Project

General

Profile

Actions

Feature #14878

open

Integrated syslog support

Added by Alan Shearer about 1 year ago. Updated about 1 year ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
pfBlockerNG
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:

Description

Requesting the integrated support to be able to ship pfblockerng logs to a syslog server. This is crucial for organizations and users utilizing a SIEM, etc. for their security visibility.

Actions #1

Updated by Tue Madsen about 1 year ago

I completely agree. The lack of integrated SYSLOG support (independent of local pfBlockerNG logging) is a MAJOR drawback of this package.
There is a workaround having syslog-ng monitor the logfiles, but even that is useless since pfBlockerNG rewrites the log file from scratch (renaming a file) when it rotates logs. That causes the entire content of the logfile to be resent - causing duplicates in SIEM.

On another note: Adding an InfluxDB log export option as well would be perfect. InfluxDB is used a lot for "live" monitoring and history parsing of activity from fx. Grafana. There is also a workaround for this using the Telegraf package, but that is also a pretty bad solution because of the logfile rotation issue.

Actions #2

Updated by Tue Madsen about 1 year ago

Unfortunately I cannot code myself, so I have to ask for changes in detail instead. I think the solution should be made like this:

FIX: Change the log rotation scheme for pfb logfiles so anything monitoring/tailing a logfile does not get all events replayed on pfb update/rotation.
NEW: Please add an independent syslogging option to each logfile so every new entry is also sent off system via Syslog - the format for the sent lines should the be syslog standard instead of CSV.

I think the latter could be added in a very simple manner by just making the first FIX, and as part of that change the logfile format to syslog standard.
Then you could use the pfsense built-in syslog setup by just placing a pfb.conf file in /var/etc/syslog.d as all .conf files there are included by default.

Actions

Also available in: Atom PDF