# Syslog server



## balanga (Mar 4, 2016)

On my network I'm running pfSense and FreeNAS and am thinking of setting up a Syslog server... Where should I install it and are there any GUI programs available for checking logs?


----------



## Oko (Mar 5, 2016)

Centralized login server should be run on the separate infrastructure server. You could possibly run few of those Monitoring, Metric-monitoring, syslogs in a separate jail instances on the same FreeBSD machine. One could write a book about centralized logs and in particularly analyzing centralized logs (such books have been written). FreeNAS 9.3 uses syslog-ng (ng stands for "next generation") since FreeBSD stack syslog. Syslog-ng is really a good product both client and the server side. I forgot what latest pfSense is using. I hope it is not FreeBSD built in syslog as it really lacks the features (potential developers should get the clue from what OpenBSD guys have done with syslog TCP+TLS and many other nice things). Anyhow I run syslog-ng.

You have to install something on the top of syslog-ng  to search, analyze, and visualize log data.
Personally in my small lab  I use combination of regular expressions and sed/awk. However
two major players in the enterprise open source arena are  EFK (Elasticsearch Fluentd Kibana) and  ELK (Elastricsearch Logstash Kibana). The have slight preference for ELK.

IIRC you can purchase preconfigured ELK appliance (just like pfSense and FreeNAS). If you want free I would suggest looking at TurnKey Linux appliance.  Unfortunately I would guess that TurnKey uses Linux specific rsyslog under the hood. I have very low opinion about rsyslog in particular its behavior on  non-Linux systems.

Long story short your probably also need a full time syslog engineer to help you with this.


----------



## metsuke (Mar 5, 2016)

I use pfSense at home with a FreeBSD machine picking up all the logs for analysis with ELK.  Here are some of the details from my setup.  I use 10.0.0.1 as my pfSense IP.

/etc/rc.conf:

```
syslogd_enable="YES"
syslogd_flags="-a 10.0.0.1 -v -v -n -C"
```

/etc/syslog.conf:

```
+10.0.0.1
*.*                                             /data/pfsense/firewall.log
*.* @127.0.0.1:42185
```

I opened up 514 UDP, 9200 TCP, 9292 TCP, and 9300 TCP on my server to accept logs from 10.0.0.1

In pfSense, under Status->System Logs->Settings, I checked Enable Remote Logging, entered my server's IP and checked logs for Firewall, DHCP, and VPN.

From there, I tailed the firewall.log to my ELK VM's Samba share and told Logstash to ingest that log.


----------



## Ovidiu (Feb 9, 2017)

hi. please explain me how can I remove information about date, time, hostname, ( Feb  9 03:01:14 hostname service_name: ) from syslog files?
Thanks in advance


----------



## SirDice (Feb 9, 2017)

Ovidiu, the whole point of logging is to log this information. What use is a log line if you don't know when it happened, on what machine and which service caused it?


----------



## Ovidiu (Feb 9, 2017)

Yes, I got the idea
In my case, I have a pfSense running squid. I remotely sent the logs into another pfsense.
Because I have these information in the log file, Lightsquid doesn't want to read logs anymore: Feb  9 15:39:39 router (squid-1):
Thank you

Feb  9 15:39:39 router (squid-1): 1486647579.425     46 192.168.1.5 TCP_MISS/200 6048 GET http://google.com - ORIGINAL_DST/172.217.17.78 application/javascript


----------

