
firewall.pfsense

Introduction

The tags beginning with firewall.pfsense identify log events generated by the pfSense Firewall.

In pfSense you can configure the sending of selected logs to a remote syslog server. In earlier releases of pfSense, only the IP address of the remote syslog server can be specified, so all events are forwarded to the default UDP port 514. In later releases you can specify a port of your choosing.

Tag structure

The full tag must have at least three levels. The first two are fixed as firewall.pfsense. The third level identifies the log type; a fourth level is optional.

Therefore, the valid tags include:

| Product / Service | Tags | Data tables |
|---|---|---|
| pfSense firewall | firewall.pfsense.everything | firewall.pfsense.everything |
| | firewall.pfsense.filterlog | firewall.pfsense.filterlog |
| | firewall.pfsense.firewall | firewall.pfsense.firewall |
| | firewall.pfsense.system | firewall.pfsense.system |

For more information, read more about Devo tags.

Configuration

The configuration steps are slightly different, depending on the pfSense release you are using:

pfSense 2.2

This configuration applies to pfSense 2.2 and all previous versions. There are two main steps to follow in this process:

  • Devo Relay rules

  • pfSense configuration

Devo Relay rules

You should define two rules, as described below. They must be placed in the indicated order on the relay so that Rule 1 is applied before Rule 2.

Rule 1

Apply the firewall.pfsense.firewall tag to all events received on port 514 that contain the syslog tag "pf":

  • Source port → 514

  • Source tag → pf

  • Target tag → firewall.pfsense.firewall

  • Check the Stop processing checkbox

Rule 2

Apply the firewall.pfsense.system tag to all other events received on the same port:

  • Source port → 514

  • Target tag → firewall.pfsense.system

  • Select the Is prefix checkbox to append the event's syslog tag to the Target tag.


pfSense configuration

  • Modify the configuration file to avoid multi-line events, which tcpdump sometimes generates and which break the log format. Edit the file /etc/inc/filter.inc from the console or from the management interface (Diagnostics → Edit File).

/etc/inc/filter.inc file modification

Replace this line:

    mwexec_bg("/usr/sbin/tcpdump -s 256 -v -l -n -e -ttt -i pflog0 | logger -t pf -p local0.info");

with this one, which makes sed join each indented continuation line onto the line before it before the event reaches logger:

    mwexec_bg("/usr/sbin/tcpdump -s 256 -v -l -n -e -ttt -i pflog0 | /usr/bin/sed -l -E 'N;s/\\n[ \\t]+/ /;P;D;' | logger -t pf -p local0.info");

  • For the changes to take effect, restart pfSense with the reboot command from the console or from the management interface (Diagnostics → Reboot).

  • Once the service has restarted, configure log forwarding to syslog in the pfSense web interface:

  1. Go to Status → System Logs → Settings area.

  2. Check the box Log packets blocked by the default rule.

  3. Check the box Enable syslogging to remote syslog server.

  4. Enter your in-house Devo Relay IP address in the Server1 field.

  5. Check the boxes of the event types you want to register (at least system and firewall events).

  6. Click on Save.

  • In the Firewall → Rules section, edit each rule you want to log and enable the Log packets that are handled by this rule option on it.

  • Click on Apply changes button from Firewall → Rules area.

pfSense 2.3

There are two main steps to follow in the configuration process:

  • Devo Relay rules

  • pfSense configuration

Devo Relay rules

You should define two rules, as described below. They must be placed in the indicated order on the relay so that Rule 1 is applied before Rule 2.

Rule 1

Apply the firewall.pfsense.filterlog tag to all events received on port 514 that contain the syslog tag "filterlog":

  • Source port → 514

  • Source tag → filterlog

  • Target tag → firewall.pfsense.filterlog

  • Check the Stop processing checkbox

Rule 2

Apply the firewall.pfsense.system tag to all other events received on the same port:

  • Source port → 514

  • Target tag → firewall.pfsense.system

  • Select the Is prefix checkbox to append the event's syslog tag to the Target tag.
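Both rule sets (the pfSense 2.2 pair above and the 2.3 pair here) can be checked before they are put on the relay by replaying sample syslog lines through them. The following Python is an added example, not Devo or pfSense code: the rule-evaluation model (every matching rule emits the event under its tag until a matching rule with Stop processing ends evaluation) and the syslog header pattern are assumptions, and the sample events are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# BSD-syslog header as pfSense sends it to UDP/514: <PRI>Mon DD HH:MM:SS host program[pid]: msg
SYSLOG_RE = re.compile(
    r"^(?:<\d{1,3}>)?\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ "
    r"(?P<program>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

@dataclass
class RelayRule:
    source_port: int
    target_tag: str
    source_tag: Optional[str] = None   # None matches any syslog tag
    is_prefix: bool = False            # append the event's syslog tag to target_tag
    stop_processing: bool = False      # no later rule sees the event

# The two rule sets described on this page, in the order they must sit on the relay.
RULES_2_2 = [RelayRule(514, "firewall.pfsense.firewall", "pf", stop_processing=True),
             RelayRule(514, "firewall.pfsense.system", is_prefix=True)]
RULES_2_3 = [RelayRule(514, "firewall.pfsense.filterlog", "filterlog", stop_processing=True),
             RelayRule(514, "firewall.pfsense.system", is_prefix=True)]

def syslog_program(line: str) -> Optional[str]:
    """Return the syslog tag (program name) that the relay compares with 'Source tag'."""
    m = SYSLOG_RE.match(line)
    return m.group("program") if m else None

def relay_tags(line: str, port: int, rules: List[RelayRule]) -> List[str]:
    """Simplified relay model (assumption): every matching rule emits the event under its
    tag, in rule order, until a matching rule with 'Stop processing' ends evaluation."""
    program = syslog_program(line)
    tags: List[str] = []
    for rule in rules if program else []:
        if rule.source_port != port or (rule.source_tag and rule.source_tag != program):
            continue
        tags.append(f"{rule.target_tag}.{program}" if rule.is_prefix else rule.target_tag)
        if rule.stop_processing:
            break
    return tags

# Constructed sample events (RFC 5737 documentation addresses, not real traffic).
FILTERLOG = "<134>Mar 10 12:00:01 pfsense filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1,0,none,6,tcp,60,192.0.2.10,198.51.100.5,52234,443,0,S,1,,65535,,mss"
SSHD = "<38>Mar 10 12:00:02 pfsense sshd[1234]: Accepted publickey for admin from 192.0.2.20 port 50000 ssh2"
PF_2_2 = "<134>Mar 10 12:00:03 pfsense pf: 00:00:00.123456 rule 5/0(match): block in on igb1: 192.0.2.10.52234 > 198.51.100.5.443: tcp 0"

if __name__ == "__main__":  # reversing the rule order shows the duplicate the page's ordering prevents
    print(relay_tags(FILTERLOG, 514, RULES_2_3), relay_tags(SSHD, 514, RULES_2_3), relay_tags(PF_2_2, 514, RULES_2_2))
    print(relay_tags(FILTERLOG, 514, RULES_2_3[::-1]))
```

With the rules reversed, a filterlog event is emitted twice (as firewall.pfsense.system.filterlog and then as firewall.pfsense.filterlog), which is the duplication the required order and the Stop processing checkbox avoid.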


pfSense configuration

Configure the sending of log events to the Devo Relay (a remote syslog server) using the pfSense web management interface:

  1. Go to Status → System Logs → Settings area.

  2. Check the box Log packets matched from the default block rules in the ruleset.

  3. Check the box Send log messages to remote syslog server.

  4. Enter your Devo Relay's IP address and port in the Remote log servers field. For example, 10.10.100.210:514

  5. Check the boxes of the event types you want to forward.

  6. Click Save.

  7. In the Firewall → Rules section, edit the rules you want to register and enable the Log packets that are handled by this rule option on each rule.

  8. Click Apply changes.

Table structure

These are the fields displayed in these tables:

firewall.pfsense.everything

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| machine | str | vmachine | |
| logType | str | | |
| timestamp | str | | |
| ruleNumber | str | | |
| subRuleNumber | str | | |
| action | str | | |
| username | str | | |
| anchor | str | | |
| tracker | str | | |
| realInterface | str | | |
| reasonLogEntry | str | | |
| actionTaken | str | | |
| trafficDirection | str | | |
| ipVersion | str | | |
| TOS | str | | |
| ECN | str | | |
| TTL | str | | |
| ID | str | | |
| offset | str | | |
| flags | str | | |
| protocol | str | | |
| protocolId | str | | |
| multicastAddress | str | | |
| ipv6 | str | | |
| length | str | | |
| sourceIp | str | | |
| destinationIp | str | | |
| srcPort | str | | |
| dstPort | str | | |
| dataLength | str | | |
| via | str | | |
| response | str | | |
| method | str | | |
| rawUrl | str | | |
| statusCode | str | | |
| requestLength | str | | |
| url | str | | |
| referrer | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |

firewall.pfsense.filterlog

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| machine | str | vmachine | |
| ruleNumber | str | | |
| subRuleNumber | str | | |
| anchor | str | | |
| tracker | str | | |
| realInterface | str | | |
| reasonLogEntry | str | | |
| actionTaken | str | | |
| directionTraffic | str | | |
| ipVersion | str | | |
| TOS | str | | |
| ECN | str | | |
| TTL | str | | |
| ID | str | | |
| Offset | str | | |
| flags | str | | |
| protocolId | str | | |
| protocolText | str | | |
| length | int8 | | |
| srcIp | ip4 | | |
| dstIp | ip4 | | |
| srcPort | int8 | | |
| dstPort | int8 | | |
| srcIpv6 | str | | |
| dstIpv6 | str | | |
| dataLength | str | | |
| tcpFlags | str | | |
| sequenceNumber | str | | |
| ACK | str | | |
| window | str | | |
| URG | str | | |
| options | str | | |
| icmpType | str | | |
| icmpId | str | | |
| icmpSequence | str | | |
| class | str | | |
| flowLabel | str | | |
| hopLimit | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | rawSource | ✓ |
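To see how one raw filterlog message lands in the columns above, here is an added Python example (not Devo's parser): it splits a message on commas following pfSense's documented filterlog column order, which this page does not spell out and which is assumed here, names the pieces with the table's field names, and then pivots on blocked inbound traffic per source address. The sample messages are constructed.

```python
from collections import Counter
from typing import Dict, Iterable, Optional

# Column order of pfSense's filterlog CSV message. This is pfSense's documented layout,
# stated here as an assumption; the page only lists the resulting table columns.
COMMON = ["ruleNumber", "subRuleNumber", "anchor", "tracker", "realInterface",
          "reasonLogEntry", "actionTaken", "directionTraffic", "ipVersion"]
IPV4 = ["TOS", "ECN", "TTL", "ID", "Offset", "flags", "protocolId", "protocolText",
        "length", "srcIp", "dstIp"]
IPV6 = ["class", "flowLabel", "hopLimit", "protocolText", "protocolId", "length",
        "srcIpv6", "dstIpv6"]
TCP = ["srcPort", "dstPort", "dataLength", "tcpFlags", "sequenceNumber", "ACK",
       "window", "URG", "options"]
UDP = ["srcPort", "dstPort", "dataLength"]
ICMP = ["icmpType", "icmpId", "icmpSequence"]   # echo request/reply layout only

def parse_filterlog(message: str) -> Optional[Dict[str, str]]:
    """Map one filterlog message onto the firewall.pfsense.filterlog column names.
    Returns None when the message is too short to carry the common header."""
    parts = message.strip().split(",")
    if len(parts) < len(COMMON):
        return None
    fields = dict(zip(COMMON, parts))
    rest = parts[len(COMMON):]
    ip_cols = IPV4 if fields["ipVersion"] == "4" else IPV6
    fields.update(zip(ip_cols, rest))           # zip stops early on truncated input
    rest = rest[len(ip_cols):]
    proto = fields.get("protocolText", "").lower()
    l4_cols = {"tcp": TCP, "udp": UDP, "icmp": ICMP, "icmpv6": ICMP}.get(proto, [])
    fields.update(zip(l4_cols, rest))
    return fields

def blocked_inbound_sources(messages: Iterable[str]) -> Counter:
    """Count inbound blocks per source address, the usual first pivot on this table."""
    counts: Counter = Counter()
    for msg in messages:
        f = parse_filterlog(msg)
        if f and f["actionTaken"] == "block" and f["directionTraffic"] == "in":
            counts[f.get("srcIp") or f.get("srcIpv6")] += 1
    return counts

# Constructed sample messages (RFC 5737 / RFC 3849 documentation addresses).
SAMPLES = [
    "5,,,1000000103,igb1,match,block,in,4,0x0,,64,6512,0,none,6,tcp,60,192.0.2.10,198.51.100.5,52234,443,0,S,123456789,,65535,,mss;sackOK;TS;nop;wscale",
    "5,,,1000000103,igb1,match,block,in,4,0x0,,64,6513,0,none,17,udp,60,192.0.2.10,198.51.100.5,40000,53,40",
    "7,,,1000000108,igb0,match,pass,out,6,0x00,0x00000,64,udp,17,40,2001:db8::1,2001:db8::2,5353,5353,32",
]

if __name__ == "__main__":
    print(parse_filterlog(SAMPLES[0])["dstPort"], blocked_inbound_sources(SAMPLES))
```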

firewall.pfsense.firewall

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| machine | str | | vmachine | |
| level | str | | | |
| reason | str | | | |
| action | str | | | |
| rule | str | | | |
| flow | str | | | |
| iface | str | | | |
| proto | str | | | |
| srcIp | ip4 | (length(split(srcIpPort, "."), as, ip) = 4) ? ip4(srcIpPort) : (length(ip) = 5) ? ip4(ip[0] + "." + ip[1] + "." + ip[2] + "." + ip[3]) : null | srcIpPort, ip, as | |
| srcPort | int4 | (length(split(srcIpPort, "."), as, ip) = 5) ? int4(ip[4]) : null | srcIpPort, ip, as | |
| dstIp | ip4 | | dstIpPort, ip, as | |
| dstPort | int4 | | dstIpPort, ip, as | |
| message | str | | | |
| delta | str | | | |
| tos | str | | | |
| ttl | int4 | | | |
| ipID | int4 | | | |
| off | int4 | | | |
| ipFlags | str | | | |
| ipLength | int4 | | | |
| numProto | int4 | | | |
| tcpFlags | str | | | |
| cksum | str | | | |
| cksumRes | str | | | |
| seqNum | int8 | | | |
| ackNum | int8 | | | |
| win | int4 | | | |
| tcpOpts | str | | | |
| tcpLength | int4 | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | rawSource | ✓ |

firewall.pfsense.system

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| machine | str | vmachine | |
| level | str | | |
| application | str | | |
| message | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | message | ✓ |
