Syslog is a standard for computer data logging. It separates the software that generates messages from the system that stores them and the software that reports and analyzes them. It was developed in the 1980s by Eric Allman as part of the Sendmail project, and proved so valuable that other applications began using it as well. Since then, Syslog has become the standard logging solution on Unix and Unix-like systems, and there have been a variety of syslog implementations on other operating systems.
Syslog initially functioned as a de facto standard, without any authoritative published specification, and many implementations existed; some of them were incompatible with each other. Eventually the Internet Engineering Task Force documented the standard in RFC 3164, which was later obsoleted by RFC 5424.
Centralized logging to a specific logging host can reduce some of the administrative burden of log file administration. Log file aggregation, merging and rotation can be configured in one location using syslog. In syslog, messages are labeled with a facility code indicating what type of program is logging the message. The codes are as follows:
| Facility Number | Keyword | Facility Description |
|---|---|---|
| 5 | syslog | messages generated internally by syslog |
| 6 | lpr | line printer subsystem |
| 7 | news | network news subsystem |
| 12 | - | network news subsystem |
| 16 | local0 | local use 0 (local0) |
| 17 | local1 | local use 1 (local1) |
| 18 | local2 | local use 2 (local2) |
| 19 | local3 | local use 3 (local3) |
| 20 | local4 | local use 4 (local4) |
| 21 | local5 | local use 5 (local5) |
| 22 | local6 | local use 6 (local6) |
| 23 | local7 | local use 7 (local7) |
For cron, either 9 or 15 may be used. With auth/authpriv, 4 and 10 are commonly used, but 13 and 14 can be used too.
Finally, here are the eight severity levels:
| Code | Severity | Keyword | Description |
|---|---|---|---|
| 0 | Emergency | emerg (panic) | System is unstable |
| 1 | Alert | alert | Action must be taken immediately |
| 3 | Error | err (error) | Error conditions |
| 4 | Warning | warning (warn) | Warning conditions |
| 5 | Notice | notice | Normal but significant condition |
A mnemonic used to remember these levels is: “Do I Notice When Evenings Come Around Early” (Debug, Info, Notice, Warning, Error, Critical, Alert, Emergency, i.e. the levels from 7 down to 0).
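The facility and severity above are not sent as separate fields: a syslog line starts with a PRI value in angle brackets, computed as facility × 8 + severity, so `<134>` means local0 (16) at severity info (6). The following added example, which is not code from the original article, decodes that field and applies a syslog.conf-style selector such as `auth.warning` (everything from that facility at warning or more urgent). It uses the full RFC 5424 facility table, of which the article shows a subset; for codes 13 to 15, where the RFC gives only descriptions, the keywords follow FreeBSD's syslog.h, and the sample lines and host name are constructed for this example.

```python
"""Decode the syslog PRI field into facility and severity and filter on it."""
import re

# Facility codes from RFC 5424, section 6.2.1. The keywords for 13 and 14 follow
# FreeBSD's syslog.h (the RFC calls them "log audit" and "log alert"); 15 is the
# RFC's "clock daemon" facility.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "security", 14: "console", 15: "clock",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}

# Severity levels 0 (most urgent) to 7 (least urgent); the mnemonic lists them
# in the reverse order.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI is a 1- to 3-digit decimal number in angle brackets at the very start.
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(line):
    """Split a syslog line into facility, severity and the remaining text.

    PRI = facility * 8 + severity, so facility is PRI // 8 and severity is PRI % 8.
    Raises ValueError for lines without a PRI or with a value above 191 (23 * 8 + 7).
    """
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing PRI field: %r" % line[:20])
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return {
        "pri": pri,
        "facility": facility,
        "facility_name": FACILITIES[facility],
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "message": m.group(2),
    }


def encode_pri(facility_name, severity_name):
    """Inverse of decode_pri: build the numeric PRI from the two keywords."""
    facility = next(code for code, name in FACILITIES.items() if name == facility_name)
    return facility * 8 + SEVERITIES.index(severity_name)


def select(lines, facility_name, threshold_name):
    """Emulate a syslog.conf selector such as ``auth.warning``.

    Keeps lines from the named facility whose severity is the threshold level or
    more urgent (a lower number), which is how syslog selectors are interpreted.
    """
    threshold = SEVERITIES.index(threshold_name)
    out = []
    for line in lines:
        rec = decode_pri(line)
        if rec["facility_name"] == facility_name and rec["severity"] <= threshold:
            out.append(rec)
    return out


# Constructed sample lines in RFC 3164 layout; host name and message text are made up.
SAMPLE_LINES = [
    "<134>Jan 10 12:00:01 pfsense filterlog: constructed block entry",      # local0.info
    "<38>Jan 10 12:00:02 pfsense sshd[101]: constructed login message",      # auth.info
    "<36>Jan 10 12:00:03 pfsense sshd[101]: constructed repeated failure",   # auth.warning
    "<1>Jan 10 12:00:04 pfsense kernel: constructed alert",                  # kern.alert
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = decode_pri(line)
        print("%-8s %-8s %s" % (rec["facility_name"], rec["severity_name"], rec["message"]))
    print("auth.warning selects:", [r["pri"] for r in select(SAMPLE_LINES, "auth", "warning")])
```

Because the mapping is purely arithmetic, the same decoder works for both RFC 3164 and RFC 5424 messages; only the text after the PRI differs between the two formats.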
Configuring Syslog in pfSense
To configure syslog, first navigate to Status -> System Logs. From there, click the “Settings” tab. Check the “Enable syslog’ing to remote syslog server” check box to send syslog messages to a remote server. At “Remote syslog servers”, enter the IP addresses of up to three remote syslog servers. Below that, there are nine check boxes. Eight check boxes are for logging different events (system, firewall, DHCP service, portal authorization, VPN, gateway monitor, server load balancer, and wireless); the ninth check box is labeled “Everything” and will cause syslog to record all messages. Check whichever items you wish to monitor, or check “Everything” to record everything. Then press the “Save” button to save the changes.
Now that we have enabled remote syslog logging, we have removed a considerable burden from the resources of the pfSense machine, which should have a positive effect. This will especially be the case if the machine is light on memory and hard disk space (or for that matter, if we are running it from the live CD and the log entries are being made to a floppy disk).
There are several other settings worth noting, which are applicable to a scenario where remote logging is not enabled. At the top of the Settings page, checking “Show log entries in reverse order” will cause the newest entries to appear on top. Checking “Log packets blocked by the default rule” (checked by default) will cause syslog to log packets blocked by the implicit default block rule. Checking “Show raw filter logs” will result in filter logs being shown as generated by the packet filter, without any formatting. This will reveal more detailed information. Finally, checking “Disable writing log files to the local RAM disk” will cause syslog to stop writing logs to the RAM disk, thereby freeing up memory.
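The remote side of the setup above is a host that listens on UDP port 514 and stores whatever pfSense sends. The following added example is a minimal such receiver written for this article, not part of pfSense or of any syslog daemon. Since UDP syslog carries no authentication, the receiver only accepts datagrams from the firewall's address (the `192.0.2.1` placeholder and `/var/log/remote` directory are assumptions to replace), rejects datagrams with a malformed PRI, and replaces control characters so a crafted message cannot forge extra log lines in the stored file.

```python
"""Minimal UDP syslog receiver for a pfSense firewall (added example)."""
import re
import socketserver
from pathlib import Path

# Assumed values: the firewall's LAN address (RFC 5737 documentation address used
# as a placeholder) and the directory the logs are written to.
ALLOWED_SOURCES = {"192.0.2.1"}
LOG_DIR = Path("/var/log/remote")
LISTEN = ("0.0.0.0", 514)   # binding port 514 requires root on most systems

_PRI_RE = re.compile(rb"^<(\d{1,3})>")


def classify(datagram, source_ip):
    """Validate one datagram and decide where it goes.

    Returns None if the datagram should be dropped, otherwise a dict with the
    facility, severity, the sanitised line and the file name to append it to.
    """
    if source_ip not in ALLOWED_SOURCES:
        return None                      # unknown sender: unauthenticated UDP, so drop
    m = _PRI_RE.match(datagram)
    if not m:
        return None                      # no PRI field, not a syslog message
    pri = int(m.group(1))
    if pri > 191:
        return None                      # 23 * 8 + 7 is the largest legal PRI
    facility, severity = divmod(pri, 8)
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    # Replace embedded newlines and other control characters so one datagram
    # can never become two lines in the file (log injection).
    text = "".join(ch if ch.isprintable() else "?" for ch in text)
    return {
        "facility": facility,
        "severity": severity,
        "text": text,
        "file": "%s_facility%d.log" % (source_ip, facility),
    }


class SyslogHandler(socketserver.BaseRequestHandler):
    """socketserver hands a UDP request over as (data, socket)."""

    def handle(self):
        data, _sock = self.request
        rec = classify(data, self.client_address[0])
        if rec is None:
            return
        with open(LOG_DIR / rec["file"], "a", encoding="utf-8") as fh:
            fh.write(rec["text"] + "\n")


if __name__ == "__main__":
    LOG_DIR.mkdir(parents=True, exist_ok=True)
    with socketserver.UDPServer(LISTEN, SyslogHandler) as server:
        server.serve_forever()
```

Writing one file per source and facility keeps the firewall log (local0 on pfSense, PRI 128 to 135) apart from the rest; the PRI is left in each stored line so a later analysis script can still decode it.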
Custom pfSense Firewall Log Analyzer – step-by-step instructions on how to set up a custom pfSense log analyzer using shell scripts and Python code
pfSense Remote Logging to Kiwi Syslog Server – shows how to send pfSense logs to a Kiwi server running under Windows