pfSense, a powerful open-source firewall and router platform, includes robust logging capabilities. By default, pfSense stores logs locally, but for enhanced monitoring, compliance, or centralized log management, you may want to forward logs to a remote syslog server. This guide walks you through configuring pfSense to send its logs to a remote syslog server.
Why Use a Remote Syslog Server?
Centralized logging offers several advantages:
• Enhanced Monitoring: Simplifies the correlation of logs from multiple devices.
• Compliance: Meets regulatory requirements for secure and centralized log storage.
• Data Redundancy and Tamper Resistance: Protects logs in case of hardware failure on the pfSense device, and an attacker who later compromises the firewall cannot erase copies that have already been shipped off-box.
• Ease of Analysis: Enables advanced analytics using tools like Graylog, ELK Stack, or Splunk.
Step-by-Step Configuration
Step 1: Create your location in LogCentral
Before configuring pfSense, create and enable your location in LogCentral. You'll be given an IPv4 / IPv6 address and a port; note them down, as these are the values you will point your pfSense router at in Step 3.
Step 2: Access the pfSense Web Interface
1. Log in to the pfSense web interface using your administrator credentials.
2. Navigate to Status > System Logs to confirm logs are being generated locally.
Step 3: Configure Remote Logging
1. Go to Status > System Logs > Settings.
2. Scroll down to the Remote Logging Options section.
3. Configure the following fields:
• Enable Remote Logging: Check this box to activate remote logging.
• Remote Log Servers: Enter the IP address or hostname of the remote syslog server, optionally followed by the port number (e.g., 192.168.1.10:514). If no port is given, pfSense uses 514. Up to three servers can be listed; for LogCentral, use the address and port from Step 1.
• Remote Syslog Contents: Select which log categories to send (e.g., Firewall Events, DHCP, VPN). Check only what you need: the firewall log in particular is high volume, and selecting Everything on a busy edge can flood the syslog server.
• Transport and Source Address: pfSense's built-in syslogd forwards over UDP only, in cleartext and without authentication, so there is no TCP or TLS selector in this dialog. Treat the path to the collector as sensitive: keep it on a management network or inside a VPN/IPsec tunnel, or install the syslog-ng package if you need TCP or TLS delivery. If pfSense has several interfaces, set Source Address so the logs leave via the intended interface and the collector sees a consistent source IP that it can allow-list.
4. Click Save.
Step 4: Test Connectivity
After saving the configuration:
1. Confirm the syslog server is receiving logs. On the collector, run tail -f /var/log/syslog (or /var/log/messages on RHEL-family systems) to watch incoming messages, or tcpdump -ni any udp port 514 to see the datagrams arrive even before the syslog daemon is configured.
2. Generate events in pfSense, such as connecting to a port covered by a block rule that logs (the default deny rules log by default; custom rules only log if Log packets is enabled on the rule) or restarting a service, and confirm the entries appear on the collector.
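Once entries arrive, the firewall ones are pfSense's filterlog CSV payloads wrapped in a syslog header, and checking them by eye gets old quickly. The parser below is an added example for this guide (not pfSense's or LogCentral's code): it splits filterlog lines in the field order pfSense documents, skips non-filterlog messages such as dhcpd, and counts blocked inbound connections per source, which is a quick way to confirm the forwarded feed is both arriving and usable. The sample lines are constructed for illustration, not captured from a real box.

```python
"""Parse pfSense filterlog lines as they arrive on the collector.

Added example for this guide; it is not pfSense's or LogCentral's code.
Field order follows pfSense's documented filterlog CSV format. The sample
lines below are constructed for illustration, not captured from a real box.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in BSD syslog framing, as a collector stores them.
SAMPLE_LINES = [
    "Mar  9 12:00:01 pfSense filterlog[63208]: 5,,,1000000103,em0,match,block,in,4,"
    "0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51234,22,0,S,1234567890,,65535,,mss;sackOK;TS;nop;wscale",
    "Mar  9 12:00:02 pfSense filterlog[63208]: 5,,,1000000103,em0,match,block,in,4,"
    "0x0,,64,0,0,DF,17,udp,78,203.0.113.5,192.0.2.10,40000,161,58",
    "Mar  9 12:00:03 pfSense filterlog[63208]: 70,,,1552000004,em1,match,pass,out,4,"
    "0x0,,128,0,0,DF,6,tcp,52,192.0.2.50,198.51.100.7,49152,443,0,S,987654321,,8192,,mss;nop;wscale",
    "Mar  9 12:00:04 pfSense filterlog[63208]: 5,,,1000000103,em0,match,block,in,6,"
    "0x00,0x00000,64,udp,17,40,2001:db8::1,2001:db8:1::10,5353,5353,40",
    "Mar  9 12:00:05 pfSense dhcpd[1234]: DHCPACK on 192.0.2.77 to 00:11:22:33:44:55 via em1",
]

# BSD syslog header: "Mmm dd hh:mm:ss host app[pid]: message"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<host>\S+)\s"
    r"(?P<app>[\w.-]+)\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)


@dataclass
class FilterEvent:
    rule: str
    tracker: str
    iface: str
    action: str
    direction: str
    ip_version: int
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    tcp_flags: Optional[str] = None


def parse_filterlog(msg: str) -> FilterEvent:
    """Split one filterlog CSV payload into a FilterEvent."""
    f = msg.split(",")
    # Common prefix: rule, sub-rule, anchor, tracker, interface, reason,
    # action, direction, ip-version
    rule, _sub, _anchor, tracker, iface, _reason, action, direction, ipver = f[:9]
    ip_version = int(ipver)
    if ip_version == 4:
        # tos, ecn, ttl, id, offset, flags, proto-id, proto-text, length, src, dst
        proto, src, dst, rest = f[16], f[18], f[19], f[20:]
    elif ip_version == 6:
        # class, flow-label, hop-limit, proto-text, proto-id, length, src, dst
        proto, src, dst, rest = f[12], f[15], f[16], f[17:]
    else:
        raise ValueError(f"unexpected IP version {ipver!r}")
    ev = FilterEvent(rule, tracker, iface, action, direction, ip_version, proto, src, dst)
    # Transport section: tcp -> sport,dport,datalen,flags,...; udp -> sport,dport,datalen
    if proto in ("tcp", "udp") and len(rest) >= 2:
        ev.sport, ev.dport = int(rest[0]), int(rest[1])
        if proto == "tcp" and len(rest) >= 4:
            ev.tcp_flags = rest[3]
    return ev


def parse_syslog_lines(lines: List[str]) -> List[FilterEvent]:
    """Return FilterEvents for every filterlog line; other apps are skipped."""
    events = []
    for line in lines:
        m = HEADER_RE.match(line)
        if m and m.group("app") == "filterlog":
            events.append(parse_filterlog(m.group("msg")))
    return events


def blocked_inbound_by_source(lines: List[str]) -> Counter:
    """Count blocked inbound events per source address, a basic scan/noise view."""
    return Counter(
        ev.src for ev in parse_syslog_lines(lines)
        if ev.action == "block" and ev.direction == "in"
    )


if __name__ == "__main__":
    for ev in parse_syslog_lines(SAMPLE_LINES):
        print(f"{ev.action:5} {ev.direction:3} {ev.iface} {ev.proto} "
              f"{ev.src}:{ev.sport} -> {ev.dst}:{ev.dport} flags={ev.tcp_flags}")
    print(blocked_inbound_by_source(SAMPLE_LINES).most_common(3))
```

Pipe real lines from the collector's log file into parse_syslog_lines to use it on live data; the IPv4 and IPv6 branches differ because pfSense orders the protocol text and protocol id fields differently for the two families, which is the usual cause of off-by-one mistakes in home-grown filterlog parsers.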
Step 5: Fine-Tune Your Configuration
• Adjust Log Retention: If your remote server supports retention policies, configure them to manage storage.
• Use Log Filters: Reduce noise by selecting only critical log categories for forwarding.
• Monitor Performance: High-volume logging might impact network or pfSense performance. Balance logging verbosity and resource usage.
Troubleshooting Tips
If you encounter issues:
• Verify Connectivity: Check that pfSense can reach the syslog server using Diagnostics > Ping. Note that telnet only tests TCP; to confirm UDP syslog traffic, run Diagnostics > Packet Capture on pfSense filtered on the syslog port while tcpdump runs on the collector, and confirm the datagrams both leave pfSense and arrive at the collector.
• Firewall Rules: Ensure no firewall rules block traffic between pfSense and the syslog server on the specified port, including outbound rules on the pfSense interface facing the collector and the host firewall on the collector itself.
• Review Logs: Look for errors in the pfSense logs under Status > System Logs > General.
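Because UDP gives no acknowledgement, the most direct troubleshooting step is to send a known test message from a host that can reach the collector and watch for it there. The script below is an added example for this section (not pfSense's or LogCentral's code): it frames a message the way a BSD syslogd does (a <PRI> prefix, where PRI = facility * 8 + severity, followed by an RFC 3164 timestamp, hostname and tag), sends it as a UDP datagram to the collector over IPv4 or IPv6, and includes a loopback self-test so you can prove the sender works before blaming the network. COLLECTOR_HOST and COLLECTOR_PORT are placeholders for the values LogCentral gave you.

```python
"""Send a test syslog datagram over UDP and show it arriving.

Added example for the troubleshooting tips in this guide; it is not pfSense's
or LogCentral's code. telnet only exercises TCP, while pfSense's syslogd sends
UDP, so this builds an RFC 3164-style message the way syslogd frames it and
fires it at the collector. COLLECTOR_HOST / COLLECTOR_PORT are placeholders
for the values LogCentral assigned; the loopback self-test needs no network.
"""
import re
import socket
import time
from typing import Optional, Tuple

COLLECTOR_HOST = "192.0.2.10"   # placeholder: the address LogCentral assigned
COLLECTOR_PORT = 514            # placeholder: the port LogCentral assigned

FACILITY_LOCAL0 = 16   # facilities 0-23; local0 is a conventional test choice
SEVERITY_NOTICE = 5    # severities 0 (emerg) to 7 (debug)

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def build_bsd_syslog(facility: int, severity: int, hostname: str, tag: str,
                     text: str, when: Optional[time.struct_time] = None) -> bytes:
    """Frame a message as <PRI>Mmm dd hh:mm:ss host tag: text (RFC 3164)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    pri = facility * 8 + severity
    when = when or time.localtime()
    # RFC 3164 wants the day space-padded, which strftime's %d does not do.
    stamp = f"{time.strftime('%b', when)} {when.tm_mday:2d} {time.strftime('%H:%M:%S', when)}"
    return f"<{pri}>{stamp} {hostname} {tag}: {text}".encode("utf-8")


def parse_pri(datagram: bytes) -> Tuple[int, int]:
    """Recover (facility, severity) from the <PRI> prefix of a datagram."""
    m = PRI_RE.match(datagram)
    if not m:
        raise ValueError("datagram has no <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    return pri // 8, pri % 8


def send_udp(datagram: bytes, host: str, port: int) -> None:
    """Send one datagram; getaddrinfo picks AF_INET or AF_INET6 for the target."""
    family, _, _, _, addr = socket.getaddrinfo(host, port, type=socket.SOCK_DGRAM)[0]
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, addr)


def loopback_self_test() -> Tuple[int, int, str]:
    """Send to a throwaway listener on 127.0.0.1 to prove the sender works."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))           # kernel picks a free port
        listener.settimeout(2.0)
        port = listener.getsockname()[1]
        msg = build_bsd_syslog(FACILITY_LOCAL0, SEVERITY_NOTICE, "testhost",
                               "syslogtest", "loopback probe")
        send_udp(msg, "127.0.0.1", port)
        data, _ = listener.recvfrom(2048)
    facility, severity = parse_pri(data)
    return facility, severity, data.decode("utf-8")


if __name__ == "__main__":
    print("loopback:", loopback_self_test())
    probe = build_bsd_syslog(FACILITY_LOCAL0, SEVERITY_NOTICE, "pfSense",
                             "syslogtest", "pfSense remote logging probe")
    send_udp(probe, COLLECTOR_HOST, COLLECTOR_PORT)
    print("sent to collector:", probe.decode("utf-8"))
```

If the loopback test passes but the probe never shows up on the collector, the problem is between the two hosts (a firewall rule, the collector's host firewall, or the collector listening on a different address or port), not in the message format. Run it with tcpdump -ni any udp port 514 on the collector to see whether the datagram at least arrives on the wire.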
Conclusion
Configuring pfSense to forward logs to a remote syslog server enhances your network’s logging and monitoring capabilities. By centralizing log data, you gain insights into network activity, improve security posture, and simplify compliance efforts. With proper setup and monitoring, this feature can become an integral part of your network management toolkit.