[HOWTO] pfSense logs to remote syslog server respecting RFC5424
as stated in some post in this forum (for example: https://forum.pfsense.org/index.php?topic=12143.msg66217;topicseen#msg66217 ) the syslogD is not respecting the RFC5424 standard.
So exporting the pfsense syslog directly to another server could be messy (normally you will filter the log by sourceIP but behind a loadbalancer this could be a problem).
The quick and dirty solution:
- Install syslog-ng from packages
- configure syslog-ng to be listening on the DMZ/LAN interface on the port you like most (5140 by default is fine for me).
- Set the Remote syslog server #1 (from "Status: System logs: Settings") to point to the DMZ/LAN address (for me is 192.168.0.1:5140)
- Go to back to Services: Syslog-ng Advanced and add a new item as in the attachment.
Obviously susbstitute the "my-remote-syslog-server" and port with what you actually need
![Schermata 2015-08-14 alle 11.59.49.png](/public/imported_attachments/1/Schermata 2015-08-14 alle 11.59.49.png)
![Schermata 2015-08-14 alle 11.59.49.png_thumb](/public/imported_attachments/1/Schermata 2015-08-14 alle 11.59.49.png_thumb)
rsyslog is a better bet, besides having all eggs in one basket is risky especially if your fw gets pwnd, so somethings like syslogs are best set to an individual syslog server.
Can you re-upload the setting? It is desirable in text form, as attachments no longer download
I found that simply installing the syslog-ng package 1.15_3 on pfsense 2.4.4 changed the message format. I did not configure anything in syslog-ng, I did not even enable syslog-ng.
Before installation of syslog-ng my input in Graylog did not recognize any messages from pfsense. After the installation they get recognized.
That option is in 2.5 already: