Netgate Discussion Forum

Logs to remote syslog server not working

General pfSense Questions

    reilos
    last edited by Feb 17, 2016, 12:31 PM

    Hi there,

    I'm trying to get pfSense to log to my syslog server. Other devices (a NAS and a switch) in the same subnet have no problems with logging to the syslog server, it's only the pfSense box. I've set the options:

    Source Address: LAN (also tried default/any)
    IP Protocol: IPv4
    Enable Remote Logging: CHECKED (duh…)
    Remote Syslog Servers: 192.168.1.104
    Remote Syslog Contents: Everything

    Any ideas?

      dvancleef
      last edited by Feb 18, 2016, 3:28 AM

      On some platforms, by default syslogd only accepts packets from source port 514, have you investigated that?

        cmb
        last edited by Feb 18, 2016, 4:03 AM

        Nothing more than that to it. Assuming it's a live IP, it'll send there. Filter Diag>States for :514 and you can see if it's getting passed out. Packet capture on LAN filtered on port 514 to see it going to the server. Likely it's going to the server and the server's not doing with it what you're expecting.

          reilos
          last edited by Feb 19, 2016, 2:12 PM

          State:

          LAN	udp	172.30.35.1:514 -> 172.30.35.104:514	SINGLE:NO_TRAFFIC
          

          I'm no expert, so I had to look this one up from here:

          udp.single = The state if the source host sends more than one packet but the destination host has never sent one back.

          If I understand correctly, the source host (my pfSense box) is actually sending out the syslog messages via the right port to the right client host (my syslog server) on the correct port, but the client never sent any packet back.

          Should there be packets sent back?

            jimp Rebel Alliance Developer Netgate
            last edited by Mar 2, 2016, 8:00 PM

            Not with syslog over UDP, it won't send anything back, so that's normal. The state shows the packets leaving, so perhaps they never arrive at the server. Or, more likely, the target server is filtering or rejecting them in some way.

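One way to check on the syslog server itself whether the pfSense datagrams arrive at all, independent of the syslog daemon's own filtering (an added example, not part of the original posts; the function names are illustrative). It reports each sender's address and source port, which also covers the source-port question raised earlier in the thread, and decodes the syslog `<PRI>` field.

```python
import re
import socket

# RFC 3164 facility and severity names, indexed by their numeric codes.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode_pri(datagram):
    """Return (facility, severity, text), or None when there is no valid <PRI>."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:  # 23 * 8 + 7 is the largest valid PRI
        return None
    pri = int(m.group(1))
    text = datagram[m.end():].decode("utf-8", "replace").rstrip()
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], text


def listen(bind_addr="0.0.0.0", port=514):
    """Open the UDP socket; port 514 needs root and a stopped syslog daemon."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    return sock


def receive(sock, count, timeout=5.0):
    """Collect up to `count` datagrams with sender address, source port and PRI."""
    sock.settimeout(timeout)
    seen = []
    for _ in range(count):
        try:
            data, (ip, port) = sock.recvfrom(8192)
        except socket.timeout:
            break  # nothing arrived: look at routing or a host firewall
        seen.append({"src_ip": ip, "src_port": port, "decoded": decode_pri(data)})
    return seen


if __name__ == "__main__":
    with listen() as s:
        while True:
            for rec in receive(s, 1, timeout=60.0):
                print(rec)
```

If this prints records while the syslog daemon logs nothing, the packets are reaching the host and the problem is in the daemon's configuration.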
              reilos
              last edited by Mar 8, 2016, 11:35 AM Mar 7, 2016, 1:04 PM

              @jimp:

              Not with syslog over UDP, it won't send anything back, so that's normal. The state shows the packets leaving, so perhaps they never arrive at the server. Or, more likely, the target server is filtering or rejecting them in some way.

              Yeah, that's what I thought. I'm looking into other solutions, like ELK (Elasticsearch, Logstash, Kibana). Seems that setting up a syslog server with analytics is not as easy as I hoped.

                kapara
                last edited by Mar 8, 2016, 6:35 AM

                Check out Papertrail. It's hosted and free for most needs. Even has alerting built in. Depending on your environment... I use one of my PCs to transmit logs securely.

                  reilos
                  last edited by Mar 8, 2016, 11:44 AM

                  @kapara:

                  Check out Papertrail. It's hosted and free for most needs. Even has alerting built in. Depending on your environment... I use one of my PCs to transmit logs securely.

                  Thanks, but I'm only looking for an on-site solution, since having an off-site syslog server doesn't help me much when my gateway has issues and I can't access the logs  ;)  And the installation itself is not that hard, it's the configuration / tweaks to get things going for specific devices (like pfSense) that is not as straightforward as I hoped.

                    c1pher22
                    last edited by c1pher22 Apr 9, 2023, 6:02 PM Apr 9, 2023, 6:01 PM

                    I've just encountered this issue setting up my remote logging for the first time. Using Syslog-NG, I had to include 'create_dirs(yes)' in my syslog-ng.conf file.

                    Example:

                    destination d_remote {
                        # create_dirs(yes) lets syslog-ng create the per-host/date directories in this path
                        file("/var/log/remote/$HOST/$YEAR/$MONTH/$DAY/syslog.log"
                             create_dirs(yes));
                    };

                    Cheers!
