Remote syslog: Both master and backup logging simultaneously



  • Hi,

    I have set up remote syslog and that works fine. We have two pfSense firewalls running in CARP HA. But both of them are logging at the same time, which means that e.g. broadcast traffic hitting both of the firewalls will generate two log entries on the syslog server. Is it possible to limit logging to only the master pfsense?

    Lars


  • Rebel Alliance Developer Netgate

    No, and you really don't want to. So long as you give them each a unique hostname (which you should be doing anyhow), you can filter the logs entries to separate files on the syslog server.



  • What Jim said. And you should put in block rules to block and not log noise like broadcasts so you're not putting a bunch of useless data into your logs.



  • @jimp:

    No, and you really don't want to. So long as you give them each a unique hostname (which you should be doing anyhow), you can filter the logs entries to separate files on the syslog server.

    Thanks - I already did the filtering. I'll just put some non-logging block rules up for broadcast and multicast traffic to limit the noise.

    By the way, for users googling this thread: To separate logging on rsyslog (in case you're on linux), do this:

    
    :FROMHOST-IP, isequal, "192.168.10.3" /var/log/pfsense/pfsense-01.log
    & ~
    
    :FROMHOST-IP, isequal, "192.168.10.4" /var/log/pfsense/pfsense-02.log
    & ~
    
    

    Lars