Syslog'ing to remote syslog server

  • I am trying to get pfsense configured in order to replace our sonicwall here at work. pfsense looks like it will do quite a few more things for us, such as dual-wan and failover. I have these set up and they appear to be working just fine.

    However, I am trying to learn how to set up pfsense to send all of the syslogs to a remote machine in order to run WallWatcher on it. I have this working fine with our sonicwall, but I have not figured this part out on pfsense yet. I have several packages loaded, including the ntop which I can see this type of info with.

    I have checked 'Enable syslog'ing to remote syslog server' under the Diagnostics -> System logs -> Settings tab, but it is only sending the system info to the remote machine capturing the log info.

    I am trying to get full logs of the bandwidth and basic http DNS and domain names of http traffic. I am running 1.2 final.

    Basically I need to know how to enable the complete logs to be sent via the syslog port 514 method. Anyone have this set up and working?

  • You probably want SNMP enabled (under services).

  • Well I just tried putting the IP of the comp to send logs to and used the default port and port 514 in both the SNMP daemon and SNMP trap and I didn't see any changes to what was being sent to syslog….

    I also do not see any useful info on the few posts in the SNMP subforum. Any other suggestions? :)

  • You're trying to do what? With Wallwatcher, you can simply check the box to enable the snmp daemon under services, then in Wallwatcher: option, bandwidth should test OK on snmp. Check the box to collect data and go to file, analyze bandwidth. Leave the snmp port at default - it's not syslog. The logs are being sent via syslog and the bandwidth info is sent via snmp. The newer Wallwatcher worked for me when I played with it, but I still like monomon ( better for traffic graphs.

  • (This is a late reply, but I wanted to post for clarity for anyone reading this from any archives.)

    One issue may be that you might be mixing pieces of these two separate protocols. Specifically, you said you pointed some SNMP services at port 514. Port 514 is used by SYSLOG, not SNMP. SNMP uses UDP 161 and UDP 162. Your receiver should be set accordingly (or, better yet, left at the defaults for which ports it listens on).

  • Syslog uses UDP 514. I've tried it on pfSense 1.2.1 and it has worked fine for me. I thought it was funner to write a basic Syslog server in PHP and make it run as a windows service rather than learning a pre-made syslog server.

    I kind of wonder if some of the SysLog servers have a hard time with the messages? Since they don't follow the spec as mentioned here.
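To illustrate the point about receivers choking on messages that do not follow the syslog spec, here is an added example (not the poster's PHP service and not pfSense code) of a small UDP 514 receiver whose parser tolerates a missing PRI, timestamp or hostname instead of dropping the datagram. The sample datagrams at the bottom are constructed for the demo, not captured pfSense output.

```python
import re
import socket

# PRI = facility * 8 + severity; a datagram with no valid <PRI> counts as <13> (user.notice).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
DEFAULT_PRI = 13

# Loose RFC 3164 layout: <PRI>Mmm dd hh:mm:ss host message. Timestamp and host are optional;
# if the timestamp is missing the whole remainder is kept as the message, so messages that
# do not follow the spec still yield a usable record instead of being dropped.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?:(?P<host>\S+) )?)?"
    r"(?P<msg>.*)$",
    re.DOTALL,
)

def parse_syslog(raw: bytes) -> dict:
    """Split one UDP datagram into facility, severity, timestamp, host and message."""
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    m = HEADER_RE.match(text)
    pri = int(m.group("pri") or DEFAULT_PRI)
    return {
        "facility": pri // 8,
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "message": m.group("msg"),
        "conformant": m.group("pri") is not None and m.group("ts") is not None,
    }

def receive(handler, bind="0.0.0.0", port=514, max_datagrams=None):
    """Listen on the syslog UDP port and pass each parsed datagram to handler(sender_ip, fields)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # UDP 514 needs root; use a high port to test
    sock.bind((bind, port))
    seen = 0
    try:
        while max_datagrams is None or seen < max_datagrams:
            data, addr = sock.recvfrom(65535)
            handler(addr[0], parse_syslog(data))
            seen += 1
    finally:
        sock.close()

if __name__ == "__main__":
    # Constructed sample datagrams (not real pfSense output): conformant, PRI only, no header at all.
    for sample in (b"<134>Jan  5 10:15:02 pfsense pf: block in on em0: 192.0.2.10 -> 198.51.100.5",
                   b"<13>message with PRI but no timestamp or hostname", b"bare line with no header"):
        print(parse_syslog(sample))
```

The `conformant` flag lets you count how many datagrams a sender emits without a proper header, which is a quick way to tell whether a receiver's parsing strictness, rather than the network path, is why messages go missing.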
