PFLOG and Syslog-NG

[mayers]

Can anyone direct me on how to forward pf firewall logs to syslog-ng thanks

 

[SirDice]

pflogd(8) directly writes to a log file, it doesn't use syslog to log. It writes raw pcap data to the log file.

       pflogd is a background daemon which reads packets logged	by pf(4) to  a
       pflog(4)	 interface,  normally pflog0, and writes the packets to	a log-
       file (normally /var/log/pflog) in tcpdump(1) binary format.  These logs
       can be reviewed later using the -r option of tcpdump(1),	hopefully  of-
       fline in	case there are bugs in the packet parsing code of tcpdump(1).

What kind of logging are you looking for?

 

[mayers]

I would like to send logs like for other daemons like haproxy, samba, unbound to syslog-ng and then archive them in the appropriate destination

 

[SirDice]

You were specifically asking for PF logging. My question was referring to that.

But haproxy is simple, for example:

        log /dev/log local2

See http://docs.haproxy.org/dev/configuration.html#log (Log forwarding)

Samba logs to one or more files, doesn't use syslog.

Configuring Logging on a Samba Server - SambaWiki

wiki.samba.org

Unbound:

       use-syslog: <yes or no>
              Sets Local-unbound to send log messages to the syslogd, using
              syslog(3).  The log facility LOG_DAEMON is used, with identity
              "local-unbound".  The logfile setting is overridden when
              use-syslog is turned on.  The default is to log to syslog.

See local-unbound.conf(5).

 

[mayers]

Wait I already register unbound, samba and haproxy ok!!! send to syslog-ng that redirects to
-specific file
-mariadb database
- smtp send email.

I would like to send pf logs to syslog-ng

I can't do this? Maybe using fluent-bit is it possible?

 

[SirDice]

I would like to send pf logs to syslog-ng

What exactly do you think those PF logs are? They are not messages, they are binary captures of the actual packets.

 

[mayers]

I would like to integrate them into my database where I store log messages. So I have to translate them for example with fluent-bit.?

I am not very expert I am trying to learn thank you very much for your help

 

[SirDice]

I am not very expert I am trying to learn

Yes, that's fine. That's why I was asking what you really wanted to log. On their own they are somewhat useless, they look like this (removed my own IP) if you read them with tcpdump(1):

10:10:36.557660 IP 165.22.221.215.34452 > a.b.c.d.22: Flags [S], seq 1420336892, win 64240, options [mss 1460, [|tcp]

Like I said, they are raw packet captures. They're not going to tell you much without the proper context.

These messages however are much more informing:

May 27 10:10:20 maelcum sshguard[2283]: Attack from "165.22.221.215" on service SSH with danger 10.
May 27 10:10:20 maelcum sshguard[2283]: Blocking "165.22.221.215/32" for 120 secs (5 attacks in 15 secs, after 1 abuses over 15 secs.)

Those logged packets are the result of sshguard(8) triggering a block for a specific IP. Those messages can be found in /var/log/auth.log because sshguard(8) uses syslog to send them.