If you want to retain your logs for any significant period of time, you'll need to enable remote syslog, and have a syslog server configured to accept messages from your pfSense system.
There are several different syslog servers out there. Most BSD/Linux systems will have one built in, and there are some free utilities available for Windows to accept syslog messages from remote hosts.
First, you'll need to configure your syslog server to accept remote connections, which means running it with the -a <subnet> flag.
This is easy to do on FreeBSD. Edit /etc/rc.conf and add this line:
syslogd_flags=" -a 192.168.1.1 "
Where 192.168.1.1 is the IP of your pfSense system.
You can also use more complex allow rules for syslog, like so:
syslogd_flags=" -a 10.0.10.0/24:*"
With this rule, syslogd will accept messages from any IP address in the 10.0.10.0 subnet (mask 255.255.255.0), and the messages may come from any UDP port.
Now, edit /etc/syslog.conf and add something like this at the bottom:
!*
+*
+pfSense
*.*    /var/log/pfsense.log
Where pfSense is the hostname of your pfSense router. You may also need to add an entry to /etc/hosts for that system, depending on your setup. You may separate things out further into separate files. See the /etc/syslog.conf file on your pfSense box for more details on which logging facilities are used for specific items.
You may also need to create that file and make sure it has the proper permissions like so:
touch /var/log/pfsense.log
chmod 640 /var/log/pfsense.log
Now restart syslog like so:
/etc/rc.d/syslogd restart
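The -a rule is the only thing deciding which senders syslogd accepts, so it is worth checking what a rule actually matches. The Python sketch below is an added example, not part of the original page or of FreeBSD's code: it models only the IPv4 ipaddr[/prefixlen][:service] form as FreeBSD's syslogd(8) manual page describes it (a missing prefix length is replaced by the historic class A or B mask, or by 24 otherwise, and the default service is syslog), and its function names are made up for illustration.

```python
import ipaddress

SYSLOG_PORT = 514  # UDP port of the "syslog" service


def default_prefixlen(ip):
    """Prefix length substituted when -a gives an IPv4 address without one."""
    first_octet = ip.packed[0]
    if first_octet < 128:   # historic class A
        return 8
    if first_octet < 192:   # historic class B
        return 16
    return 24               # everything else


def parse_allowed_peer(spec):
    """Parse 'ipaddr[/prefixlen][:service]' (IPv4 only) into (network, port or None)."""
    host, _, service = spec.strip().partition(":")
    if service in ("", "syslog"):
        port = SYSLOG_PORT          # default: the source port must be 514
    elif service == "*":
        port = None                 # any source port is accepted
    else:
        port = int(service)         # numeric services only in this model
    addr, _, plen = host.partition("/")
    ip = ipaddress.IPv4Address(addr)
    prefixlen = int(plen) if plen else default_prefixlen(ip)
    return ipaddress.IPv4Network((ip, prefixlen), strict=False), port


def is_accepted(spec, src_ip, src_port):
    """True if a datagram from src_ip:src_port passes the given -a rule."""
    network, port = parse_allowed_peer(spec)
    return ipaddress.IPv4Address(src_ip) in network and port in (None, src_port)


if __name__ == "__main__":
    # Constructed sample senders, checked against the two rules shown above.
    for spec in ("192.168.1.1", "10.0.10.0/24:*"):
        network, port = parse_allowed_peer(spec)
        print(f"-a {spec}: network {network}, source port {port or 'any'}")
    print(is_accepted("192.168.1.1", "192.168.1.77", 514))     # neighbour on the /24
    print(is_accepted("192.168.1.1", "192.168.1.1", 40000))    # right host, other port
    print(is_accepted("192.168.1.1/32", "192.168.1.77", 514))  # rule pinned to one host
```

Under this model, the first rule admits the whole 192.168.1.0/24 network rather than a single host, so writing 192.168.1.1/32 is the way to limit it to the pfSense system alone.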
On Linux, the setup depends on your distribution. Consult your distribution's documentation on how to change the behavior of syslogd. It shouldn't be too dissimilar to the alterations in the FreeBSD section.
Setting this up on Windows depends entirely on which syslog server you are using. Consult the documentation for more information on configuration. There is a list of syslog software for Windows available on Wikipedia.
You should start to see log messages flowing to the target system.