Topic: Configure syslog-ng to stream multiple individual log files not working


Offline user12345

I've installed the syslog-ng package v1.15 on pfSense 2.4.2p1. I'm trying to send a few log files (DNSBL, Firewall, Squid/Squidguard, Suricata) from the pfSense local filesystem to a unique remote destination IP:PORT per file src. The problem I'm seeing is that only one of the files (DNSBL) is streamed to all 5 destinations instead of each dst having a unique src file being sent. The configuration appears to be valid but something isn't right. I've added the screenshot from the web UI as well as the output of the syslog-ng.conf.

Package / Services: Syslog-ng / Advanced

Object Type   Object Name   Description
destination   dst_squidGuard   Destination for squidGuard Block Log   
destination   dst_Suricata   Destination for Suricata to Logstash   
destination   dst_Squid   Destination for Squid Proxy Access Log   
destination   dst_Firewall   Destination for Firewall Log   
destination   dst_DNSBL   Destination for DNSBL Alert Log   
destination   _DEFAULT      
log   log_Suricata   Log Line for Suricata   
log   log_squidGuard   Log Line for squidGuard Block Log   
log   log_Squid   Log Line for Squid Proxy Access Log   
log   log_DNSBL   Log Line for DNSBL   
log   log_Firewall   Log Line for Firewall   
log   _DEFAULT      
options   global   Global Options for Syslog-NG   
source   src_Squid   Source for Squid Proxy Access Log   
source   src_Suricata   Source for Suricata eve.json file   
source   src_DNSBL   Source for DNSBL Alert Log   
source   src_squidGuard   Source for squidGuard Block Log   
source   src_Firewall   Source for Firewall Log   
source   _DEFAULT      

Content of /usr/local/etc/syslog-ng.conf:
destination dst_squidGuard { tcp("x.x.x.x" port(2003)); };
destination dst_Suricata { tcp("x.x.x.x" port(1999)); };
destination dst_Squid { tcp("x.x.x.x" port(2000)); };
destination dst_Firewall { tcp("x.x.x.x" port(2002)); };
destination dst_DNSBL { tcp("x.x.x.x" port(2001)); };
destination _DEFAULT { file("/var/syslog-ng/default.log"); };
log { source(src_Suricata); destination(dst_Suricata); flags(final);};
log { source(src_squidGuard); destination(dst_squidGuard); flags(final);};
log { source(src_Squid); destination(dst_Squid); flags(final);};
log { source(src_DNSBL); destination(dst_DNSBL); flags(final);};
log { source(src_Firewall); destination(dst_Firewall); flags(final);};
log { source(_DEFAULT); destination(_DEFAULT); };
options { use_dns(no); flush_lines(10000); log_fifo_size(1024); threaded(yes); };
source src_Squid { file("/var/log/squid/access.log" multi-line-mode(indented)); };
source src_Suricata { file("/var/log/suricata/suricata_igb032838/eve.json" multi-line-mode(indented)); };
source src_DNSBL { file("/var/log/pfblockerng/dnsbl.log" multi-line-mode(indented)); };
source src_squidGuard { file("/var/squidGuard/log/block.log" multi-line-mode (indented)); };
source src_Firewall { file("/var/log/filter.log" multi-line-mode(indented)); };
source _DEFAULT { internal(); syslog(transport(tcp) port(5140) ip(x.x.x.y)); };

Feel like I'm missing something basic or stupid but don't see it.  Input appreciated. 

Developer Question:
1.  Shouldn't the config file build in the proper order?  options, src, dst, log for format.

Offline user12345

Re: Configure syslog-ng to stream multiple individual log files not working
« Reply #1 on: February 04, 2018, 01:36:30 pm »
Anyone have any input on this? I've been fighting this for a couple of weeks. Not seeing the problem. Also manually re-ordered the lines to be options, src, dst, log but no change in behavior.
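
An added example, not part of the original posts: a small Python check that resolves each log statement in a syslog-ng.conf laid out like the one posted above (one statement per line) to its source file and destination port, then reports undefined references or a port fed by more than one file. The function names and the trimmed sample config are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: two of the five paths from the posted file, same line format.
SAMPLE_CONF = """\
destination dst_Squid { tcp("x.x.x.x" port(2000)); };
destination dst_DNSBL { tcp("x.x.x.x" port(2001)); };
log { source(src_Squid); destination(dst_Squid); flags(final);};
log { source(src_DNSBL); destination(dst_DNSBL); flags(final);};
source src_Squid { file("/var/log/squid/access.log" multi-line-mode(indented)); };
source src_DNSBL { file("/var/log/pfblockerng/dnsbl.log" multi-line-mode(indented)); };
"""

def objects(conf, kind):
    """Map object name -> body for one-line 'kind NAME { ... };' statements."""
    return dict(re.findall(r"^%s\s+(\w+)\s*\{(.*)\};\s*$" % kind, conf, re.M))

def routes(conf):
    """Resolve every log statement to (source name, file, destination name, port)."""
    srcs, dsts = objects(conf, "source"), objects(conf, "destination")
    out = []
    for body in re.findall(r"^log\s*\{(.*)\};\s*$", conf, re.M):
        for s in re.findall(r"\bsource\((\w+)\)", body):
            for d in re.findall(r"\bdestination\((\w+)\)", body):
                path = re.search(r'file\("([^"]+)"', srcs.get(s, ""))
                port = re.search(r"port\((\d+)\)", dsts.get(d, ""))
                out.append((s, path and path.group(1), d, port and port.group(1)))
    return out

def audit(conf):
    """Report undefined references and any port fed by more than one file."""
    srcs, dsts = objects(conf, "source"), objects(conf, "destination")
    problems, by_port = [], defaultdict(set)
    for s, path, d, port in routes(conf):
        if s not in srcs:
            problems.append("undefined source " + s)
        if d not in dsts:
            problems.append("undefined destination " + d)
        if path and port:
            by_port[port].add(path)
    for port, paths in sorted(by_port.items()):
        if len(paths) > 1:
            problems.append("port %s receives %s" % (port, ", ".join(sorted(paths))))
    return problems

if __name__ == "__main__":
    for row in routes(SAMPLE_CONF):
        print("%s (%s) -> %s (port %s)" % row)
    print(audit(SAMPLE_CONF) or "wiring is one-to-one")
```

Running the same functions over the contents of /usr/local/etc/syslog-ng.conf shows whether the generated file itself maps each file to its own port, which separates a wiring mistake from a problem elsewhere.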