Recently I had to enable logging for several firewall rules on a pfSense box. Of course, this was going to increase the volume of logs and possibly fill the 4GB compact flash card pfSense is installed on.
Fortunately, pfSense makes it very easy to send logs to a remote syslog server. In my case the remote syslog server is a Windows system running Kiwi Syslog Server as a service.
Note: pfSense outputs all logs in standard syslog format.
Aside from preventing the logs from using all the available space on the firewall, it's good practice to centralize all logs in a single system. It's easier than having to access each network device to view the logs it contains.
Install and configure the Syslog server
First you need to download Kiwi Syslog Server from its home page at Kiwisyslog.com. You can choose between the paid version (only $245 USD) or the Free version; registration is necessary in order to access either. The paid version comes with a web interface for access from anywhere, to name just one of its advantages.
Once the download is complete you will notice two .msi files and one .exe. Only run Kiwi_Syslog_Server_9.1.0.setup; this is the file that starts the syslog server installation.
Agree with the END USER LICENSE AGREEMENT.
Now you get to decide whether the Syslog server should run as a Service or an Application. If the Syslog server is supposed to run 24/7 then you want to choose Install Kiwi Syslog Server as a Service; otherwise, Install Kiwi Syslog as an Application will depend on a user logging in. Click on Next when done.
You need to be an Administrator in order to install the service. My account is part of the Administrators group, so I am using the LocalSystem account. Click on Next when done.
If you are installing the paid version of Kiwi Syslog Server then by all means install the web GUI; the free version does not come with web access. I chose not to install it. Click on Next when done.
This window provides mainly optional components to install.
Go with the defaults on this one.
Click on Finish and wait for Kiwi Syslog to be launched. However, because we haven't configured pfSense to syslog to a remote server yet, Kiwi Syslog Server will display nothing. You might not want to launch it at all.
Let’s move over to the pfSense side.
Log on to the pfSense administration page. On the menu bar at the top of the page, hover the mouse over Status and from the drop-down menu click on System logs.
Once you are in the System logs page click on the Settings tab.
In this section of the page you want to check the box belonging to "Enable syslog'ing to remote syslog server". Enter the IP address of the remote server, then decide what information will be sent to the server by checking the necessary boxes according to your needs. I only need the "Firewall events" to be sent. Click on Save.
To start viewing the logs, start the console by going to Start > All Programs > SolarWinds Kiwi Syslog Server > Kiwi Syslog Server Console.
You should see the output from pfSense almost immediately.
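If nothing shows up in the console, it helps to know what "standard syslog format" actually looks like on the wire, and to have a quick way to confirm that datagrams from pfSense are reaching the Windows host at all. The script below is an added example written for this post; it is not part of pfSense or Kiwi Syslog Server. It parses the BSD syslog layout (<PRI>timestamp host tag[pid]: message, PRI = facility*8 + severity), summarizes a batch of lines by host, program and severity, and can optionally act as a bare-bones UDP receiver on the syslog port. The sample lines are constructed for the example and are not real pfSense output; the hostname, program tags and message bodies are placeholders.

```python
import re
import socket
from collections import Counter
from typing import Dict, List, Optional, Union

# Facility and severity names as numbered in RFC 3164 section 4.1.1.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD syslog layout: <PRI>Mmm dd HH:MM:SS HOSTNAME TAG[PID]: CONTENT
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<content>.*)$",
    re.S,
)

# Constructed sample datagrams (placeholders, not captured pfSense output).
SAMPLE_LINES = [
    "<134>Mar  1 12:00:00 pfSense filterlog[8214]: constructed firewall event 1",
    "<134>Mar  1 12:00:01 pfSense filterlog[8214]: constructed firewall event 2",
    "<37>Mar  1 12:00:02 pfSense sshd[911]: constructed auth event",
    "this line has no PRI header and should be reported as unparsed",
]


def parse_syslog(raw: Union[bytes, str]) -> Optional[Dict[str, object]]:
    """Split one syslog datagram into fields; return None if it is not BSD syslog."""
    text = raw.decode("utf-8", errors="replace") if isinstance(raw, bytes) else raw
    m = _SYSLOG_RE.match(text.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility would be > 23: not a valid PRI
        return None
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "content": m.group("content"),
    }


def summarize(lines: List[Union[bytes, str]]) -> Dict[str, int]:
    """Count messages per host/program/severity; unparsable lines are counted too."""
    counts: Counter = Counter()
    for line in lines:
        event = parse_syslog(line)
        key = "unparsed" if event is None else f"{event['host']}/{event['tag']}/{event['severity']}"
        counts[key] += 1
    return dict(counts)


def serve(bind_addr: str = "0.0.0.0", port: int = 514) -> None:
    """Receive UDP syslog datagrams and print them parsed. Binding port 514 needs
    administrator rights, and Kiwi must be stopped first or the bind will fail."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (src, _) = sock.recvfrom(65535)
            event = parse_syslog(data)
            if event is None:
                print(f"unparsed datagram from {src}: {data[:80]!r}")
                continue
            print(f"{src} {event['facility']}.{event['severity']} {event['host']} "
                  f"{event['tag']}: {event['content']}")


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; run serve() to listen live.
    for key, n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{n:4d}  {key}")
```

Running the script as-is only processes the constructed sample; calling serve() (with Kiwi stopped, since both cannot bind UDP 514) shows whether the firewall's datagrams arrive and how pfSense fills in the facility, severity and program tag, which is what Kiwi's filters key on. Because plain UDP syslog is neither authenticated nor encrypted, the Windows firewall on the collector should only accept port 514 from the pfSense address.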
As you can see, the set-up was straightforward and simple to implement. In a future post I will cover Kiwi Syslog Server in depth. Thanks for reading.