Feature #5889
closed
Added by Alex Vergilis over 9 years ago.
Updated over 9 years ago.
Description
Feature request to log IP addresses that are placed into lockout groups like sshlockout and virusprot.
It would aid in troubleshooting and analyzing potential intrusion attempts.
You could send your pfSense syslogs to a remote syslog for long-term storage/analysis.
That function is performed already. The issue is that the IP address is not logged by pfSense. There's no data to send.
Ideally it should log the IP and preferably the rule that blocked it.
In 2.3, you can edit /etc/inc/filter.inc and force it to log. Currently, it's only logging if the "Default logging" is enabled in System Log: Settings.
Original:
3204 if ($webConfiguratorlockoutport) {
3205 $ipfrules .= "block in {$log['block']} quick proto tcp from <webConfiguratorlockout> to (self) port {$webConfiguratorlockoutport} tracker {$increment_tracker($tracker)} label \"webConfiguratorlockout\"\n";
New:
3204 if ($webConfiguratorlockoutport) {
3205 $ipfrules .= "block in log quick proto tcp from <webConfiguratorlockout> to (self) port {$webConfiguratorlockoutport} tracker {$increment_tracker($tracker)} label \"webConfiguratorlockout\"\n";
SSHlockout line: 3187
Virusprot line: 3205
Then execute a "Filter Reload"
In 2.2.x:
sshlockout: Line: 2917
webConfiguratorlockout: Line: 2933
virusprot: Line: 2942
Not sure if the Devs would want to force this to log or add an option in System Log: Settings to enable/disable this logging...
I would think it should be forced to log all the time.
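The same information can be obtained without touching filter.inc or enabling default block logging: the lockout tables themselves can be read and their new members sent to syslog. The script below is an added example, not pfSense's own code; it assumes pfctl(8) and logger(1) on the firewall, and the PF_TABLE_INPUT variable is a hypothetical override used only to feed constructed sample data when run offline.

```shell
#!/bin/sh
# Added example (not pfSense's code): record which addresses have been added to the
# pf lockout tables so the locked-out IPs reach syslog (and any remote collector)
# without turning on default block logging for every rule.

# Normalised, sorted entries of one table: "pfctl -t <table> -T show" on a real box.
# PF_TABLE_INPUT (hypothetical, for offline runs) replaces the pfctl output when set.
table_entries() {
    if [ -n "${PF_TABLE_INPUT+x}" ]; then
        printf '%s\n' "$PF_TABLE_INPUT"      # constructed sample data, not a real table
    else
        pfctl -t "$1" -T show 2>/dev/null
    fi | sed 's/^[[:space:]]*//; /^$/d' | sort -u
}

# Print entries that were not present in the previous snapshot, then update the snapshot.
# $1 = table name (sshlockout, virusprot, webConfiguratorlockout), $2 = snapshot directory.
new_entries() {
    table="$1"; state_dir="$2"
    snap="$state_dir/$table"
    cur="$snap.cur"
    [ -f "$snap" ] || : > "$snap"            # first run: empty snapshot, everything is new
    table_entries "$table" > "$cur"
    comm -13 "$snap" "$cur"                  # lines only in the current listing
    mv "$cur" "$snap"
}

# One syslog line per newly locked-out address, tagged so it is easy to search for.
log_new_lockouts() {
    state_dir="$1"; shift
    for table in "$@"; do
        new_entries "$table" "$state_dir" | while IFS= read -r addr; do
            logger -t pf-lockout "table=$table added=$addr"
        done
    done
}

# Typical use from cron every minute:
#   log_new_lockouts /var/db/pf-lockout sshlockout virusprot webConfiguratorlockout
```

Because the rule that populates each table already carries a distinct label, the table name in the log line tells you which lockout mechanism caught the address, which is the rule information the original request asked for.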
- Status changed from New to Closed
IPs that get locked out are logged to the system log at the time of lockout. The block rule that blocks additional attempts logs by default and as long as default block logging is left enabled. It shouldn't always be forced, there can be situations where people don't want that to log. It's fine as is.
Chris,
Enabling default logging would log the entire internet attempting to access the default block rules, instead of specific hosts and TCP port rates. It will be more difficult to log, collect, store, search, and find relevant information if default logging is enabled.
I will be more than happy to pay you for the work to include this functionality.