Remote Logging with encryption?



  • Hi there.

    I'm in the midst of setting up an ELK stack which is to gather logs from, amongst others, pfSense firewalls. We all know about the remote syslog option, but what are the ways to securely send logs to a remote logging server? It's my understanding that syslogd is not encrypted? There's syslog-ng, but to me the documentation on this is really lacking, and being a bit of a noob, I don't really know what is the best option here…

    Any ideas?


  • LAYER 8 Global Moderator

    snmpv3 with priv is encrypted..



  • @johnpoz:

    snmpv3 with priv is encrypted..

    Isn't SNMP for a different purpose? The point here is to store logs for months from pfSense.


  • LAYER 8 Global Moderator

    My bad, you are right, not sure what I was thinking.. syslog-ng can send encrypted syslog via tcp.. Must have read logging as monitor.. Doh!!!



  • @johnpoz:

    My bad, you are right, not sure what I was thinking.. syslog-ng can send encrypted syslog via tcp.. Must have read logging as monitor.. Doh!!!

    Don't worry, mate.

    And yeah, syslog-ng can do that. I'm just not quite sure how to set it up.
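
The kind of setup the thread is asking about, as an added example that is not from any poster in this thread or from the pfSense project: a syslog-ng forwarder on the firewall side sending RFC 5424 syslog over TLS on port 6514 to a collector in front of the ELK stack, with certificates checked in both directions. The hostname `logs.example.internal`, the certificate paths, the `@version` pragma and the file destination are assumptions; adjust them to your installation.

```conf
# ---------- sending side (syslog-ng on/near the pfSense box) ----------
@version: 3.38          # assumption: set to the syslog-ng version you run

source s_local {
    internal();         # syslog-ng's own messages
    system();           # local system log (filterlog etc. on pfSense)
};

destination d_collector_tls {
    syslog("logs.example.internal" port(6514)   # assumed collector hostname
        transport("tls")
        tls(
            ca-dir("/etc/syslog-ng/ca.d")           # CA that signed the collector cert
                                                    # (files must be OpenSSL hash-named, e.g. via c_rehash)
            cert-file("/etc/syslog-ng/client.crt")  # client cert, so the collector can
            key-file("/etc/syslog-ng/client.key")   # require mutual TLS
            peer-verify(required-trusted)           # refuse a collector whose cert does not validate
            ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11)
        )
    );
};

log { source(s_local); destination(d_collector_tls); };

# ---------- receiving side (collector in front of ELK), separate file ----------
@version: 3.38

source s_tls_in {
    syslog(ip("0.0.0.0") port(6514)
        transport("tls")
        tls(
            key-file("/etc/syslog-ng/server.key")
            cert-file("/etc/syslog-ng/server.crt")
            ca-dir("/etc/syslog-ng/ca.d")           # CA that signed the client certs
            peer-verify(required-trusted)           # only clients presenting a valid cert from that CA
            ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11)
        )
    );
};

# One file per sending host and day; Logstash/Filebeat can pick these up for ELK.
destination d_remote_files {
    file("/var/log/remote/${HOST}/${YEAR}-${MONTH}-${DAY}.log" create-dirs(yes));
};

log { source(s_tls_in); destination(d_remote_files); };
```

This protects the logs only in transit and authenticates both ends; what is stored on the collector is plain text, so protecting it at rest (disk encryption, restricted access, the separate VLAN suggested later in the thread) is a separate decision.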



  • Normally you set up the pfSense and then behind the pfSense firewall you set up a syslog server that
    is collecting the syslog files from all switches, WiFi APs and other devices including your pfSense firewall.
    A common way is then to create a VLAN with the syslog server inside and nothing else as a member, and
    only able to connect from the admin console (your PC or laptop or Mac) or the admin PC. And then the
    syslogs will be stored there encrypted, so that no one is able to shorten them or delete lines that are revealing
    his illegal presence, perhaps as an example. So you can be sure that if you see something inside of those files
    it is real and existing. If more than one device will be sending such log files to a logfile server you should
    know that they should be on the same time, so an internal NTP server that is giving all your switches, routers
    and firewall the exact same time is really useful. Otherwise, if something occurs, you must do a lot of
    math to be able to read and understand them. And at last it would be nice to set up a small firewall as a syslog
    server, so the first safety line is the separate VLAN (sniffing) and the second one is then the firewall with rules
    and perhaps Snort inside! Easy to deploy and use! A good job for older pfSense hardware, to give it a real
    second life for many years. And a decent HDD/SSD is cheap to get. But sending encrypted logfiles is not so
    common, and with what should they be decrypted when the firewall is or was compromised or failing?

