
firewall.pfsense

The tags beginning with firewall.pfsense identify log events generated by the pfSense Firewall.

pfSense can forward selected logs to a remote syslog server. In earlier releases only the IP address of the remote syslog server can be specified, so all events are sent to the default syslog port, UDP 514. Later releases let you specify the port as well.

Tag structure

The full tag must have at least three levels. The first two are fixed as firewall.pfsense. The third level identifies the log type and must be one of everything, filterlog, firewall, or system. The fourth level (subtype) is not required.

technology: firewall
brand: pfsense
log type: one of
  • everything
  • filterlog
  • firewall
  • system
subtype: not required

Therefore, the valid tags include:

  • firewall.pfsense.everything
  • firewall.pfsense.filterlog
  • firewall.pfsense.firewall
  • firewall.pfsense.system

For more information, read more about Devo tags.

Configuration

The configuration steps are slightly different, depending on the pfSense release you are using:

pfSense 2.2

This configuration applies to pfSense 2.2 and all earlier releases. There are two main steps to follow in this process:

  • Devo Relay rules
  • pfSense configuration

Devo Relay rules

You should define two rules, as described below. They must be placed in the indicated order on the relay so that Rule 1 is applied before Rule 2.

Rule 1: Apply the firewall.pfsense.firewall tag to all events received on port 514 that contain the syslog tag "pf"

  • Source Port → 514
  • SourceTag → pf
  • Target Tag → firewall.pfsense.firewall
  • Check the Stop Processing checkbox

Rule 2: Apply the firewall.pfsense.system tag to all other events received on the same port

  • Source Port → 514
  • Target Tag → firewall.pfsense.system
  • Select the Is prefix checkbox to append the event's syslog tag to the Target Tag.


pfSense configuration

  • Modify the configuration file to prevent multi-line events, which tcpdump sometimes generates and which break the log format. Edit the file /etc/inc/filter.inc from the console or from the management interface (Diagnostics → Edit File).
/etc/inc/filter.inc file modification
Replace this line:
    mwexec_bg("/usr/sbin/tcpdump -s 256 -v -l -n -e -ttt -i pflog0 | logger -t pf -p local0.info");
By this:
    mwexec_bg("/usr/sbin/tcpdump -s 256 -v -l -n -e -ttt -i pflog0 | /usr/bin/sed -l -E 'N;s/\\n[ \\t]+/ /;P;D;' | logger -t pf -p local0.info");
  • For the changes to be effective, you must restart pfSense with the reboot command from the console or from the management interface (go to Diagnostics → Reboot area).
  • Once the service has been restarted, configure the sending to syslog via the pfSense graphic interface:
  1. Go to Status → System Logs → Settings area.
  2. Check the box Log packets blocked by the default rule.
  3. Check the box Enable syslogging to remote syslog server.
  4. Enter the IP address of your Devo Relay in the Server1 field.
  5. Check the boxes of the event types you want to forward (at least system and firewall events).
  6. Click on Save.

  • In the Firewall → Rules section, edit the rules you want to log and enable the Log packets that are handled by this rule option on each rule.

  • Click on Apply changes button from Firewall → Rules area.
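To check that the sed program in the filter.inc change does what the procedure relies on, here is an added example (not part of the original page and not pfSense code) that runs the same sed expression over constructed tcpdump-style output: one packet that tcpdump prints as a header line plus an indented transport line, one message with no continuation, and a second two-line packet. FreeBSD's -l option (line-buffered output) is left out because GNU sed reads -l as a line-length option; the sed program itself is unchanged. The sample lines are constructed, not captured from a firewall, and the output is not piped to logger so that running the script does not write to the system log.

```shell
#!/bin/sh
# Added example: exercises the sed program from the filter.inc change on
# constructed input. Not pfSense code. The sample is modelled on tcpdump -v
# output for pflog0: one packet produces a header line and an indented
# transport line; one line is included that needs no join.
sample_tcpdump_output() {
  printf '%s\n' \
    '00:00:01.000000 rule 5/0(match): block in on igb0: (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)' \
    '    203.0.113.10.443 > 192.0.2.5.51234: Flags [S], seq 1, win 65535, length 0' \
    'single-line message that has no continuation' \
    '00:00:02.000000 rule 5/0(match): block in on igb0: (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto UDP (17), length 78)' \
    '    198.51.100.7.53 > 192.0.2.5.40000: 1234 1/0/0 A 192.0.2.99 (50)'
}

# Same sed program as the modified mwexec_bg() line. N appends the next line
# to the pattern space; the substitution replaces "newline + leading blanks"
# with a space; P prints up to the first newline; D deletes that part and
# restarts the cycle without reading new input if anything is left.
# FreeBSD's -l (line-buffered) is left out: GNU sed reads -l as line length.
join_multiline() {
  sed -E 'N;s/\n[ \t]+/ /;P;D;'
}

# Number of events after joining (5 input lines -> 3 events)
joined_event_count() {
  sample_tcpdump_output | join_multiline | wc -l | tr -d ' '
}

# First joined event, for inspection
first_joined_event() {
  sample_tcpdump_output | join_multiline | sed -n '1p'
}

# Stand-alone run: print the joined events
sample_tcpdump_output | join_multiline
```

Running the script prints three events; the header and transport lines of each packet are on one line, and the message without a continuation passes through untouched. A line that is not indented is never glued to the previous one, which is what keeps two consecutive single-line messages separate.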

pfSense 2.3

There are two main steps to follow in the configuration process:

  • Devo Relay rules
  • pfSense configuration

Devo Relay rules

You should define two rules, as described below. They must be placed in the indicated order on the relay so that Rule 1 is applied before Rule 2.

Rule 1: Apply the firewall.pfsense.filterlog tag to all events received on port 514 that contain the syslog tag "filterlog"

  • Source Port → 514
  • SourceTag → filterlog
  • Target Tag → firewall.pfsense.filterlog
  • Check the Stop Processing checkbox

Rule 2: Apply the firewall.pfsense.system tag to all other events received on the same port

  • Source Port → 514
  • Target Tag → firewall.pfsense.system
  • Select the Is prefix checkbox to append the event's syslog tag to the Target Tag.
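The relay rules for pfSense 2.2 (syslog tag "pf") and for pfSense 2.3 (syslog tag "filterlog") differ only in Rule 1. The following added example, which is not Devo relay code and not part of the original page, models both rule sets and applies them to constructed pfSense syslog lines, so you can see which Devo tag each kind of event ends up with and why a rule set written for one release mis-tags the firewall log of the other. The rule semantics (ordered evaluation, Source Port and Source Tag match, Stop Processing, Is prefix appending the event's syslog tag) are taken from the descriptions above; how the relay implements them internally is an assumption. The sample lines, the hostname on one of them, the PIDs and the addresses are all constructed.

```shell
#!/bin/sh
# Added example, not Devo relay code: models the two relay rules for both
# releases and applies them to constructed pfSense syslog lines. Rule
# semantics (ordered evaluation, Source Port and Source Tag match,
# Stop Processing, Is prefix) follow the page; the relay's internals are
# an assumption.

# Rules as "source_port|source_tag|target_tag|stop|prefix" (empty source_tag = any)
RULES_22='514|pf|firewall.pfsense.firewall|1|0
514||firewall.pfsense.system|0|1'
RULES_23='514|filterlog|firewall.pfsense.filterlog|1|0
514||firewall.pfsense.system|0|1'

# Constructed BSD-syslog lines: <PRI>Mon DD HH:MM:SS [host] tag[pid]: message.
# Field values are illustrative, not captured from a firewall.
EV_FILTERLOG='<134>Jun 10 12:00:01 filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,1,0,DF,6,tcp,60,203.0.113.10,192.0.2.5,443,51234'
EV_PF='<134>Jun 10 12:00:02 pf: 00:00:01.000000 rule 5/0(match): block in on igb0: 203.0.113.10.443 > 192.0.2.5.51234: Flags [S]'
EV_SSHD='<38>Jun 10 12:00:03 sshd[12345]: Accepted publickey for admin from 192.0.2.20 port 50000 ssh2'
EV_PHP='<30>Jun 10 12:00:04 fw01 php-fpm[321]: /index.php: Successful login for user admin from: 192.0.2.20'

# Syslog tag of a line: strip PRI and timestamp, an optional hostname and
# an optional [pid]; print the program name that precedes the colon.
syslog_tag() {
  printf '%s\n' "$1" | sed -E \
    's/^<[0-9]+>[A-Z][a-z]{2} +[0-9]{1,2} [0-9:]{8} ([^ :]+ )?([A-Za-z0-9_.-]+)(\[[0-9]+\])?:.*/\2/'
}

# relay_tag PORT LINE RULES: walk the rules in order and print the Devo tag
# the event would receive, or nothing if no rule matches.
relay_tag() {
  port=$1
  tag=$(syslog_tag "$2")
  printf '%s\n' "$3" | {
    result=""
    while IFS='|' read -r rport rtag target stop prefix; do
      [ "$rport" = "$port" ] || continue                    # Source Port
      [ -z "$rtag" ] || [ "$rtag" = "$tag" ] || continue    # Source Tag, if set
      if [ "$prefix" = 1 ]; then
        result="$target.$tag"                               # Is prefix
      else
        result=$target
      fi
      if [ "$stop" = 1 ]; then break; fi                    # Stop Processing
    done
    printf '%s\n' "$result"
  }
}

# Stand-alone run: show the tag each sample gets under each release's rules
for ev in "$EV_FILTERLOG" "$EV_PF" "$EV_SSHD" "$EV_PHP"; do
  printf '%-10s 2.2 -> %-34s 2.3 -> %s\n' "$(syslog_tag "$ev")" \
    "$(relay_tag 514 "$ev" "$RULES_22")" "$(relay_tag 514 "$ev" "$RULES_23")"
done
```

Under the 2.3 rules the filterlog event gets firewall.pfsense.filterlog and the sshd event gets firewall.pfsense.system.sshd, the Is prefix rule having appended the syslog tag. Under the 2.2 rules the same filterlog event falls through Rule 1 (its tag is not "pf") and lands in firewall.pfsense.system.filterlog, which is the symptom to look for when a relay is still configured for the older release. An event arriving on any port other than 514 matches no rule and gets no tag, so the port pfSense sends to must be the relay port named in the rules.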


pfSense configuration

Configure the sending of log events to the Devo Relay (a remote syslog server) using the pfSense web management interface:

  1. Go to Status → System Logs → Settings area.
  2. Check the box Log packets matched from the default block rules in the ruleset.
  3. Check the box Send log messages to remote syslog server.
  4. Enter your Devo Relay's IP address and the port its syslog listener uses in the Remote log servers field, for example 10.10.100.210:514. The port must match the Source Port used in the relay rules above.
  5. Check the boxes of the event types you want to forward.
  6. Click Save.
  7. In the Firewall → Rules section, edit the rules you want to register and enable the Log packets that are handled by this rule option on each rule.
  8. Click Apply changes.