Configuring a Syslog Server on pfSense with the syslog-ng Package

By default, pfSense logs data from the different components running on it.

The log files are a fixed size and never grow. As a consequence, each log only holds a certain number of entries, and old entries are continually pushed out of the log as new entries are added.

If you need log retention, the logs can be copied to another server with syslog, where they may be permanently retained or rotated with less frequency.

https://docs.netgate.com/pfsense/en/latest/book/monitoring/system-logs.html

In this post you will see how to install and configure the pfSense syslog-ng package (service) to gather the logs from pfSense.


Go to the Package Manager and search for syslog.


Now you can configure Syslog-ng, so click on Services > Syslog-ng.


Under Interface Selection, choose the interface the Syslog-ng daemon should listen on. In my case Syslog-ng should gather the logs from pfSense itself on the local system, so I choose the loopback interface.

Don't forget to check Enable syslog-ng!

You can also choose a CA and certificate to encrypt incoming and outgoing syslog messages using TLS. In this case the messages don't leave pfSense and the system itself, so we can leave this blank.

More about TLS options for syslog-ng under https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/release-notes/tls-options


At this point we should configure pfSense to send the log messages to the local syslog server (the Syslog-ng service). Click on Status > System Logs > Settings.


Check Enable Remote Logging and, under Remote log servers, enter the localhost IP and the port number of the Syslog-ng service, which is 5140 by default.

Optionally, you can send the logs to up to three remote log servers.

Under Remote Syslog Contents you can select which logs you want to send.



Check if the Service is running.


From now on you should see the logs directly under the Log Viewer menu from the Syslog-ng service.

The logs will be stored in /var/syslog-ng/.
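To confirm that a message sent to the loopback listener really ends up in /var/syslog-ng/, you can send a uniquely tagged test message and search the stored files for it. The script below is an added example, not part of the syslog-ng package or the original post; it assumes the listener accepts UDP on the default port 5140, that a Python 3 interpreter is available on the box, and the tag `syslogng-selftest` is a made-up name.

```python
import glob
import os
import socket
import time
import uuid

SYSLOG_HOST = "127.0.0.1"   # loopback listener chosen in this post
SYSLOG_PORT = 5140          # default syslog-ng port named in this post (UDP is assumed)
LOG_DIR = "/var/syslog-ng"  # storage directory named in this post


def build_datagram(marker, facility=1, severity=5, tag="syslogng-selftest"):
    """Build an RFC 3164 (BSD syslog) message; PRI is facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    t = time.localtime()
    stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    header = f"<{facility * 8 + severity}>{stamp} {socket.gethostname()}"
    return f"{header} {tag}: {marker}".encode()


def send_marker(host=SYSLOG_HOST, port=SYSLOG_PORT):
    """Send one test message carrying a random marker and return the marker."""
    marker = "selftest-" + uuid.uuid4().hex
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(build_datagram(marker), (host, port))
    return marker


def find_marker(marker, log_dir=LOG_DIR):
    """Return the sorted list of files under log_dir that contain the marker."""
    needle = marker.encode()
    hits = []
    for path in sorted(glob.glob(os.path.join(log_dir, "**", "*"), recursive=True)):
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            if any(needle in line for line in fh):
                hits.append(path)
    return hits


if __name__ == "__main__":
    marker = send_marker()
    time.sleep(2)  # give syslog-ng a moment to write the entry to disk
    files = find_marker(marker)
    print(f"marker {marker}: " + (", ".join(files) if files else "NOT FOUND"))
    raise SystemExit(0 if files else 1)
```

A non-zero exit status means the marker never reached disk, which points at the listener interface, the port, or the Enable syslog-ng checkbox.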




Links

Remote Logging with Syslog
https://docs.netgate.com/pfsense/en/latest/book/monitoring/remote-logging.html

System Logs
https://docs.netgate.com/pfsense/en/latest/book/monitoring/system-logs.html

Syslog-ng
https://en.wikipedia.org/wiki/Syslog-ng

Configuring System Logging on FreeBSD
https://www.freebsd.org/doc/handbook/configtuning-syslog.html