pfSense is an open source firewall solution. This topic describes how to configure pfSense to send system logs to Logz.io via Filebeat running on a dedicated server.
Before you begin, you’ll need:
- pfSense installed and configured on your machine
- an active account with Logz.io
- Filebeat installed on your machine
- Root privileges on your machines
Configure pfSense to send syslog notifications to a remote Syslog server running Filebeat
- On your pfSense firewall web interface, go to Status > System logs > Settings.
- On the Settings tab, locate the General Logging Options area and enable the following configuration:
  - Log message format - syslog (RFC 5424, with RFC 3339 microsecond-precision timestamps)
- On the Settings tab, locate the Remote Logging Options area and enable the following configuration:
  - Enable Remote Logging - Yes
  - Source Address - Any
  - IP Protocol - IPv4
  - Remote log servers - <<ADDRESS-OF-YOUR-FILEBEAT-SERVER>>:514. This is the address of your dedicated server running Filebeat.
  - Remote Syslog Content - Everything
By default, syslog will be forwarded over port 514. Feel free to adjust this, based on your preference or availability, but be sure to note any change to this port in the Filebeat configuration.
Download the Logz.io public certificate to your credentials server
For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.
sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Configure Filebeat
Filebeat requires a file extension specified for the log input.
- Paste the following into the inputs section of the Filebeat configuration file:
filebeat.inputs:
- type: udp
  max_message_size: 10MiB
  host: "<<ADDRESS-OF-YOUR-FILEBEAT-SERVER>>:514"
  fields:
    logzio_codec: plain
    # Your Logz.io account token. You can find your token at
    # https://app.logz.io/#/dashboard/settings/manage-accounts
    token: <<LOG-SHIPPING-TOKEN>>
    type: pfsense
  fields_under_root: true
  encoding: utf-8
  ignore_older: 3h
filebeat.registry.path: /var/lib/filebeat
processors:
- rename:
    fields:
    - from: "agent"
      to: "filebeat_agent"
    ignore_missing: true
- rename:
    fields:
    - from: "log.file.path"
      to: "source"
    ignore_missing: true
output.logstash:
  hosts: ["<<LISTENER-HOST>>:5015"]
  ssl:
    certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']
- Replace <<ADDRESS-OF-YOUR-FILEBEAT-SERVER>> with the address of your server running Filebeat.
- Your Logz.io log shipping token directs the data securely to your Logz.io Log Management account. The default token is auto-populated in the examples when you're logged into the Logz.io app as an Admin. Manage your tokens.
- Use the listener URL specific to the region where your Logz.io account is hosted. Click to look up your listener URL. The required port depends on whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.
- Run Filebeat with the new configuration.
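To check, before looking in Logz.io, that the UDP input is reachable and that what arrives really is RFC 5424 with the RFC 3339 microsecond timestamps selected above, here is an added example (not part of this page or of Logz.io's tooling): a small parser that validates one line in that format, plus a sender for a constructed test datagram. The hostname, app name and message text in SAMPLE are made up for the example.

```python
import re
import socket
from datetime import datetime

# Constructed sample in the shape pfSense emits with "syslog (RFC 5424, with
# RFC 3339 microsecond-precision timestamps)" selected. Host/app/message are
# placeholders for this example, not real pfSense output.
SAMPLE = ("<134>1 2024-05-01T12:34:56.123456+00:00 pfsense-fw example - - - "
          "constructed test message")

# RFC 5424 header: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)
# RFC 3339 with exactly six fractional digits, as the pfSense option produces.
RFC3339_USEC = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}(Z|[+-]\d{2}:\d{2})$"
)


def parse_rfc5424(line: str) -> dict:
    """Split one line into fields; raise ValueError when the framing or the
    timestamp does not match the format pfSense was configured to send (for
    example a legacy BSD-style line, which would indicate the wrong setting)."""
    m = RFC5424.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header")
    if not RFC3339_USEC.match(m["ts"]):
        raise ValueError("timestamp is not RFC 3339 with microsecond precision")
    pri = int(m["pri"])
    ts = m["ts"].replace("Z", "+00:00")  # older Pythons reject a bare 'Z'
    return {
        "facility": pri // 8,          # e.g. 16 = local0
        "severity": pri % 8,           # e.g. 6 = informational
        "timestamp": datetime.fromisoformat(ts),
        "host": m["host"],
        "app": m["app"],
        "msg": m["msg"],
    }


def send_test_message(host: str, port: int = 514, line: str = SAMPLE) -> int:
    """Send one datagram to the Filebeat udp input (port 514 per the config
    above); returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode("utf-8"), (host, port))
```

After sending a test datagram to your own Filebeat server, the same line should show up in Logz.io with type pfsense.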
Check Logz.io for your logs
Give your logs some time to get from your system to ours, and then open OpenSearch Dashboards. You can filter for data of type pfsense to see the incoming pfSense logs.
If you still don’t see your logs, see Filebeat troubleshooting.