Skip to main content

Syslog - pfSense

Jason Phelps
  • Updated

TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: Firewall Syslog
ENVIRONMENT: pfSense
SUMMARY: Configuration Guide for pfSense firewalls

This page only covers the device-specific configuration, you'll still need to read Huntress Managed SIEM Syslog Guide to complete the Huntress Managed SIEM setup as well as opening a port in Microsoft Defender Firewall.

Vendor Information

Vendor

pfSense

Supported Model Name/Number

N/A

Supported Software Version(s)

CE - 2.7.1 and higher

Plus - 23.09.1 and higher

Collection Method

Syslog

Provider Name

pfSense

Additional Information

https://docs.netgate.com/pfsense/en/latest/monitoring/logs/remote.html

https://docs.netgate.com/pfsense/en/latest/monitoring/logs/settings.html

https://docs.netgate.com/pfsense/en/latest/monitoring/logs/index.html

 

 

Please note that because of the way pfSense combines multiple logs it can take considerable time for the syslog to change from "Syslog-Generic" to "Syslog-pfSense". If the log type doesn't change over within 24 hours please contact us support@huntress.com

 

Device Configuration Checklist

  1. Configure Remote Logging

    1. Log into the pfSense GUI

    2. Click Status
    3. Click System Logs
    4. Click Settings
    5. Scroll down to Remote Logging Options and check the box to Enable Remote Logging
    6. Select an appropriate Source Address (usually the same subnet as the Huntress Agent enabled for syslog collection)
    7. Set IP Protocol to IPv4
    8. Add the IP address of the Huntress Agent in the format x.x.x.x:514
    9. In the Remote Syslog Contents section, check the following boxes:
      • System
      • Firewall
      • DNS
      • DHCP
      • General Auth
      • Captive Portal
      • NTP
  2. Configure Global Log Settings
    1. Click Status
    2. Click System Logs
    3. Click Settings
    4. Set the Log Message Format to syslog (RFC 5424)
    5. Find the following options and ensure they are checked:
      • Log Packets from Default Block Rules
      • Log Packets from Block Bogon Network Rules
      • Log Packets from Block Private Network Rules
      • Log Configuration Changes
    6. Find the following options and ensure they are unchecked:
      • Log Packets from Default Pass Rule
      • Web Server Log 
    7. Click Save
        1.  

Related articles