PfSense-Remote-Syslog

Summary

pfSense, being FreeBSD based, uses the stock syslogd as its syslog daemon. It is old and forwards messages in the legacy BSD syslog format rather than the RFC 5424 format that Graylog needs in order to interpret them properly.
This setup keeps the System Logs settings page functional, so it still controls what is sent to the remote syslog server: pfSense's syslogd forwards to a local syslog-ng instance, which reformats the messages and relays them to Graylog. There are some relatively convoluted solutions to this out there; I think this one is less convoluted.

syslog-ng Configuration

Start by installing the syslog-ng package in the Package Manager in pfSense.

At this point I want to stress that you DO NOT want to configure syslog-ng via the pfSense web UI. When I tested it, the web UI would not let me edit the DEFAULT items, and saving anything there regenerates the config file: the hand-edited config below gets wiped out and the syslog relaying breaks.

SSH to the pfSense box and edit the syslog-ng config file (/usr/local/etc/syslog-ng.conf) so that it looks like this:

@version:3.7
destination _DEFAULT { syslog("GRAYLOG_IP" transport(udp) port(GRAYLOG_PORT)); };
source _DEFAULT { internal(); syslog(transport(udp) port(5514) ip(127.0.0.1)); };
log { source(_DEFAULT); destination(_DEFAULT); };

The source line tells syslog-ng to listen on 127.0.0.1:5514 for syslog input (loopback only, so nothing off the box can inject messages into the relay), while the destination line tells it to send RFC 5424 syslog messages over UDP to the Graylog server; replace GRAYLOG_IP and GRAYLOG_PORT with the address and port of your Graylog syslog input. The log line connects the two. Plain UDP is neither authenticated nor encrypted in transit; the syslog() driver also supports transport(tls) if your Graylog input is set up for it.
Now all we need is some input.

pfSense Configuration

In the pfSense web UI, navigate to the System Logs settings (Status -> System Logs -> Settings) and check the box "Send log messages to remote syslog server".

The "Source Address" chosen must match the IP in the source line of syslog-ng.conf above. I specified 127.0.0.1 there, so I select "Loopback" for the Source Address field. "IP Protocol" should be IPv4.

Finally, enter the IP and port from the source line in syslog-ng.conf above (127.0.0.1:5514) into one of the Remote Log Servers boxes.

Hit that Save button and apply the configuration changes.

Your stock syslogd is now forwarding messages over the loopback interface to syslog-ng, which reformats them as RFC 5424 and sends them on to the Graylog server.
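To make the reformatting step visible, here is an added example (it is not from the original page and is not syslog-ng code) that does by hand what the log{} statement above delegates to syslog-ng: parse the legacy BSD-format lines that syslogd forwards, and emit RFC 5424. The sample lines are constructed, the hostname "pfsense" is an assumption used only when the incoming line carries no hostname, the year and UTC offset are assumptions because a BSD timestamp carries neither, and the relay() destination is a placeholder standing in for GRAYLOG_IP/GRAYLOG_PORT.

```python
#!/usr/bin/env python3
"""Added example: BSD (RFC 3164) syslog, as FreeBSD/pfSense syslogd forwards it,
converted to RFC 5424, as syslog-ng's syslog() destination emits it."""
import re
import socket
from datetime import datetime, timezone

# <PRI>Mmm dd hh:mm:ss [host ]tag[pid]: message
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?:(?P<host>[^\s:\[]+) )?"            # hostname is often absent from forwarded lines
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s?"
    r"(?P<msg>.*)$"
)

# Constructed samples, not captured from a real firewall.
SAMPLES = [
    "<134>Sep  2 12:00:00 filterlog: 5,,,1000000103,igb0,match,block,in",
    "<38>Sep  2 12:00:01 pfsense sshd[4242]: Accepted publickey for admin from 192.0.2.50 port 51022 ssh2",
    "not a syslog line",
]


def bsd_to_rfc5424(line, default_host="pfsense", year=None, tz=timezone.utc):
    """Convert one BSD syslog line to RFC 5424 (version 1, no structured data).

    Returns None for anything that is not a well-formed BSD syslog line, so a
    relay can drop it rather than forward garbage under a forged priority.
    default_host, year and tz are assumptions: the BSD format has no year or
    zone, and syslogd may omit the hostname when forwarding local messages.
    """
    m = BSD_RE.match(line)
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:                            # facility (0-23) * 8 + severity (0-7)
        return None
    year = year or datetime.now(tz).year     # assume the message is from this year
    stamp = datetime.strptime(
        f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=tz)
    host = m["host"] or default_host
    procid = m["pid"] or "-"
    # HEADER = PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD, then MSG
    return f"<{pri}>1 {stamp.isoformat()} {host} {m['tag']} {procid} - - {m['msg']}"


def relay(listen=("127.0.0.1", 5514), dest=("192.0.2.10", 5140)):
    """Stand-in for the syslog-ng log{} statement: bind to loopback only, so
    nothing off the box can inject into the relay, reformat, and forward.
    dest is a placeholder for the Graylog address and port."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(listen)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        data, _peer = rx.recvfrom(65535)
        out = bsd_to_rfc5424(data.decode("utf-8", "replace").rstrip("\n"))
        if out is not None:
            tx.sendto(out.encode(), dest)


if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", bsd_to_rfc5424(s, year=2016))
```

Run it without arguments to see each constructed line converted (or rejected); the rejected cases show why a relay that only listens on 127.0.0.1 matters, since anything reachable from the network could otherwise feed it arbitrary priorities and tags. On the pfSense box itself, sockstat -4l is the quick way to confirm that syslog-ng is bound to 127.0.0.1:5514 and not to an outward-facing address.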

Page last modified on September 02, 2016