Wrong remote syslog log format

[roli8200]

Hello

I tried to build up a centralized log server which analyses the syslog messages from a brunch of opnsense firewalls connecting diffrent segments together as a kind of centralized downstreamed intrusion detection system which sends alarm sms. After a very lot of testing diffrent products which always generated only waste data out from the sent syslog messages started to analyse the sent syslog data from opnsense self via netcat (nc -l -u -p 514)
and what do I see:

<134>Apr  5 16:02:19 filterlog: 59,,,0,em0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,xx.1.xx.1,xx.1.xx.100,29402,10050,0,S,812657615,,65228,,mss;nop;wscale;sackOK;TS

Whats missing here: right, the hostname
It should be:
<134>Apr  5 16:02:19 vm-fwgw-01 filterlog: ....

see here: https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/bsdsyslog-header.html
and here: https://en.wikipedia.org/wiki/Syslog, https://de.wikipedia.org/wiki/Syslog

Strangely the log files on the filesystem are correct:
Apr  5 16:02:43 vm-fwgw-01 openvpn[28872]: MANAGEMENT: CMD 'quit'

seems some wrong compile option.

Then to have a real information whats going on on all the firewalls, it would be nice if the suricata logs could also be transmitted to a remote syslog server.

[fabian]

You can do that: https://github.com/fabianfrz/opnsense-logstash-config/blob/master/opnsense.conf#L1-L10

[GLR]

See the work in progress on the syslog issues here :
https://github.com/opnsense/core/issues/1228
https://github.com/opnsense/core/issues/1857
https://github.com/opnsense/core/issues/2349

Basically, syslogd is being replaced by syslog-ng at least for the remote sending part and the target release is now 19.1.