Bug #7020
closed<Hostname> is omitted when sending logs on syslog
0%
Description
When sending "filterlog" over syslog the standard defined in https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2 (<Timestamp> <Hostname> filterlog: <CSV data>) is not followed.
According to https://www.ietf.org/rfc/rfc3164.txt, a message that are sent to a remote host should include a header. In 4.1.2, the HEADER is explained; The HEADER contains two fields called the TIMESTAMP and the HOSTNAME. The TIMESTAMP will immediately follow the trailing ">" from the PRI part and single space characters MUST follow each of the TIMESTAMP and HOSTNAME fields. HOSTNAME will contain the hostname, as it knows itself. If it does not have a hostname, then it will contain its own IP address. If a device has multiple IP addresses, it has usually been seen to use the IP address from which the message is transmitted.
Filterlog log messages sent over syslog looks like this;
Nov 30 10:52:35 filterlog: 9,16777216,,1000000103,em0,match,block,in,4,0x0,,54,15133,0,none,6,tcp,40,x.x.x.x,x.x.x.x,48224,7547,0,S,1482288191,,37965,,
The field <Hostname> is not sent.
Some of the syslog sent from pfsense also includes that;
Dec 1 07:52:09 pfsense.effnet nginx: 10.5.10.105 - - [01/Dec/2016:07:52:09 +0100] "GET /widgets/widgets/suricata_alerts.widget.php?getNewAlerts=1480575129371 HTTP/1.1" 200 199 "https://10.5.20.1/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
If this is considered as "not a bug", the web page https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2 should be updated accordingly and the the behavor of the other messages transmitted from pfsense which includes the hostname should be changed.