Skip to main content

Syslog - pfSense

Jason Phelps
  • Updated

TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: Firewall Syslog
ENVIRONMENT: pfSense
SUMMARY: Configuration Guide for pfSense firewalls

This page only covers the device-specific configuration, you'll still need to read Huntress Managed SIEM Syslog Guide to complete the Huntress Managed SIEM setup as well as opening a port in Microsoft Defender Firewall.

Vendor Information

Vendor

pfSense

Supported Model Name/Number

N/A

Supported Software Version(s)

CE - 2.7.1 and higher

Plus - 23.09.1 and higher

Collection Method

Syslog

Provider Name

pfSense

Additional Information


 

Remote Logging With Syslog

Log Settings

System Logs Documentation

 

Please note that Huntress provides third party vendor instructions as a best effort to expedite onboarding. Vendor documentation and versions frequently change and so it may be necessary to find the appropriate documentation for syslog logging for your version of the vendor software or service.

Please note the link in the Vendor Links above to the latest documentation at the time of this writing.

Please note that because of the way pfSense combines multiple logs it can take considerable time for the syslog to change from "Syslog-Generic" to "Syslog-pfSense". If the log type doesn't change over within 24 hours please contact us support@huntress.com

Device Configuration Checklist

  1. Configure Remote Logging
    1. Log into the pfSense GUI
    2. Click Status
    3. Click System Logs
    4. Click Settings
    5. Scroll down to Remote Logging Options and check the box to Enable Remote Logging
    6. Select an appropriate Source Address (usually the same subnet as the Huntress Agent enabled for syslog collection)
    7. Set IP Protocol to IPv4
    8. Add the Internal IP address of the Huntress Agent in the format x.x.x.x:514
    9. In the Remote Syslog Contents section, check the following boxes:
      • System
      • Firewall
      • DNS
      • DHCP
      • General Auth
      • Captive Portal
      • NTP
  2. Configure Global Log Settings
    1. Click Status
    2. Click System Logs
    3. Click Settings
    4. Set the Log Message Format to syslog (RFC 5424)
    5. Find the following options and ensure they are checked:
      • Log Packets from Default Block Rules
      • Log Packets from Block Bogon Network Rules
      • Log Packets from Block Private Network Rules
      • Log Configuration Changes
    6. Find the following options and ensure they are unchecked:
      • Log Packets from Default Pass Rule
      • Web Server Log 
    7. Click Save
  1.  

Related articles