Pfsense Logs Never show up in Security Onion #11335
-
What kind of Security Onion installation did you perform (import, eval, standalone, etc.)? Are there any network devices between your Security Onion machine and your pfSense firewall that could be interfering with the port 514 traffic? If you run tcpdump on the Security Onion management interface, do you see the port 514 traffic coming from the pfSense firewall?
-
Hi Doug, thanks for taking a look. Standalone. Not that I am aware of. I ran tcpdump on the actual interface name of the sniffing interface as well as bond0 on the onion and tried sending over echo "<134>Test syslog message" | nc -u -w1 [SECURITY_ONION_IP] 514 from pfSense and another local machine, but it shows no packets in the dumps. This is peculiar as I can run so-test fine and so-status shows all containers up and running.
-
As I mentioned above, please run tcpdump on the management interface (not the sniffing interface). If you run tcpdump on the management interface and don't see the pfSense syslog traffic there, then it's not a Security Onion problem but a problem elsewhere in your network.
-
@kgoode517 I'm not sure if this will help you, but I was running into the same issue and for some reason changing the "Source Address" under the Remote Logging Options to LAN worked for me. pfSense was trying to send the logs from the gateway address for the VLAN my Security Onion box is in. Hope that helps ya out. |
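The two checks raised in this thread (does the UDP 514 traffic arrive at the management interface at all, and which source address is pfSense sending it from) can be done with a tiny receiver instead of reading raw tcpdump output. The script below is an added example written for this page; it is not part of Security Onion, pfSense or the discussion. It binds a UDP port (514 needs root, and the bind will fail if something already listens there, as Security Onion's own syslog ingest does, so run it on a spare host on the same segment or use tcpdump on the Security Onion box as Doug suggests), prints the source IP and port of every datagram, and decodes the RFC 3164 <PRI> prefix so the nc test message "<134>Test syslog message" shows up as local0.info. The bind address, port and sample datagrams are assumptions for the example.

```python
"""Minimal UDP syslog receiver for checking whether pfSense remote-logging
datagrams reach a host, and from which source address they are sent.

Added example for this discussion, not Security Onion or pfSense code.
Usage (needs root for port 514):  sudo python3 sysrecv.py <MGMT_IP> 514
"""
import socket
import sys

# RFC 3164 facility and severity names; PRI = facility * 8 + severity.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "security", 14: "console", 15: "solaris-cron",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_pri(datagram):
    """Split '<PRI>message' into (facility, severity, message).

    PRI is one to three digits and must be <= 191. A datagram without a
    valid PRI (e.g. a stray nc test line) yields (None, None, text), so the
    caller can still see that *something* arrived from that source.
    """
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    if text.startswith("<"):
        end = text.find(">", 1, 5)          # '>' must sit at index 2..4
        if end != -1 and text[1:end].isdigit():
            pri = int(text[1:end])
            if pri <= 191:                  # 23 facilities * 8 severities
                return pri // 8, pri % 8, text[end + 1:]
    return None, None, text


def describe(datagram, source):
    """One line per datagram: who sent it and what it decodes to."""
    fac, sev, msg = parse_pri(datagram)
    who = "%s:%d" % source
    if fac is None:
        return "%s (no valid PRI) %r" % (who, msg)
    name = "%s.%s" % (FACILITIES.get(fac, str(fac)), SEVERITIES[sev])
    return "%s %s %r" % (who, name, msg)


def listen(bind_addr, port=514, count=None):
    """Bind bind_addr:port and print datagrams; stop after `count` if given.

    Returns the number of datagrams received. The source address printed
    is what pfSense actually used, which is the thing to compare against
    the 'Source Address' setting under Remote Logging Options.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))        # raises if 514 is already taken
        seen = 0
        while count is None or seen < count:
            data, src = sock.recvfrom(65535)
            print(describe(data, src))
            seen += 1
        return seen


if __name__ == "__main__":
    # Assumed invocation: bind address (the management IP) and optional port.
    addr = sys.argv[1] if len(sys.argv) > 1 else "0.0.0.0"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 514
    print("listening on %s:%d (Ctrl-C to stop)" % (addr, port))
    listen(addr, port)
```

If the receiver prints nothing while pfSense reports no errors, the datagrams are not reaching that interface and the problem is upstream (VLAN routing, a firewall rule on the pfSense interface facing Security Onion, or the wrong source address); if they arrive but from an address other than the one you allowed with so-allow, that is the mismatch the LAN source-address change in the reply above fixes.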
-
I have tried this in both 2.3 and 2.4 and have never been able to achieve what was described here for my BSD pfSense logs. PfsenseSecurityOnionIntegration I am on the current version of pfSense+. This is back on a 2.3 onion. I have no error messages on the pfSense side and have verified the remote syslog option for my Security Onion on UDP port 514 in the pfSense logging configuration. I have run so-allow for syslog for the pfSense machine. What should I try next?