Syslog Configuration in pfSense

Introducing Syslog

Syslog is a standard for computer data logging. It separates the software that generates messages from the system that stores them and the software that reports and analyzes them. It was developed in the 1980s by Eric Allman as part of the Sendmail project, and proved so valuable that other applications began using it as well. Since then, Syslog has become the standard logging solution on Unix and Unix-like systems, and there have been a variety of syslog implementations on other operating systems.

Syslog initially functioned as a de facto standard, without any authoritative published specification, and many implementations existed; some of them were incompatible with each other. Eventually the Internet Engineering Task Force documented the standard in RFC 3164. It was made obsolete by subsequent additions in RFC 5424.


Centralized logging to a specific logging host can reduce some of the administrative burden of log file administration. Log file aggregation, merging and rotation can be configured in one location using syslog. In syslog, messages are labeled with a facility code indicating what type of program is logging the message. The codes are as follows:

Facility Levels

Number  Keyword   Description
0       kern      kernel messages
1       user      user-level messages
2       mail      mail system
3       daemon    system daemons
4       auth      security/authorization messages
5       syslog    messages generated internally by syslog
6       lpr       line printer subsystem
7       news      network news subsystem
8       uucp      UUCP subsystem
9       -         clock daemon
10      authpriv  security/authorization messages
11      ftp       FTP daemon
12      -         network news subsystem
13      -         log audit
14      -         log alert
15      cron      clock daemon
16      local0    local use 0 (local0)
17      local1    local use 1 (local1)
18      local2    local use 2 (local2)
19      local3    local use 3 (local3)
20      local4    local use 4 (local4)
21      local5    local use 5 (local5)
22      local6    local use 6 (local6)
23      local7    local use 7 (local7)

For cron either 9 or 15 may be used. With auth/authpriv, 4 and 10 are commonly used but 13 and 14 can be used too.


Finally, here are the eight severity levels:

Severity Levels

Code  Severity       Keyword          Description
0     Emergency      emerg (panic)    System is unstable
1     Alert          alert            Action must be taken immediately
2     Critical       crit             Critical conditions
3     Error          err (error)      Error conditions
4     Warning        warning (warn)   Warning conditions
5     Notice         notice           Normal but significant condition
6     Informational  info             Informational messages
7     Debug          debug            Debug-level messages

A mnemonic used to remember these levels is: “Do I Notice When Evenings Come Around Early”.
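On the wire, a syslog message carries both values in a single PRI field: PRI = facility * 8 + severity, so the receiving host has to split it back apart before it can route or alert on anything. The following Python is an added example, not code from the article, that decodes PRI using the two tables above (facilities the table lists without a keyword fall back to "facility<n>") and triages a few constructed sample lines of the kind a remote syslog server might receive from pfSense.

```python
import re
from collections import Counter

# Keywords exactly as given in the facility table above.
FACILITY_KEYWORDS = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 10: "authpriv", 11: "ftp", 15: "cron",
    **{16 + i: f"local{i}" for i in range(8)},
}
SEVERITY_KEYWORDS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(pri):
    """Split PRI into (facility keyword, severity keyword)."""
    # PRI = facility * 8 + severity; the largest legal value is 23 * 8 + 7 = 191.
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range 0-191")
    facility, severity = divmod(pri, 8)
    return FACILITY_KEYWORDS.get(facility, f"facility{facility}"), SEVERITY_KEYWORDS[severity]


def parse_line(line):
    """Return (facility, severity, message) for one RFC 3164-style line, else None."""
    m = PRI_RE.match(line)
    if not m:
        return None
    try:
        fac, sev = decode_pri(int(m.group(1)))
    except ValueError:  # PRI present but out of range: treat as unparseable
        return None
    return fac, sev, m.group(2)


def triage(lines, max_severity="err"):
    """Keep lines at max_severity or worse (lower code = more severe) and
    count facility.severity pairs so a reviewer can see which sources are noisy."""
    threshold = SEVERITY_KEYWORDS.index(max_severity)
    urgent, counts = [], Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        fac, sev, msg = parsed
        counts[f"{fac}.{sev}"] += 1
        if SEVERITY_KEYWORDS.index(sev) <= threshold:
            urgent.append((fac, sev, msg.strip()))
    return urgent, counts


# Constructed sample lines (not captured from a real firewall); hostnames and text are made up.
SAMPLE_LINES = [
    "<134>Jan 12 10:15:01 pfsense filterlog: block in on em0 (constructed)",      # local0.info
    "<38>Jan 12 10:15:03 pfsense sshd[1234]: Failed password for admin (constructed)",  # auth.info
    "<11>Jan 12 10:15:05 pfsense php: syslog settings changed (constructed)",      # user.err
    "<163>Jan 12 10:15:07 pfsense gateway-monitor: WAN gateway down (constructed)",  # local4.err
    "<999>PRI out of range",
    "no PRI at all",
]
```

Running `triage(SAMPLE_LINES)` returns the two err-level lines as urgent and a per-facility count of all four parseable lines.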

Configuring Syslog in pfSense

Syslog

Configuring Syslog for remote logging under pfSense 2.0.

To configure syslog, first navigate to Status -> System Logs. From there, click the “Settings” tab. Check the “Enable syslog’ing to remote syslog server” check box to send syslog messages to a remote server. At “Remote syslog servers”, enter the IP addresses of up to three remote syslog servers. Below that, there are nine check boxes. Eight check boxes are for logging different events (system, firewall, DHCP service, portal authorization, VPN, gateway monitor, server load balancer, and wireless); the ninth check box is labeled “Everything” and will cause syslog to record all messages. Check whichever items you wish to monitor, or check “Everything” to record everything. Then press the “Save” button to save the changes.

Now that we have enabled remote syslog logging, we have removed a considerable burden from the resources of the pfSense machine, which should have a positive effect on its performance. This will especially be the case if the machine is light on memory and hard disk space (or, for that matter, if we are running it from the live CD and the log entries are being written to a floppy disk).

There are several other settings worth noting, which apply when remote logging is not enabled. At the top of the Settings page, checking “Show log entries in reverse order” will cause the newest entries to appear on top. Checking “Log packets blocked by the default rule” (checked by default) will cause syslog to log packets blocked by the implicit default block rule. Checking “Show raw filter logs” will result in filter logs being shown exactly as generated by the packet filter, without any formatting; this reveals more detailed information. Finally, checking “Disable writing log files to the local RAM disk” will cause syslog to stop writing logs to the RAM disk, thereby freeing up memory.

External Links:

Syslog on Wikipedia

Copying Logs to a Remote Host with Syslog at doc.pfsense.org

Custom pfSense Firewall Log Analyzer – step-by-step instructions on how to set up a custom pfSense log analyzer using shell scripts and Python code

pfSense Remote Logging to Kiwi Syslog Server – shows how to send pfSense logs to a Kiwi server running under Windows

© 2013 David Zientara. All rights reserved.