[HOWTO] pfSense logs to remote syslog server respecting RFC5424

  • Hello there.
    As stated in some posts in this forum (for example: https://forum.pfsense.org/index.php?topic=12143.msg66217;topicseen#msg66217 ), syslogd does not respect the RFC5424 standard.
    So exporting the pfSense syslog directly to another server can be messy (normally you would filter the log by source IP, but behind a load balancer this could be a problem).

    The quick and dirty solution:

    1. Install syslog-ng from packages
    2. Configure syslog-ng to listen on the DMZ/LAN interface on the port you like most (5140 by default is fine for me).
    3. Set the Remote syslog server #1 (from "Status: System logs: Settings") to point to the DMZ/LAN address (for me is
    4. Go back to Services: Syslog-ng Advanced and add a new item as in the attachment.

      Obviously, substitute the "my-remote-syslog-server" and port with what you actually need.
      ![Schermata 2015-08-14 alle 11.59.49.png](/public/imported_attachments/1/Schermata 2015-08-14 alle 11.59.49.png)
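
The attachment referenced in the post above is no longer available, so here is an added example of what steps 2 and 4 can look like in plain syslog-ng configuration syntax. It is not the original poster's attachment: the listen address 192.0.2.1, the object names, and the remote port 514 are placeholder assumptions, and only "my-remote-syslog-server" and port 5140 come from the post.

```conf
# Added example, not the configuration from the original attachment.
# 192.0.2.1 stands in for the firewall's own DMZ/LAN address (assumption).
# s_pfsense_local and d_remote_rfc5424 are hypothetical object names.

# Step 2: listen for what pfSense's built-in syslogd sends.
# "Remote syslog server #1" in Status: System logs: Settings points here,
# so the firewall's BSD-style messages arrive on this socket over UDP.
source s_pfsense_local {
    network(
        ip("192.0.2.1")
        port(5140)
        transport("udp")
    );
};

# Step 4: forward to the real log server.
# The syslog() destination driver writes IETF-syslog (RFC 5424) messages,
# unlike the legacy BSD format that syslogd emits.
destination d_remote_rfc5424 {
    syslog(
        "my-remote-syslog-server"
        transport("tcp")
        port(514)              # placeholder: use the port your server listens on
    );
};

# Tie the two together: everything received locally is re-emitted as RFC 5424.
log {
    source(s_pfsense_local);
    destination(d_remote_rfc5424);
};
```

Binding the source to the DMZ/LAN address rather than all interfaces keeps the relay listener off the WAN side.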

  • rsyslog is a better bet. Besides, having all eggs in one basket is risky, especially if your fw gets pwnd, so some things like syslogs are best sent to an individual syslog server.

  • Hello !

    Can you re-upload the setting? Preferably in text form, as attachments no longer download.


  • @andrsharov
    I found that simply installing the syslog-ng package 1.15_3 on pfSense 2.4.4 changed the message format. I did not configure anything in syslog-ng; I did not even enable syslog-ng.
    Before the installation of syslog-ng, my input in Graylog did not recognize any messages from pfSense. After the installation, they get recognized.

  • Netgate Administrator

    That option is in 2.5 already:
