Sending rule description field and rule changes audit via syslog in pf 2.2
-
Hi,
I've upgraded to 2.2 and noticed the audit log changes described here:
https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2
I have two questions:
1. Is it possible to edit the format in such way - it will send the rule description as well (besides the rule id) via syslog?
2. Is it possible to receive an audit for rule/object modifications, for example: "rule 10 was changed by user x", "IP added to alias", etc.? Thanks!
-
Currently, the answer to both is no.
-
4 years later, still true with pfSense 2.4.4.
I need the rule description in the syslog output, too!
If somebody could point me in the right direction, maybe I can modify a script or config file?
Thanks all.
-
301,,,1535801592,pppoe0,match,block,in,4,0x0,,243,61189,0,DF,6,tcp,40,185.53.88.19,x.x.x.x,239,8081,0,S,2859,,512,,
It does include the tracking ID if that's any help.
-
Yes, absolutely. Thank you for pointing that out.
From the reference:
https://www.netgate.com/docs/pfsense/monitoring/filter-log-format-for-pfsense-2-2.html
In a remote log, the fifth field is:
<tracker> ::= <integer> -- Unique ID per rule, tracker ID is stored with the rule in config.xml for user added rules, or check /tmp/rules.debug
I need to figure out how to use that number from my syslog server to look up the rule description. So far, I'm closer, now using Splunk to run a script:
| script pfsenselookup 1000000105
where pfsenselookup.py is
import sys
import os
import shlex

# Tracker ID handed over by the Splunk search, e.g. 1000000105
matchstring = ' '.join(sys.argv[1:])
# shlex.quote keeps a crafted argument from altering the remote command line
os.system("ssh user@192.168.1.1 pfctl -vvsr | grep '^@' | grep -- {matchstring}".format(matchstring=shlex.quote(matchstring)))
For example, the result:
@11(1000000105) block drop in log inet6 all label "Default deny rule IPv6"
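To do the same lookup on the syslog server side without an ssh call per event, the following is an added example (not code from this thread or from pfSense) that parses a saved `pfctl -vvsr` listing into a tracker-to-description map and joins it onto remote filterlog lines. It assumes the IPv4 field layout of the 2.2 format as shown in the sample line above (rule number, sub-rule number, anchor, tracker, interface, reason, action, direction, IP version, then the IPv4 header fields); the rule listing and log lines below are constructed samples, and IPv6 lines only get the common leading fields.

```python
import csv
import re

# Constructed sample of `pfctl -vvsr` output: "@<index>(<tracker>) ... label "<description>""
PFCTL_RULES = """\
@11(1000000105) block drop in log inet6 all label "Default deny rule IPv6"
@12(1535801592) block drop in log quick on pppoe0 inet from any to any label "Block bogon networks"
@13(1535801593) pass in log quick on em1 inet proto tcp from any to any port = 22 flags S/SA keep state label "USER_RULE: allow ssh"
@14(1535801594) pass out on em0 inet all
"""

# Constructed remote-syslog filterlog lines (IPv4 layout of the 2.2 format).
FILTERLOG_LINES = [
    "Sep  1 12:13:12 fw filterlog: 301,,,1535801592,pppoe0,match,block,in,4,0x0,,243,61189,0,DF,6,tcp,40,198.51.100.19,203.0.113.5,239,8081,0,S,2859,,512,,",
    "Sep  1 12:13:13 fw filterlog: 305,,,1535801593,em1,match,pass,in,4,0x0,,64,1,0,DF,6,tcp,60,192.0.2.10,203.0.113.5,51234,22,0,S,1,,65535,,",
    "Sep  1 12:13:14 fw filterlog: 9,,,4242,em0,match,block,in,4,0x0,,64,2,0,none,17,udp,80,192.0.2.11,203.0.113.5,5353,5353,60,",
]

RULE_RE = re.compile(r'^@(\d+)\((\d+)\)\s+(.*)$')
LABEL_RE = re.compile(r'label "((?:[^"\\]|\\.)*)"')

def build_tracker_map(pfctl_output):
    """Map tracker ID -> rule description from `pfctl -vvsr` output.
    Rules without a label get the rule text itself as the description."""
    trackers = {}
    for line in pfctl_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        label = LABEL_RE.search(m.group(3))
        trackers[m.group(2)] = label.group(1) if label else m.group(3)
    return trackers

def enrich_filterlog(line, trackers):
    """Parse one filterlog syslog line and attach the rule description.
    Returns None for syslog lines that are not filterlog messages."""
    if "filterlog: " not in line:
        return None
    body = line.split("filterlog: ", 1)[1]
    f = next(csv.reader([body]))
    rec = {"rulenum": f[0], "tracker": f[3], "interface": f[4],
           "action": f[6], "direction": f[7], "ipver": f[8]}
    if rec["ipver"] == "4" and len(f) > 19:
        rec.update(proto=f[16], src=f[18], dst=f[19])
    # Tracker not in the current ruleset (rule deleted/reloaded) -> description stays None
    rec["description"] = trackers.get(rec["tracker"])
    return rec

def enrich_all(lines, pfctl_output=PFCTL_RULES):
    trackers = build_tracker_map(pfctl_output)
    return [r for r in (enrich_filterlog(l, trackers) for l in lines) if r]

if __name__ == "__main__":
    for rec in enrich_all(FILTERLOG_LINES):
        print(rec)
```

Refresh the pfctl listing whenever the ruleset is reloaded, since automatically added rules get a new tracker each time and an unmatched tracker shows up here as a `None` description.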