Feature #14878
openIntegrated syslog support
0%
Description
Requesting the integrated support to be able to ship pfblockerng logs to a syslog server. This is crucial for organizations and users utilizing a SIEM, etc. for their security visibility.
Updated by Tue Madsen about 1 year ago
I completely agree. The lack of integrated SYSLOG support (independent of local pfBlockerNG logging) is a MAJOR drawback of this package.
There is a workaround having syslog-ng monitor the logfiles, but even that is useless since pfBlockerNG rewrites the log file from scratch (renaming a file) when it rotates logs. That causes the entire content of the logfile to be resent - causing duplicates in SIEM.
On another note: Adding an InfluxDB log export option as well would be perfect. InfluxDB is used a lot for "live" monitoring and history parsing of activity from fx. Grafana. There is also a workaround for this using the Telegraf package, but that is also a pretty bad solution because of the logfile rotation issue.
Updated by Tue Madsen about 1 year ago
Unfortunately I cannot code myself, so I have to ask for changes in detail instead. I think the solution should be made like this:
FIX: Change the log rotation scheme for pfb logfiles so anything monitoring/tailing a logfile does not get all events replayed on pfb update/rotation.
NEW: Please add an independent syslogging option to each logfile so every new entry is also sent off system via Syslog - the format for the sent lines should the be syslog standard instead of CSV.
I think the latter could be added in a very simple manner by just making the first FIX, and as part of that change the logfile format to syslog standard.
Then you could use the pfsense built-in syslog setup by just placing a pfb.conf file in /var/etc/syslog.d as all .conf files there are included by default.