pfSense is an open source firewall solution. This topic describes how to configure pfSense to send system logs to via Filebeat running on a dedicated server.

Before you begin, you'll need:

  • pfSense installed and configured on your machine
  • an active account with
  • Filebeat installed on your machine
  • Root privileges on your machines

Configure pfSense to send syslog notifications to a remote Syslog server running Filebeat

  1. On your pfSense firewall web interface, go to Status > System logs > Settings.

  2. On the Settings tab, locate the General Logging Options area and enable the following configuration:

    • Log message format - syslog (RFC 5424, with RFC 3339 microsecond-precision timestamps)

  3. On the Settings tab, locate the Remote Logging Options area and enable the following configuration:

    • Enable Remote Logging - Yes
    • Source Address - Any
    • IP Protocol - IPv4
    • Remote log servers - <<ADDRESS-OF-YOUR-FILEBEAT-SERVER>>:514. This is the address of your dedicated server running Filebeat.
    • Remote Syslog Content - Everything

By default, syslog will be forwarded over port 514. Feel free to adjust this, based on your preference or availability, but be sure to note any change to this port in the Filebeat configuration.

Download the public certificate to your credentials server

For HTTPS shipping, download the public certificate to your certificate authority folder.

sudo curl --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt

Configure Filebeat

Filebeat requires a file extension specified for the log input.

  1. Paste the following into the inputs section of the Filebeat configuration file:

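    filebeat.inputs:
    - type: udp
      max_message_size: 10MiB
      # Listen address for syslog from pfSense (0.0.0.0 = all interfaces).
      # The port must match the one set under Remote log servers (514 by default).
      host: "0.0.0.0:514"
      fields:
        logzio_codec: plain
        # Your account token. You can find your token at
        token: <<LOG-SHIPPING-TOKEN>>
        type: pfsense
      fields_under_root: true
      encoding: utf-8
      ignore_older: 3h

    filebeat.registry.path: /var/lib/filebeat

    # Rename fields that would otherwise collide with Filebeat's own metadata.
    processors:
    - rename:
        fields:
        - from: "agent"
          to: "filebeat_agent"
        ignore_missing: true
    - rename:
        fields:
        - from: "log.file.path"
          to: "source"
        ignore_missing: true

    # Ship over TLS, validating the listener against the downloaded certificate.
    output.logstash:
      hosts: ["<<LISTENER-HOST>>:5015"]
      ssl:
        certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']

    • Replace <<ADDRESS-OF-YOUR-FILEBEAT-SERVER>> with the address of your server running Filebeat.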
    • Your log shipping token directs the data securely to your Log Management account. The default token is auto-populated in the examples when you're logged into the app as an Admin. Manage your tokens.
    • Replace <<LISTENER-HOST>> with the host for your region. For example, if your account is hosted on AWS US East, or if hosted on Azure West Europe.
  2. Run Filebeat with the new configuration.

Check for your logs

Give your logs some time to get from your system to ours, and then open Open Search Dashboards. You can filter for data of type pfsense to see the incoming pfSense logs.

If you still don't see your logs, see Filebeat troubleshooting.
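
To check the path from the syslog port to Filebeat without waiting on firewall traffic, the following added example (not part of the original instructions) builds one line in the format selected in step 2, RFC 5424 with an RFC 3339 microsecond timestamp, sends it over UDP, and can also confirm that a captured line is in that format rather than the older BSD one. The host name `fw-test`, the app name `pipeline-check` and the message text are assumptions made for the example.

```python
import re
import socket
from datetime import datetime, timezone

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
# Structured data is matched loosely (no escape handling); enough for a format check.
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 "
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|\[.*?\])(?: (?P<msg>.*))?$",
    re.DOTALL,
)

def build_message(msg, host="fw-test", app="pipeline-check",
                  facility=16, severity=6, now=None):
    """Return one RFC 5424 line with a microsecond RFC 3339 UTC timestamp."""
    now = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    ts = now.strftime("%Y-%m-%dT%H:%M:%S.%f") + "Z"
    pri = facility * 8 + severity          # local0.info by default
    return f"<{pri}>1 {ts} {host} {app} - - - {msg}"

def parse_message(line):
    """Split an RFC 5424 line into fields; None if it is not in that format."""
    m = RFC5424.match(line)
    if not m:
        return None                        # e.g. BSD (RFC 3164) format
    fields = m.groupdict()
    pri = int(fields.pop("pri"))
    if pri > 191:                          # highest valid PRI: facility 23, severity 7
        return None
    fields["facility"], fields["severity"] = divmod(pri, 8)
    return fields

def send_test(server, port=514, msg="filebeat pipeline test"):
    """Send one test line over UDP to the Filebeat listener; return the line sent."""
    line = build_message(msg)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (server, port))
    return line

if __name__ == "__main__":
    import sys
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 514
    print(send_test(sys.argv[1], port))
```

Run it with the Filebeat server address and, if you changed it, the port; the test line should then appear under type pfsense with the app name `pipeline-check`.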