firewall.pfsense

The pfSense firewall logs are labeled with the firewall.pfsense.type tag.
  • pfSense is an open source firewall based on FreeBSD.
  • You can configure pfSense to send its logs to a remote syslog server.
  • From the management web interface you can only specify the remote server, not the port or protocol, and you cannot label the logs at the source.
  • Since pfSense only sends logs to the standard syslog port (514/udp), you need to install an In-house Relay to integrate these logs and set a rule that listens on that port.
  • This rule must also tag the events as firewall.pfsense.type and send them to Devo.

Tag structure

  • The elements firewall and pfsense are fixed; the element type identifies the log type and therefore the format of the event.
  • The type element can have one of the following values (corresponding to the different log types):
    • firewall.pfsense.firewall
    • firewall.pfsense.system

For more information on how tags work, please check the Introduction to tags article.

Configuration

The configuration steps are slightly different, depending on the pfSense version you are using: 

pfSense 2.2

This configuration applies to pfSense 2.2 and all previous versions. The process has two main steps:

  • In-house relay configuration
  • pfSense configuration

In-house Relay configuration

The first step is to install an In-house Relay for the correct tagging of the logs. You should define two rules, as described below.

  • First rule

With this rule, all events arriving on port 514/udp with the syslog tag pf (the tag that pfSense 2.2 sets through logger -t pf, see the filter.inc change below) are labeled as firewall.pfsense.firewall. You must consider the following fields when creating this rule:

  • Source Port → 514
  • Source Tag → pf
  • Target Tag → firewall.pfsense.firewall
  • Check the following box:
    • Stop Processing (the relay does not evaluate any further rules once this one matches)

  • Second rule

This rule labels the rest of the events as firewall.pfsense.system. You must consider the following fields when creating the rule:

  • Source Port → 514
  • Target Tag → firewall.pfsense.system
  • Check the following box:
    • isPrefix → true (the target tag is used as a prefix, so the original syslog tag that identifies the pfSense component that generated the event is retained)

Please note that the order of the rules is important. Both rules operate on the same port, and the first must always be evaluated before the second; otherwise the catch-all second rule would also match the firewall events and file them under firewall.pfsense.system.


pfSense configuration

  • Modify the configuration file to avoid multi-line events, which tcpdump sometimes generates and which break the log format. Edit the file /etc/inc/filter.inc from the console or from the management interface (Diagnostics → Edit File).

/etc/inc/filter.inc file modification

Replace this line:
    mwexec_bg("/usr/sbin/tcpdump -s 256 -v -l -n -e -ttt -i pflog0 | logger -t pf -p local0.info");
with this one:
    mwexec_bg("/usr/sbin/tcpdump -s 256 -v -l -n -e -ttt -i pflog0 | /usr/bin/sed -l -E 'N;s/\\n[ \\t]+/ /;P;D;' | logger -t pf -p local0.info");

The inserted sed filter joins each indented continuation line onto the line before it, so every packet reaches logger as a single line; the -l flag keeps FreeBSD sed line-buffered so events are not held back in an output buffer before being logged.
  • For the changes to take effect, you must restart pfSense with the reboot command from the console or from the management interface (Diagnostics → Reboot).
  • Once the system has restarted, configure syslog forwarding from the pfSense web interface:
  1. Go to Status → System Logs → Settings.
  2. Check the box Log packets blocked by the default rule.
  3. Check the box Enable syslogging to remote syslog server.
  4. Enter your In-house Relay IP address in the Server1 field.
  5. Check the boxes of the event types you want to register (at least system and firewall events).
  6. Click Save.

  • In the Firewall → Rules section, edit each rule whose traffic you want to log and enable the Log packets that are handled by this rule option on it.

  • Click the Apply changes button in the Firewall → Rules area.
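
To see what the sed filter from the filter.inc change actually does, here is an added example that is not part of pfSense or of this integration: it runs the same sed expression over constructed tcpdump-style output. It assumes GNU sed (the verifier's environment), so FreeBSD's -l flag, which GNU sed reads as a line-wrap length, is left out; the PHP string's \\n and \\t become the plain \n and \t the single-quoted shell script passes to sed.

```shell
#!/bin/sh
# Added example (not pfSense code): exercises the sed expression from the
# /etc/inc/filter.inc change on constructed tcpdump-style output.

# join_continuations: collapse an indented continuation line into the line
# before it so each packet reaches logger as a single syslog event.
# This is the expression inserted into filter.inc, minus FreeBSD sed's "-l"
# (line-buffered output), which GNU sed would interpret as a wrap length.
join_continuations() {
  sed -E 'N;s/\n[ \t]+/ /;P;D;'
}

# Constructed sample (no real capture): tcpdump -v -e -ttt on pflog0 prints
# one packet as a header line plus one indented protocol line.
sample_tcpdump='00:00:00.000000 rule 5/0(match): block in on em0: (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.10.51515 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0
00:00:00.004200 rule 5/0(match): block in on em0: (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto UDP (17), length 46)
    192.0.2.10.49152 > 198.51.100.53.53: 1234+ A? example.com. (29)'

# count_lines: number of lines the sed filter emits for the given input,
# i.e. the number of syslog events logger would receive.
count_lines() {
  printf '%s\n' "$1" | join_continuations | wc -l | tr -d ' '
}

# Stand-alone demo: two packets, four lines in, two single-line events out.
printf '%s\n' "$sample_tcpdump" | join_continuations
```

Two caveats a practitioner should keep in mind: the expression merges only one continuation line per header line (enough for the two-line records tcpdump -v prints for IPv4 and IPv6 headers, but a packet that tcpdump prints on three or more lines still leaves the extra lines unjoined), and on a strictly POSIX sed the N command quits without printing when it finds no further input, so the very last line of a finite input is dropped; GNU sed prints it. Neither matters for the continuous stream on pflog0, but both do when you test the expression on a file.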

pfSense 2.3

The configuration process has two main steps:

  • In-house Relay configuration
  • pfSense configuration

In-house Relay configuration

The first step is to install an In-house Relay for the correct tagging of the logs. You should define two rules, as described below.

  • First rule

With this rule, all events arriving on port 514/udp with the syslog tag filterlog (the tag pfSense 2.3 uses for firewall events) are labeled as firewall.pfsense.firewall, one of the two values listed under Tag structure. You must consider the following fields when creating this rule:

  • Source Port → 514
  • Source Tag → filterlog
  • Target Tag → firewall.pfsense.firewall
  • Check the following box:
    • Stop Processing (the relay does not evaluate any further rules once this one matches)

  • Second rule

This rule labels the rest of the events as firewall.pfsense.system. You must consider the following fields when creating the rule:

  • Source Port → 514
  • Target Tag → firewall.pfsense.system
  • Check the following box:
    • isPrefix → true (the target tag is used as a prefix, so the original syslog tag that identifies the pfSense component that generated the event is retained)

Note that the order of the rules is important. Both rules operate on the same port, and the first must always be evaluated before the second; otherwise the catch-all second rule would also match the firewall events and file them under firewall.pfsense.system.
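
The following is an added example, not Devo's relay implementation, that applies the two relay rules described above (for both the pfSense 2.2 rules with the pf tag and the pfSense 2.3 rules with the filterlog tag) to constructed syslog lines, so you can check which tag each event ends up with before you look at the data in Devo. It assumes the classic BSD syslog header layout and that isPrefix appends the original syslog tag to the target tag, giving firewall.pfsense.system.<tag>; the sample events are constructed, not real pfSense output.

```shell
#!/bin/sh
# Added example (not Devo relay code): applies the two relay rules from this
# page to constructed syslog lines and prints the resulting Devo tag.

# syslog_tag: extract the syslog tag (program name) from a BSD-syslog line.
# Assumed header layout: "<pri>Mon dd hh:mm:ss host prog[pid]: message",
# so the tag is the 5th whitespace-separated field minus "[pid]" and ":".
syslog_tag() {
  printf '%s\n' "$1" | awk '{ p = $5; sub(/:.*$/, "", p); sub(/\[.*$/, "", p); print p }'
}

# relay_tag: the tag the relay assigns to one event received on 514/udp.
# Rule 1: source tag pf (pfSense 2.2) or filterlog (pfSense 2.3) ->
#         firewall.pfsense.firewall, then Stop Processing.
# Rule 2: everything else -> firewall.pfsense.system with isPrefix, which is
#         assumed here to yield firewall.pfsense.system.<original tag>.
relay_tag() {
  tag=$(syslog_tag "$1")
  case $tag in
    pf|filterlog) printf '%s\n' firewall.pfsense.firewall ;;
    *)            printf '%s\n' "firewall.pfsense.system.$tag" ;;
  esac
}

# relay_tag_wrong_order: the same two rules with the catch-all evaluated
# first. Because the isPrefix rule matches every event, rule 1 is never
# reached and firewall events are misfiled under firewall.pfsense.system.
relay_tag_wrong_order() {
  printf '%s\n' "firewall.pfsense.system.$(syslog_tag "$1")"
}

# Constructed sample events (not real pfSense output).
ev_filterlog='<134>Mar 10 12:00:00 pfsense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,1,0,DF,6,tcp,60,192.0.2.10,198.51.100.7,51515,443'
ev_pf='<134>Mar 10 12:00:00 pfsense pf: 00:00:00.000000 rule 5/0(match): block in on em0: 192.0.2.10.51515 > 198.51.100.7.443: Flags [S]'
ev_sshd='<38>Mar 10 12:00:01 pfsense sshd[1234]: Accepted publickey for admin from 192.0.2.99 port 50000 ssh2'
ev_dhcpd='<30>Mar  3 12:00:02 pfsense dhcpd: DHCPACK on 192.0.2.50 to 00:11:22:33:44:55 via em1'

# Stand-alone demo: print the tag each event would get with the correct order.
for ev in "$ev_filterlog" "$ev_pf" "$ev_sshd" "$ev_dhcpd"; do
  printf '%-32s <- %s\n' "$(relay_tag "$ev")" "$(syslog_tag "$ev")"
done
```

The port check itself is done by the relay listener, so it is not modelled here; what the functions show is why the Stop Processing box on the first rule and the rule order matter, which relay_tag_wrong_order makes visible for the filterlog event.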


pfSense configuration

  • Configure syslog forwarding from the pfSense web interface:
    1. Go to Status → System Logs → Settings.
    2. Check the box Log packets matched from the default block rules in the rule set.
    3. Check the box Send log messages to remote syslog server.
    4. Enter your In-house Relay IP address in the Remote log servers field.
    5. Check the boxes of the event types you want to register (at least System and Firewall events).
    6. Click Save.
    7. In the Firewall → Rules section, edit each rule whose traffic you want to log and enable the Log packets that are handled by this rule option on it.
    8. Click the Apply changes button in the Firewall → Rules area.
