pfSense is an open source firewall solution. This topic describes how to configure pfSense to send system logs to Logz.io via Filebeat running on a dedicated server.

Before you begin, you’ll need:

  • pfSense installed and configured on your machine
  • an active account with Logz.io
  • Filebeat 7 installed on your machine
  • Root privileges on your machines

Configure pfSense to send syslog notifications to a remote Syslog server running Filebeat
  1. On your pfSense firewall web interface, go to Status > System Logs > Settings.
  2. On the Settings tab, locate the General Logging Options area and enable the following configuration:

    • Log message format - syslog (RFC 5424, with RFC 3339 microsecond-precision timestamps)
  3. On the Settings tab, locate the Remote Logging Options area and enable the following configuration:

    • Enable Remote Logging - Yes
    • Source Address - Any
    • IP Protocol - IPV4
    • Remote log servers - <<ADDRESS-OF-YOUR-FILEBEAT-SERVER>>:514. This is the address of your dedicated server running Filebeat.
    • Remote Syslog Contents - Everything

By default, syslog is forwarded over port 514. You can choose a different port if you prefer or if 514 is already in use, but the same port must then appear in the host setting of the Filebeat udp input below.
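pfSense forwards this stream as plain UDP with no authentication, so before pointing Filebeat at it, it is worth confirming what actually arrives on the Filebeat server and that it carries the RFC 5424 format and microsecond timestamps selected above. The following Python script is an added example, not part of the Logz.io documentation or of Filebeat; the sample line, hostname and process id in it are constructed.

```python
import re
import socket
from datetime import datetime

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+) ?(?P<msg>.*)$",
    re.DOTALL,
)

# Constructed sample of what pfSense emits with the settings above (not a real capture).
SAMPLE = ("<134>1 2024-05-01T12:34:56.123456+00:00 pfSense.example.net filterlog "
          "54321 - - constructed-sample-message")

def parse_rfc5424(line: str) -> dict:
    """Split one syslog line into its RFC 5424 fields; ValueError if malformed."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError(f"not an RFC 5424 message: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # highest legal PRI: facility 23 * 8 + severity 7
        raise ValueError(f"PRI out of range: {pri}")
    ts = m["ts"]
    return {
        "facility": pri >> 3,  # PRI = facility * 8 + severity
        "severity": pri & 7,
        "version": int(m["version"]),
        "timestamp": None if ts == "-" else datetime.fromisoformat(ts.replace("Z", "+00:00")),
        # True only if the RFC 3339 stamp carries the microsecond fraction pfSense was set to send
        "microsecond_ts": bool(re.search(r"\.\d{6}(?!\d)", ts)),
        "hostname": m["host"], "appname": m["app"], "procid": m["procid"],
        "msgid": m["msgid"], "structured_data": m["sd"], "msg": m["msg"],
    }

def receive(bind_addr: str, port: int = 514, count: int = 5) -> list:
    """Bind UDP as Filebeat's udp input will and parse `count` datagrams; the sender
    address is kept per record so that an unexpected source stands out."""
    records = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))  # port 514 needs root, hence the prerequisite above
        while len(records) < count:
            data, peer = sock.recvfrom(65535)
            try:
                rec = parse_rfc5424(data.decode("utf-8", errors="replace"))
            except ValueError as exc:
                rec = {"error": str(exc)}
            rec["peer"] = peer[0]
            records.append(rec)
    return records
```

Run receive() only while Filebeat is stopped (or on a different port), since both cannot bind UDP 514 at the same time.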

Download the Logz.io public certificate to your Filebeat server

For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.

    sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt

Configure Filebeat
  1. Paste the following into the inputs section of the Filebeat configuration file:

    filebeat.inputs:
    - type: udp
      max_message_size: 10MiB
      host: "<<ADDRESS-OF-YOUR-FILEBEAT-SERVER>>:514"
      fields:
        logzio_codec: plain
        # Your Logz.io account token. You can find your token at
        #  https://app.logz.io/#/dashboard/settings/manage-accounts
        token: <<LOG-SHIPPING-TOKEN>>
        type: pfsense
      fields_under_root: true
      encoding: utf-8
      ignore_older: 3h
    filebeat.registry.path: /var/lib/filebeat
    processors:
    - rename:
        fields:
        - from: "agent"
          to: "filebeat_agent"
        ignore_missing: true
    - rename:
        fields:
        - from: "log.file.path"
          to: "source"
        ignore_missing: true
    output.logstash:
      hosts: ["<<LISTENER-HOST>>:5015"]
      ssl:
        certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']
    
    • Replace <<ADDRESS-OF-YOUR-FILEBEAT-SERVER>> with the address of your server running Filebeat.
    • Your Logz.io log shipping token directs the data securely to your Logz.io Log Management account. The default token is auto-populated in the examples when you’re logged into the Logz.io app as an Admin. Manage your tokens.
    • Use the listener URL specific to the region where your Logz.io account is hosted. Click to look up your listener URL.
  2. Run Filebeat with the new configuration.

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Kibana. You can filter for data of type pfsense to see the incoming pfSense logs.

If you still don’t see your data, see log shipping troubleshooting.