How to configure syslog servers in PfSense

Want to centralize your PfSense logs for better monitoring and troubleshooting? Here’s how you can set up a remote syslog server with PfSense to securely store, analyze, and manage your network logs.

Key Steps:

1. Enable Remote Logging: Go to Status > System Logs > Settings in PfSense and check the "Send log messages to remote syslog server" option.
2. Set Remote Server Details:
   - Enter the server's IP/hostname.
   - Use UDP port 514 (default) or TCP (requires the syslog-ng package).
3. Select Log Categories: Choose specific logs like firewall, VPN, or system events to forward.
4. Secure Log Transmission:
   - Use a VPN or encrypted tunnels (like Stunnel or syslog-ng) to protect sensitive data.
5. Configure the Syslog Server:
   - Allow remote access (`/etc/rc.conf`).
   - Define log files (`/etc/syslog.conf`).
   - Restart the syslog service.

Why It Matters:

  • Long-Term Storage: Avoid losing logs due to limited local storage.
  • Simplified Troubleshooting: Analyze logs centrally to detect issues faster.
  • Enhanced Security: Keep logs safe even during device failures.

Tip: Always encrypt logs when transmitting over public networks to avoid exposing sensitive information.

Follow these steps to set up reliable, secure logging for your network!

Before You Begin

System Requirements

Make sure PfSense aligns with the necessary hardware and software specifications. PfSense can send logs to almost any UNIX or UNIX-like system set up as a syslog server. Here's what you'll need:

| Component | Requirement |
| --- | --- |
| Network Connection | Local network interface or a VPN connection |
| Default Port | UDP 514 |
| Protocol Support | UDP (default) or TCP (requires the syslog-ng package) |
| Storage Capacity | Enough space for long-term log storage |
| Security Layer | Use VPN, Stunnel, or similar tools for encryption |

Double-check that your network environment meets these requirements before proceeding.

Network Setup Checklist

  • Network Accessibility
    Confirm the syslog server is accessible from the PfSense firewall. You can achieve this by using:

    • A local network interface
    • A properly set up VPN connection
    • A secure tunnel like IPsec
  • Security Configuration
    Protect sensitive log data by:

    • Using encrypted connections if logs pass through public networks
    • Setting up VPN tunnels for secure remote logging
    • Configuring IPsec Phase 2 for tunnel mode
  • Server Prerequisites
    If you're using a FreeBSD syslog server, follow these steps:

    • Update `/etc/rc.conf` to enable remote access
    • Adjust `/etc/syslog.conf` for your setup
    • Set the correct file permissions (e.g., `chmod 640`)
    • Restart the syslog service

Make sure all these steps are completed to ensure a smooth setup process.

Setting Up Remote Syslog

Finding Logging Settings

To set up remote syslog in PfSense, start by accessing the logging configuration panel. Head to Status > System Logs and select the Settings tab. This is where you'll find all the options needed to configure remote log forwarding.

Configuring Log Forwarding

1. Enable Remote Logging

Check the box labeled "Send log messages to remote syslog server." This will reveal additional configuration options.

2. Configure Source Settings

Select a source address. Unless you need a specific IP (such as for tunnel mode IPsec VPN), it's best to stick with the default option, 'Any.'

3. Set Up Remote Servers

You can configure up to three remote servers for redundancy. For each server, provide:

  • The IP address or hostname of the syslog server
  • The UDP port number (default is 514)

| Server Configuration | Details Needed |
| --- | --- |
| Primary Server | IP/Hostname + Port |
| Source Address | Default: Any, or specify an IP |
| Protocol | Default: UDP, or use TCP* |
| Security | VPN/Stunnel is recommended |

*TCP requires the additional syslog-ng package.

Choosing Log Types

Select the log types that suit your monitoring needs. PfSense allows you to forward logs based on specific categories:

| Log Category | Purpose |
| --- | --- |
| System Events | Tracks core system operations |
| Firewall Events | Monitors security and access |
| DNS Events | Logs domain name resolutions |
| DHCP Events | Records IP address assignments |
| VPN Events | Tracks VPN activity |
| Authentication Events | Logs login attempts and access |
| Gateway Monitor Events | Monitors network connectivity |

While you can forward all logs by selecting "Everything", it’s better to start with specific categories that align with your monitoring goals. This helps conserve both server resources and network bandwidth.

"The logs kept by pfSense on the firewall itself are of a finite size, making remote logging useful for long-term monitoring and troubleshooting." [1]

Keep in mind that logs sent using remote syslog are unencrypted by default. To ensure secure log transmission, you can:

  • Set up a VPN tunnel
  • Use the Stunnel package
  • Install the syslog-ng package for encrypted transmission

Once you've configured everything, click Save to apply your changes.

Remote Server Setup

Server Configuration Steps

To set up your remote syslog server for receiving pfSense logs, follow these steps:

1. Enable Remote Connections

Edit the `/etc/rc.conf` file to permit connections from your pfSense firewall:

```sh
# Setting syslogd_flags replaces FreeBSD's default "-s" (no remote listening),
# so syslogd binds UDP 514 and -a restricts which peers may send to it.
syslogd_flags="-a 192.168.1.1"
```

If you need to allow access for an entire subnet, adjust the configuration accordingly:

```sh
# Network form: address/prefix, with ":*" accepting any source port.
syslogd_flags="-a 10.0.10.0/24:*"
```

2. Configure Log Storage

Update the `/etc/syslog.conf` file to route pfSense logs to a specific log file, such as `/var/log/pfsense.log`:

```
# Lines after a "+host" block apply only to messages from that host;
# the name must resolve (see the /etc/hosts entry below).
+pfsense
*.*     /var/log/pfsense.log
```

3. Set Up Log Files

Create the log file and set the appropriate permissions:

```sh
touch /var/log/pfsense.log
chmod 640 /var/log/pfsense.log
```

4. Restart the Syslog Service

Apply the changes by restarting the syslog service:

```sh
/etc/rc.d/syslogd restart
```

Once your server is configured, you’ll need to ensure secure log transmission through your network.

Network Requirements

After configuring the server, make sure your network settings support secure and reliable communication. Use the table below as a guide:

| Requirement | Configuration Details |
| --- | --- |
| Firewall Rules | Allow UDP port 514 (default) from the pfSense IP address. |
| VPN Setup | Use a VPN for secure connections over WAN. |
| Source Address | Ensure it matches the pfSense local network. |
| DNS Resolution | Add the pfSense hostname to the `/etc/hosts` file. |

"Logs sent using this method are delivered in the clear (not encrypted) unless the logs are sent through a VPN or using a mechanism such as Stunnel package. As an alternative, consider using the syslog-ng package which supports encrypted syslog." [1]

If you’re working across multiple networks, confirm that your firewall rules allow traffic between the pfSense system and the remote syslog server.

Testing and Fixes

Checking Log Delivery

Once your server configuration is set up, it's time to ensure logs are being transmitted correctly. To check log delivery, inspect the log file on your remote server by running:

```sh
tail -f /var/log/pfsense.log
```

This command displays new log entries as they arrive. To generate test logs from pfSense, try these actions:

  • Modify firewall rules
  • Use the web interface
  • Restart system services

If the expected logs don't show up, examine the following components:

| Component | What to Check |
| --- | --- |
| Server Listening Status | Ensure the `syslogd` process is running with the proper flags. |
| Log File Permissions | Verify the file permissions are set to `640`. |
| Network Connectivity | Test connectivity to UDP port 514. |
| Source Address | Confirm the source IP from pfSense matches your configuration settings. |
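To see what the server side is actually receiving without touching the production syslogd, here is an added Python example (not pfSense or FreeBSD code) that applies the same allowed-peer rules as the `-a` flags above and decodes the BSD syslog fields of each datagram. The sample datagram, the host name `pfsense`, and the PID in it are constructed.

```python
import ipaddress
import re
import socket
# RFC 3164: PRI = facility * 8 + severity; list index equals the numeric code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "clock", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOST PROGRAM[PID]: MSG, the BSD syslog line format pfSense sends.
_MSG = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (\S+?)"
                  r"(?:\[(\d+)\])?: (.*)$", re.S)

# Constructed sample datagram: PRI 134 decodes to local0.info; fields are made up.
SAMPLE = (b"<134>Jan 10 12:00:00 pfsense filterlog[48571]: "
          b"5,,,1000000103,igb0,match,block,in,4,tcp,192.0.2.10,192.168.1.1,51234,22\n")

def peer_allowed(src_ip, allow_specs):
    """True if src_ip matches one of the rc.conf -a specs (IPv4 forms used above)."""
    addr = ipaddress.ip_address(src_ip)
    for spec in allow_specs:
        host_part = spec.split(":", 1)[0]  # drop the optional ":service" port filter
        if addr in ipaddress.ip_network(host_part, strict=False):
            return True
    return False

def parse_syslog(datagram):
    """Split a received datagram into fields; None if it is not a syslog line."""
    m = _MSG.match(datagram.decode("utf-8", "replace").rstrip("\n"))
    if not m or int(m.group(1)) > 191:  # 23 * 8 + 7 is the highest valid PRI
        return None
    pri = int(m.group(1))
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "timestamp": m.group(2), "host": m.group(3), "program": m.group(4),
            "pid": m.group(5), "msg": m.group(6)}

def serve(allow_specs, bind="0.0.0.0", port=514):
    """Listen like syslogd and discard datagrams from peers outside the -a list."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))  # binding 514 needs root, just as syslogd does
        while True:
            data, (src, _) = sock.recvfrom(8192)
            if not peer_allowed(src, allow_specs):
                print(f"dropped datagram from {src}: not in -a list")
                continue
            print(parse_syslog(data))

if __name__ == "__main__":
    serve(["192.168.1.1", "10.0.10.0/24:*"])
```

Stop the real syslogd before running it, since both want UDP 514; a datagram that prints as "dropped" points at the Source Address row above, a missing one at the firewall rules.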

Common Problems and Solutions

If logs aren't appearing, here are some common issues and how to address them:

1. No Logs Appearing
Check if the syslog daemon is running with remote connection support. On FreeBSD systems, confirm that your `/etc/rc.conf` file includes the following:

```bash
syslogd_flags="-a <your_pfsense_ip>"
```

2. VPN Connectivity Issues
When using a VPN, ensure the Source Address in pfSense is set to an interface or Virtual IP within your Phase 2 network. This is crucial for proper log transmission in tunnel mode IPsec VPNs.

3. UDP Transmission Problems
Since the default syslog daemon uses UDP, logs might be unreliable in certain network setups. Address these issues as follows:

| Issue | Solution |
| --- | --- |
| **Packet Loss** | Switch to the `syslog-ng` package for TCP support. |
| **Security** | Use VPN tunneling to encrypt log transmissions. |
| **Network Blocks** | Adjust firewall rules to permit UDP traffic on port 514. |

For more secure transmission methods, refer to the encryption techniques covered earlier.

Summary

Setup Steps Review

To configure remote syslog in PfSense, follow these steps:

| Configuration Area | Steps |
| --- | --- |
| Initial Setup | Go to Status > System Logs > Settings tab. |
| Remote Server | Activate the "Send log messages to remote syslog server" option. |
| Connection | Enter the server IP and UDP port (default is 514). |
| Source Settings | Specify the correct source address (important for VPN setups). |
| Security | Use secure methods, like VPN tunneling, to transmit logs. |
| Log Types | Select the log categories you want to forward. |

Why Centralized Logs Matter

Centralized logging makes life easier for network administrators working with PfSense. It helps with troubleshooting, ensures compliance, and keeps logs secure. Here's how:

  • Extended Log Retention:
    Keep logs longer than what PfSense's local storage allows. This means you won't lose historical data during system restarts.

  • Better Security Analysis:
    Gain access to full audit trails, detect patterns over time, and ensure logs are safe even if local storage fails.

  • Compliance Support:
    Meet corporate retention policies and legal requirements by securely archiving logs.

For best results, make sure your syslog server is directly reachable from your PfSense firewall. Use a local interface or a VPN connection to avoid transmitting sensitive log data over unsecured WAN links. Logs sent over unencrypted connections are vulnerable to interception, as they are transmitted in plain text.