OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: roli8200 on April 05, 2018, 04:29:18 pm

Title: Wrong remote syslog log format
Post by: roli8200 on April 05, 2018, 04:29:18 pm
Hello

I tried to build up a centralized log server which analyses the syslog messages from a bunch of OPNsense firewalls connecting different segments together, as a kind of centralized downstream intrusion detection system which sends alarm SMS. After a lot of testing of different products, which always generated only waste data out of the sent syslog messages, I started to analyse the syslog data sent from OPNsense itself via netcat (nc -l -u -p 514)
and what do I see:

<134>Apr  5 16:02:19 filterlog: 59,,,0,em0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,xx.1.xx.1,xx.1.xx.100,29402,10050,0,S,812657615,,65228,,mss;nop;wscale;sackOK;TS

What's missing here: right, the hostname.
It should be:
<134>Apr  5 16:02:19 vm-fwgw-01 filterlog: ....

see here: https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/bsdsyslog-header.html
and here: https://en.wikipedia.org/wiki/Syslog, https://de.wikipedia.org/wiki/Syslog

Strangely the log files on the filesystem are correct:
Apr  5 16:02:43 vm-fwgw-01 openvpn[28872]: MANAGEMENT: CMD 'quit'

Seems like some wrong compile option.

Then, to have real information about what's going on on all the firewalls, it would be nice if the Suricata logs could also be transmitted to a remote syslog server.
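As an added example (not code from the original post or from OPNsense), a small collector-side parser for the BSD syslog header that flags the missing-hostname case described above and attributes such messages to the sender's UDP source address instead. The sample lines and IP addresses are constructed, not captured from a real firewall.

```python
import re
from typing import Optional

# Constructed sample lines (not captured from a real firewall): the first has the shape
# reported in the post (no hostname after the timestamp), the second is the expected form.
SAMPLE_LINES = [
    "<134>Apr  5 16:02:19 filterlog: 59,,,0,em0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,"
    "198.51.100.1,198.51.100.100,29402,10050,0,S,812657615,,65228,,mss;nop;wscale;sackOK;TS",
    "<134>Apr  5 16:02:43 vm-fwgw-01 openvpn[28872]: MANAGEMENT: CMD 'quit'",
]

# RFC 3164 header: "<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG"
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<rest>.+)$"
)


def parse_bsd_syslog(line: str, sender_ip: Optional[str] = None) -> Optional[dict]:
    """Parse a BSD-syslog line; when the HOSTNAME field is missing, fall back to sender_ip."""
    m = HEADER.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23, severity 0..7
        return None
    rest = m.group("rest")
    first, _, remainder = rest.partition(" ")
    # A hostname never ends in ':' or carries a '[pid]'; if the first word does, the
    # sender skipped HOSTNAME and went straight to TAG, which is the symptom in the post.
    if first.endswith(":") or "[" in first:
        hostname, tag_and_msg = None, rest
    else:
        hostname, tag_and_msg = first, remainder
    tag, _, msg = tag_and_msg.partition(":")
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "hostname": hostname,
        "hostname_missing": hostname is None,
        # On a collector, attribute a hostname-less message to the UDP source address so
        # alerts from several firewalls cannot be confused with each other.
        "origin": hostname if hostname else sender_ip,
        "tag": tag.strip(),
        "msg": msg.strip(),
    }


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_bsd_syslog(sample, sender_ip="192.0.2.10"))
```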
Title: Re: Wrong remote syslog log format
Post by: fabian on April 05, 2018, 05:47:50 pm
You can do that: https://github.com/fabianfrz/opnsense-logstash-config/blob/master/opnsense.conf#L1-L10
Title: Re: Wrong remote syslog log format
Post by: GLR on July 19, 2018, 10:17:02 pm
See the work in progress on the syslog issues here:
https://github.com/opnsense/core/issues/1228
https://github.com/opnsense/core/issues/1857
https://github.com/opnsense/core/issues/2349

Basically, syslogd is being replaced by syslog-ng at least for the remote sending part and the target release is now 19.1.