFAULT); filter(f_firewall); destination(firewall); };
log { source(_DEFAULT); filter(f_firewall-drop); destination(firewall); };
log { source(_DEFAULT); filter(f_firewall-pass); destination(firewall); };
log { source(_DEFAULT); filter(ntp); destination(ntpd); };
source _DEFAULT { internal(); syslog(transport(udp) port(5140) ip(192.168.1.226) ip(127.0.0.1)); };

dgcom · Jul 15, 2014, 2:55 PM

Did you configure pfSense to send logs to syslog-ng?
On Status: System logs: Settings page, enable remote logging - set it to log to your syslog-ng instance. Make sure that IP address corresponds to the interface selected in syslog-ng settings (I would use loopback if I there is no need to receive logs from external servers) and specify port for syslog-ng as well.

I do not know how good it would work for this - I do not use it like that.

anass · Jul 15, 2014, 3:04 PM

i use loopback address for remote syslog server and its work now thank you for helping me

i have one last question : now i can see logs in Syslog-ng Log Viewer , is there a way to reverse the view (newest first)

dgcom · Jul 15, 2014, 3:08 PM

That I do not know - I think it just shows files, written by syslog-ng and they are appended at the end.

anass · Jul 15, 2014, 3:14 PM

thank you for your help ;D