viewing pfSense 2.3 syslog in ELSA


Walter White

Mar 5, 2017, 9:37:30 AM
to security-onion
My setup
Running SO 14.04.5.2 as a VirtualBox guest on a Linux Mint host.

I am forwarding my pfSense 2.3 syslog over to SO and have confirmed that they are being received on port 514 by running tcpdump.

Now I am trying to view them in ELSA, but the only data that I see is from the loopback (127.0.0.1). What do I need to do in ELSA to view the correct interface (eth0)?

Wes

Mar 5, 2017, 1:19:41 PM
to security-onion

Walter,

Did you make sure to run so-allow to allow traffic to port 514 from your pfSense box?

https://github.com/Security-Onion-Solutions/security-onion/wiki/Firewall#so-allow

Thanks,
Wes

Walter White

Mar 5, 2017, 1:24:29 PM
to security-onion

Yes, I actually opened both UDP/TCP to receive from anywhere:

Status: active

To Action From
-- ------ ----
22/tcp ALLOW Anywhere
514/udp ALLOW Anywhere
514/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
514/udp (v6) ALLOW Anywhere (v6)
514/tcp (v6) ALLOW Anywhere (v6)

Wes

Mar 5, 2017, 1:46:01 PM
to security-onion

Walter,

Do you see the source IP if you click the Host Logs-->Syslog-NG (Host) query on the left side of the screen in ELSA?

Thanks,
Wes

Walter White

Mar 5, 2017, 1:53:24 PM
to security-onion
No, I only see localhost 127.0.0.1

Wes

Mar 5, 2017, 2:20:53 PM
to security-onion
On Sunday, March 5, 2017 at 1:53:24 PM UTC-5, Walter White wrote:
> No, I only see localhost 127.0.0.1

Walter,

The following may be helpful:

https://groups.google.com/d/msg/security-onion/SAOxU-zFKhA/WftQFzQm0NgJ

https://web.archive.org/web/20160613045822/http://www.securitygrit.com/2013/03/pfsense-into-elsa.html

Thanks,
Wes


Walter White

Mar 5, 2017, 2:40:23 PM
to security-onion
Are those links still valid? I'm on pfSense 2.3 and I thought the parsing issue was resolved as of v2.2 - https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2

Wes

Mar 5, 2017, 3:53:17 PM
to security-onion
On Sunday, March 5, 2017 at 2:40:23 PM UTC-5, Walter White wrote:
> Are those links still valid? I'm on pfSense 2.3 and I thought the parsing issue was resolved as of v2.2 - https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2

Probably not -- apologies.

You could also try (temporarily) setting another destination for syslog in syslog-ng.conf to see if your syslog sent from your pfsense box gets written there:


From https://groups.google.com/d/msg/security-onion/bw67Y82l_V0/2xexRtREDgAJ :

"If you want to independently archive and inspect all the raw syslog records coming from your network, you will need to configure SO's syslog-ng to write them all to a text file by adding something like this to /etc/syslog-ng/syslog-ng.conf:

# destination name must match in both statements, otherwise syslog-ng rejects the config
destination d_network_syslog { file("/var/log/network_syslog.log"); };
log { source(s_network); destination(d_network_syslog); };"

Afterwards, restart syslog-ng

service syslog-ng restart

Also, please attach the output of sostat-redacted for the affected Security Onion box, attaching as a plain text file, or using a service like Pastebin.com

Thanks,
Wes
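Before touching syslog-ng.conf, it is worth checking the path from the sender independently of syslog-ng and ELSA, and in particular separating two things that are easy to conflate in a "host" column: the IP address the datagram actually arrived from, and the hostname carried inside the syslog header. The script below is an added example written for this thread, not code from the Security Onion project; it builds an RFC 3164 style datagram with a constructed pfSense-style filterlog payload, sends it to a throwaway UDP listener on loopback (port chosen by the OS, so no privileges are needed), and parses PRI, hostname and tag from what arrives. The hostname "pfSense.lab" and the filterlog field values are made up.

```python
"""Send a constructed pfSense-style syslog datagram over UDP and parse what
arrives. Added example for the Security Onion / ELSA thread; it is not part
of Security Onion or syslog-ng. Hostnames and payload values are constructed."""
import re
import socket

# RFC 3164 facilities/severities: PRI = facility * 8 + severity.
LOCAL0, INFO = 16, 6

# <PRI>TIMESTAMP HOST TAG: MSG, e.g. "<134>Mar  5 09:37:30 pfSense.lab filterlog: ..."
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$"
)


def build_syslog_datagram(hostname, tag, message, facility=LOCAL0, severity=INFO):
    """Return an RFC 3164 style datagram as bytes."""
    pri = facility * 8 + severity
    timestamp = "Mar  5 09:37:30"  # constructed; a real sender stamps the current time
    return f"<{pri}>{timestamp} {hostname} {tag}: {message}".encode()


def parse_syslog_datagram(raw):
    """Split a datagram into facility, severity, header hostname, tag and message.
    Returns None when the packet does not look like RFC 3164 syslog."""
    m = _SYSLOG_RE.match(raw.decode("utf-8", errors="replace"))
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "host": m.group("host"),  # hostname written by the sender, NOT the packet source
        "tag": m.group("tag"),
        "msg": m.group("msg"),
    }


def send_and_receive(datagram, listen_host="127.0.0.1", listen_port=0, timeout=2.0):
    """Bind a throwaway UDP listener, send one datagram to it and return
    (source_ip_seen_by_listener, parsed_datagram). listen_port=0 lets the OS
    pick a free unprivileged port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind((listen_host, listen_port))
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
            sender.sendto(datagram, (listen_host, port))
        data, (peer_ip, _) = listener.recvfrom(65535)
    return peer_ip, parse_syslog_datagram(data)


if __name__ == "__main__":
    # Constructed filterlog-style payload; field values are illustrative only.
    payload = "5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.7,203.0.113.10"
    dgram = build_syslog_datagram("pfSense.lab", "filterlog", payload)
    src_ip, parsed = send_and_receive(dgram)
    print("packet source address:", src_ip)
    print("hostname in syslog header:", parsed["host"])
    print("facility/severity:", parsed["facility"], parsed["severity"])
```

Run it on the Security Onion box and compare the two printed values: the source address is what a listener (or tcpdump) sees on the wire, while the header hostname is whatever the firewall put in the message. If a collector records the former and the message was relayed through a local process, the only address it will ever show is 127.0.0.1, so knowing which of the two a given display column reflects is the first thing to establish.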

Walter White

Mar 5, 2017, 6:47:17 PM
to security-onion
I'll look into your suggestions when I have a chance. In the meantime here is the attachment. Thanks for your help.

sostat-redacted.txt

Walter White

Mar 6, 2017, 2:03:13 AM
to security-onion
I added the following to syslog-ng.conf at the end of the defined destinations.

# Write to txt
destination d_network_syslog { file("/var/log/network_syslog.log"); };
log { source(s_network); destination(d_network_syslog); };

--------------------------------------------------------------------------------

I restarted syslog-ng and everything comes up fine. Ran tcpdump and can see pfSense data. Nothing is writing to "/var/log/network_syslog.log"

Wes

Mar 6, 2017, 6:42:30 PM
to security-onion

Walter,

Have you tried comparing to a fresh install? Have you tried forwarding syslog from anywhere else?

Thanks,
Wes

Heisenberg1977

Mar 7, 2017, 5:28:18 AM
to security-onion
This was a fresh SO build for my home lab that I am using for malware analysis. As a side project I figured that I would try to use ELSA as a remote syslog server to onboard my pfSense logs. My next approach will be to spin up a VM to see if I have any better luck with Graylog. Based on the results I will revisit this at some point.