Remote Logging with Syslog

The Remote Logging options under Status > System Logs on the Settings tab allow syslog to copy log entries to a remote server.

The logs kept by pfSense on the firewall itself are of a finite size, and on NanoBSD they are cleared on reboot. Copying these entries to a syslog server aids troubleshooting and enables long-term monitoring. A remote copy also preserves events that would otherwise be lost: messages logged shortly before a firewall restarts, entries cleared or cycled out of the local log, and cases where local storage has failed but the network is still up.

Warning

Corporate or local legislative policies may dictate the length of time logs must be retained from firewalls and similar devices. If an organization requires long-term log retention for their own or government purposes, a remote syslog server is required to receive and retain these logs.

To start logging remotely:

  • Navigate to Status > System Logs on the Settings tab
  • Check Send log messages to remote syslog server
  • Configure the options as follows:
Source Address:

Controls where the syslog daemon binds for sending out messages. In most cases, the default (Any) is the best option, so the firewall will use the address nearest the target. If the destination server is across an IPsec VPN, however, choosing an interface or Virtual IP address inside the local Phase 2 network will allow the log messages to flow properly over a tunnel.

IP Protocol:

When choosing an interface for the Source Address, this option gives the syslog daemon a preference for either using IPv4 or IPv6, depending on which is available. If there is no matching address for the selected type, the other type is used instead.

Remote Log Servers:

Enter up to three remote servers using the boxes contained in this section. Each remote server can use either an IP address or hostname, and an optional port number. If the port is not specified, the default syslogd port, 514, is assumed.

A syslog server is typically a server that is directly reachable from the pfSense firewall on a local interface. Logging can also be sent to a server across a VPN.

Warning

Do not send log data directly across any WAN connection or unencrypted site-to-site link, as it is plain text and could contain sensitive information.

Remote Syslog Contents:

The options in this section control which log messages will be sent to the remote log server.

Everything: When set, all log messages from all areas are sent to the server.
System Events: Main system log messages that do not fall into other categories.
Firewall Events: Firewall log messages in raw format. The format of the raw log is covered in the documentation wiki article on the Filter Log Format.
DNS Events: Messages from the DNS Resolver (unbound), DNS Forwarder (dnsmasq), and from the filterdns daemon which periodically resolves hostnames in aliases.
DHCP Events: Messages from the IPv4 and IPv6 DHCP daemons, relay agents, and clients.
PPP Events: Messages from PPP WAN clients (PPPoE, L2TP, PPTP).
Captive Portal Events: Messages from the Captive Portal system, typically authentication messages and errors.
VPN Events: Messages from VPN daemons such as IPsec and OpenVPN, as well as the L2TP server and PPPoE server.
Gateway Monitor Events: Messages from the gateway monitoring daemon, dpinger.
Routing Daemon Events: Routing-related messages such as UPnP/NAT-PMP, IPv6 routing advertisements, and routing daemons from packages like OSPF, BGP, and RIP.
Server Load Balancer Events: Messages from relayd, which handles server load balancing.
Network Time Protocol Events: Messages from the NTP daemon and client.
Wireless Events: Messages from the Wireless AP daemon, hostapd.
  • Click Save to store the changes.

If a syslog server is not already available, it is fairly easy to set one up. See Syslog Server on Windows with Kiwi Syslog for information on setting up Kiwi Syslog on Windows. Almost any UNIX or UNIX-like system can be used as a syslog server. FreeBSD is described in the following section, but others may be similar.

Configuring a Syslog Server on FreeBSD

Setting up a syslog server on a FreeBSD server requires only a couple of steps. In this example, replace 192.168.1.1 with the IP address of the firewall, replace exco-rtr with the hostname of the firewall, and replace exco-rtr.example.com with the full hostname and domain of the firewall. This example uses 192.168.1.1 because the best practice is to send syslog messages using the internal address of a firewall, not a WAN interface.

Note

These changes must all be made on the syslog server, not on the firewall.

First, the firewall will likely need an entry in /etc/hosts containing the address and name of the firewall:

192.168.1.1            exco-rtr     exco-rtr.example.com

Then adjust the startup flags for syslogd to accept syslog messages from the firewall. Edit /etc/rc.conf and add this line if it does not exist, or add this option to the existing line for the setting:

syslogd_flags=" -a 192.168.1.1"

Lastly, add lines to /etc/syslog.conf to catch log entries from this host. Underneath any other existing entries, add the following lines:

!*
+*
+exco-rtr
*.*                                             /var/log/exco-rtr.log

Those lines will reset the program and host filters, then set a host filter for this firewall using the short name as entered in /etc/hosts.

Tip

Look at /etc/syslog.conf on the pfSense firewall for ideas about filtering the logs for various services into separate log files on the syslog server.

After these changes, syslogd must be restarted. On FreeBSD this is one simple command:

# service syslogd restart

Now look at the log file on the syslog server; if the configuration is correct, it will be populated with entries as activity happens on the firewall.
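As an added example, not part of the pfSense documentation, the following POSIX shell script applies the three server-side edits from this section (the /etc/hosts entry, the syslogd -a flag, and the syslog.conf host filter) so that running it twice does not duplicate anything, and includes a check for the result. The ROOT variable, the two function names and the verification helper are assumptions of this example; the default values are the placeholders used in the text above.

```shell
#!/bin/sh
# Added example (not from the pfSense docs): configure a FreeBSD syslog server
# to receive logs from one pfSense firewall. ROOT is an assumed prefix so the
# script can be exercised against a scratch directory instead of the live /etc.
set -eu

ROOT="${ROOT:-}"                           # "" = real system, or a scratch dir
FW_IP="${FW_IP:-192.168.1.1}"              # firewall's internal (LAN-side) address
FW_NAME="${FW_NAME:-exco-rtr}"             # short hostname used by the +host filter
FW_FQDN="${FW_FQDN:-exco-rtr.example.com}" # full hostname and domain

configure_syslog_server() {
    hosts="$ROOT/etc/hosts"; rc="$ROOT/etc/rc.conf"; conf="$ROOT/etc/syslog.conf"
    mkdir -p "$ROOT/etc"; touch "$hosts" "$rc" "$conf"

    # 1. /etc/hosts: syslogd matches +host against the name the source address
    #    resolves to, so the short name must be present exactly as in syslog.conf.
    grep -q "^$FW_IP[[:space:]]" "$hosts" ||
        printf '%s\t%s\t%s\n' "$FW_IP" "$FW_NAME" "$FW_FQDN" >> "$hosts"

    # 2. /etc/rc.conf: accept network syslog only from the firewall (-a). If a
    #    syslogd_flags line exists, append the option to it instead of adding one.
    if grep -q '^syslogd_flags=' "$rc"; then
        grep -q -- "-a $FW_IP" "$rc" ||
            sed -i.bak "s|^syslogd_flags=\"\([^\"]*\)\"|syslogd_flags=\"\1 -a $FW_IP\"|" "$rc"
    else
        printf 'syslogd_flags="-a %s"\n' "$FW_IP" >> "$rc"
    fi

    # 3. /etc/syslog.conf: reset the program (!*) and host (+*) filters, select
    #    this firewall, and send every facility/level to its own file.
    grep -q "^+$FW_NAME\$" "$conf" ||
        printf '\n!*\n+*\n+%s\n*.*\t\t/var/log/%s.log\n' "$FW_NAME" "$FW_NAME" >> "$conf"
}

# Returns 0 when all three files carry the expected entries for the firewall.
verify_syslog_server() {
    grep -q "^$FW_IP[[:space:]]" "$ROOT/etc/hosts" &&
    grep -q -- "-a $FW_IP" "$ROOT/etc/rc.conf" &&
    grep -q "^+$FW_NAME\$" "$ROOT/etc/syslog.conf"
}
```

After running it on the real server (ROOT empty), restart syslogd with `service syslogd restart` as described above; verify_syslog_server only checks the files, not that the daemon picked them up.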