firewall.pfsense
- Juan Tomás Alonso Nieto (Deactivated)
- Former user (Deleted)
Introduction
The tags beginning with firewall.pfsense identify log events generated by the pfSense Firewall.
In pfSense you can configure the sending of selected logs to a remote syslog server. In earlier releases of pfSense, it is only possible to specify the IP address of the remote syslog server, therefore all events are forwarded to the default UDP port 514. However, in later releases you can specify a port of your choosing.Â
Tag structure
The full tag must have at least three levels. The first two are fixed as firewall.pfsense. The third level identifies the log type and the fourth element is not required.
Therefore, the valid tags include:
Product / Service | Tags | Data tables |
|---|---|---|
 pfSense firewall |
|
|
|
| |
|
| |
|
|
For more information, read more about Devo tags.
Configuration
The configuration steps are slightly different, depending on the pfSense release you are using:
pfSense 2.2
This configuration applies for the pfSense 2.2 and all previous versions. There are two main steps to follow in this process:
Devo Relay rules
pfSense configuration
Devo Relay rules
You should define two rules, as described below. They must be placed in the indicated order on the relay so that Rule 1 is applied before Rule 2.
Rule 1
Apply the firewall.pfsense.firewall tag to all events received on port 514 and contain the syslog tag "pf"Â
Source port →
514Source tag →
pfTarget tag → firewall.pfsense.firewall
Check the Stop processing checkbox
Rule 2
Apply the firewall.pfsense.system tag to all other events received on the same port
Source port →
514Target tag →
firewall.pfsense.systemSelect the Is prefix checkbox to append the event's syslog tag to the Target tag.
pfSense configuration
Modify the configuration file to avoid the generation of multi-line events, which sometimes are generated by
tpcdump, and break the log format. Modify the file/etc/inc/filter.incfrom the console or from the management interface (Diagnostics → Edit File).
/etc/inc/filter.inc file modification
Replace this line:
mwexec_bg("/usr/sbin/tcpdump -s 256 -v -l -n -e -ttt -i pflog0 | logger -t pf -p local0.info");
By this:
mwexec_bg("/usr/sbin/tcpdump -s 256 -v -l -n -e -ttt -i pflog0 | /usr/bin/sed -l -E 'N;s/\\n[ \\t]+/ /;P;D;' | logger -t pf -p local0.info");For the changes to be effective, you must restart pfSense with the reboot command from the console or from the management interface (go to Diagnostics → Reboot area).
Once the service has been restarted, configure the sending to syslog via the pfSense graphic interface:
Go to Status → System Logs → Settings area.
Check the box Log packets blocked by the default rule.
Check the box Enable syslogging to remote syslog server.
Introduce your In-house Relay IP address in the Server1 field.
Check the boxes of the event types you want to register (at least system and firewall events).
Click on Save.
In the Firewall → Rules section, edit the rules you want to register by enabling the following option on each rule.
Click on Apply changes button from Firewall → Rules area.
pfsense 2.3
There are two main steps to follow in the configuration process:
Devo Relay rules
pfSense configuration
Devo Relay rules
You should define two rules, as described below. They must be placed in the indicated order on the relay so that Rule 1 is applied before Rule 2.
Rule 1
Apply the firewall.pfsense.filterlog tag to all events received on port 514 and contain the syslog tag "filterlog"Â
Source port →
514Source tag →
filterlogTarget tag →
firewall.pfsense.filterlogCheck the Stop processing checkbox
Rule 2
Apply the firewall.pfsense.system tag to all other events received on the same port
Source port →
514Target tag →
firewall.pfsense.systemSelect the Is prefix checkbox to append the event's syslog tag to the Target tag.
pfSense configuration
Configure the sending of log events to the Devo Relay (a remote syslog server) using the pfSense web management interface:
Go to Status → System Logs → Settings area.
Check the box Log packets matched from the default block rules in the ruleset.
Check the box Send log messages to remote syslog server.
Enter your Devo Relay's IP address and port in the Remote log servers field. For example, 10.10.100.210:514
Check the boxes of the event types you want to forward.
Click Save.
In the Firewall → Rules section, edit the rules you want to register and enable the Log packets that are handled by this rule option on each rule.
Click Apply changes.
Table structure
These are the fields displayed in these tables:
firewall.pfsense.everything
Field | Type | Source field name | Extra fields |
|---|---|---|---|
eventdate |
| Â | Â |
machine |
| vmachine | Â |
logType |
| Â | Â |
timestamp |
| Â | Â |
ruleNumber |
| Â | Â |
subRuleNumber |
| Â | Â |
action |
| Â | Â |
username |
| Â | Â |
anchor |
| Â | Â |
tracker |
| Â | Â |
realInterface |
| Â | Â |
reasonLogEntry |
| Â | Â |
actionTaken |
| Â | Â |
trafficDirection |
| Â | Â |
ipVersion |
| Â | Â |
TOS |
| Â | Â |
ECN |
| Â | Â |
TTL |
| Â | Â |
ID |
| Â | Â |
offset |
| Â | Â |
flags |
| Â | Â |
protocol |
| Â | Â |
protocolId |
| Â | Â |
multicastAddress |
| Â | Â |
ipv6 |
| Â | Â |
length |
| Â | Â |
sourceIp |
| Â | Â |
destinationIp |
| Â | Â |
srcPort |
| Â | Â |
dstPort |
| Â | Â |
dataLength |
| Â | Â |
via |
| Â | Â |
response |
| Â | Â |
method |
| Â | Â |
rawUrl |
| Â | Â |
statusCode |
| Â | Â |
requestLength |
| Â | Â |
url |
| Â | Â |
referrer |
| Â | Â |
hostchain |
|  | ✓ |
tag |
|  | ✓ |
firewall.pfsense.filterlog
Field | Type | Source field name | Extra fields |
|---|---|---|---|
eventdate |
| Â | Â |
machine |
| vmachine | Â |
ruleNumber |
| Â | Â |
subRuleNumber |
| Â | Â |
anchor |
| Â | Â |
tracker |
| Â | Â |
realInterface |
| Â | Â |
reasonLogEntry |
| Â | Â |
actionTaken |
| Â | Â |
directionTraffic |
| Â | Â |
ipVersion |
| Â | Â |
TOS |
| Â | Â |
ECN |
| Â | Â |
TTL |
| Â | Â |
ID |
| Â | Â |
Offset |
| Â | Â |
flags |
| Â | Â |
protocolId |
| Â | Â |
protocolText |
| Â | Â |
length |
| Â | Â |
srcIp |
| Â | Â |
dstIp |
| Â | Â |
srcPort |
| Â | Â |
dstPort |
| Â | Â |
srcIpv6 |
| Â | Â |
dstIpv6 |
| Â | Â |
dataLength |
| Â | Â |
tcpFlags |
| Â | Â |
sequenceNumber |
| Â | Â |
ACK |
| Â | Â |
window |
| Â | Â |
URG |
| Â | Â |
options |
| Â | Â |
icmpType |
| Â | Â |
icmpId |
| Â | Â |
icmpSequence |
| Â | Â |
class |
| Â | Â |
flowLabel |
| Â | Â |
hopLimit |
| Â | Â |
hostchain |
|  | ✓ |
tag |
|  | ✓ |
rawMessage |
| rawSource | ✓ |
firewall.pfsense.firewall
Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
eventdate |
| Â | Â | Â |
machine |
| Â | vmachine | Â |
level |
| Â | Â | Â |
reason |
| Â | Â | Â |
action |
| Â | Â | Â |
rule |
| Â | Â | Â |
flow |
| Â | Â | Â |
iface |
| Â | Â | Â |
proto |
| Â | Â | Â |
srcIp |
| (length(split(srcIpPort, "."), as, ip) = 4) ? ip4(srcIpPort) : (length(ip) = 5) ? ip4(ip[0], +"." + ip[1] + "." + ip[2] + "." + ip[3]) : null | srcIpPort ip as | Â |
srcPort |
| (length(split(srcIpPort, "."), as, ip) = 5) ? int4(ip[4]) : null | srcIpPort ip as | Â |
dstIp |
| dstIpPort ip as | Â | |
dstPort |
| dstIpPort ip as | Â | |
message |
| Â | Â | Â |
delta |
| Â | Â | Â |
tos |
| Â | Â | Â |
ttl |
| Â | Â | Â |
ipID |
| Â | Â | Â |
off |
| Â | Â | Â |
ipFlags |
| Â | Â | Â |
ipLength |
| Â | Â | Â |
numProto |
| Â | Â | Â |
tcpFlags |
| Â | Â | Â |
cksum |
| Â | Â | Â |
cksumRes |
| Â | Â | Â |
seqNum |
| Â | Â | Â |
ackNum |
| Â | Â | Â |
win |
| Â | Â | Â |
tcpOpts |
| Â | Â | Â |
tcpLength |
| Â | Â | Â |
hostchain |
|  |  | ✓ |
tag |
|  |  | ✓ |
rawMessage |
|  | rawSource | ✓ |
firewall.pfsense.system
Field | Type | Source field name | Extra fields |
|---|---|---|---|
eventdate |
| Â | Â |
machine |
| vmachine | Â |
level |
| Â | Â |
application |
| Â | Â |
message |
| Â | Â |
hostchain |
|  | ✓ |
tag |
|  | ✓ |
rawMessage |
| message | ✓ |