pfSense System Logs - Journals and Remote Syslog

pfSense maintains detailed event logs for all system components, from the firewall and routing to VPN and DHCP/DNS services. Logs are stored locally in the /var/log/ directory as plain text files with periodic rotation. Starting with pfSense Plus 21.02 and CE 2.5.0, the system uses plain text log files with rotation and compression; earlier versions used the binary clog (circular log) format, which was less flexible and susceptible to corruption.

Log viewing is performed through Status > System Logs. Each log category is presented on a separate tab, simplifying navigation and reducing information noise.

Log Categories

pfSense separates logs by category, each accessible on its own tab:

  • System - General system events: service start/stop, updates, kernel errors
  • Firewall - Records of passed and blocked packets (primary security log)
  • DHCP - DHCP server events: lease assignments, requests, denials
  • DNS Resolver - Unbound DNS resolver queries and responses
  • DNS Forwarder - DNS Forwarder (dnsmasq) queries
  • Auth - User authentication: web interface login, SSH, Captive Portal
  • IPsec - IPsec tunnel establishment and teardown, negotiation errors
  • OpenVPN - OpenVPN client connections and disconnections, certificate errors
  • WireGuard - WireGuard VPN events (when configured)
  • L2TP - L2TP VPN connections
  • PPP - PPP connection events (PPPoE, PPTP)
  • Gateway - Gateway monitoring: status changes, link loss, recovery
  • Routing - Routing table changes, dynamic routing protocol events
  • NTP - Time synchronization: offset, server selection
  • Captive Portal - Captive Portal authentication and activity
  • Wireless - Wireless interface events
  • Packages - Package installation and update events

Firewall Log

The firewall log is the most critical data source for security analysis. Each entry contains detailed information about the firewall decision for a specific packet.

filterlog Record Format

Firewall entries are generated by the filterlog component and contain the following fields:

  • Rule number - Number of the rule that processed the packet (example: 5)
  • Sub rule number - Sub-rule number, used for NAT (example: 0)
  • Anchor - Anchor binding, used by plugins (example: -)
  • Tracker - Unique rule identifier (example: 1000000103)
  • Interface - Interface where the packet was processed (example: em0)
  • Reason - match or state (example: match)
  • Action - pass or block (example: block)
  • Direction - in or out (example: in)
  • IP version - 4 or 6 (example: 4)
  • Protocol - TCP, UDP, ICMP, etc. (example: TCP)
  • Source IP - Source IP address (example: 203.0.113.50)
  • Source port - Source port (example: 54321)
  • Destination IP - Destination IP address (example: 192.168.1.1)
  • Destination port - Destination port (example: 443)
  • TCP flags - TCP flags, present for TCP only (example: S, i.e. SYN)
  • Length - Packet length (example: 60)

Enabling Rule Logging

By default, pfSense logs only blocked packets. To enable logging for passed packets:

  1. Navigate to Firewall > Rules on the desired interface tab
  2. Open the rule for editing
  3. In the Extra Options section, check Log packets that are handled by this rule
  4. Click Save and Apply Changes

Warning:

Enabling logging for high-traffic rules (such as an Allow All rule on LAN) creates significant system load and rapidly fills logs. Only enable logging for rules that require monitoring.

Firewall Log Filtering

The Firewall tab in Status > System Logs provides advanced filters:

  • Interface - filter by interface (WAN, LAN, OPTx)
  • Action - Pass, Block, or Reject
  • Direction - In or Out
  • Protocol - TCP, UDP, ICMP, and others
  • Source / Destination IP - filter by addresses
  • Source / Destination Port - filter by ports

Viewing and Filtering Logs

Advanced Log Filter

The Advanced Log Filter panel is available on each log tab and supports the following criteria:

  • Message - text search or regular expression matching against entry content
  • Time - search by timestamp
  • Process - filter by process or service name
  • PID - filter by process identifier
  • Quantity - limit the number of displayed entries

Command-Line Log Access

Logs are accessible directly through the filesystem:

# View firewall log in real time
tail -f /var/log/filter.log

# Search for blocked packets from a specific IP
grep "block" /var/log/filter.log | grep "203.0.113.50"

# View system log
tail -100 /var/log/system.log

Log Settings

General log parameters are configured via Status > System Logs > Settings:

Display Options

  • Forward/Reverse Display - entry display order (newest first or last)
  • GUI Log Entries - number of entries displayed in the web interface (default 500)
  • Log Firewall Default Blocks - log packets blocked by the implicit deny rule
  • Log Packets from Default Pass Rules - log packets passed by automatic rules (anti-lockout, private networks)
  • Log Packets from Default Block Rules - log packets from bogon networks and reserved addresses

Rotation and Retention

  • Log Rotation Size - maximum log file size before rotation (in bytes)
  • Log Retention Count - number of rotated copies to retain
  • Log Compression - compression of rotated files (enabled by default, except on ZFS)

On standard installations (no RAM disk), logs persist across reboots. When using a RAM disk for /var, the system performs backup and restoration of logs during clean shutdown and startup sequences.

Remote Syslog Configuration

For long-term storage and centralized log analysis, pfSense supports forwarding logs to remote syslog servers. Configuration is performed via Status > System Logs > Settings in the Remote Logging Options section.

Connection Parameters

  • Enable Remote Logging - activate log forwarding to a remote server
  • Source Address - IP address or interface used as the syslog packet source. By default, the address of the interface through which the route to the syslog server passes is used
  • IP Protocol - transport protocol selection: IPv4 or IPv6
  • Remote Log Servers - up to three syslog server addresses in ip:port format (default port 514)

Transport Protocol

pfSense supports syslog transmission over the following protocols:

  • UDP, port 514 - Default. Fast, no delivery guarantee
  • TCP, port 514 - Guaranteed delivery, but potential delay when the server is unreachable

Warning:

Syslog transmission over TLS (encrypted channel) is not supported in the standard pfSense configuration. To protect syslog traffic, use a VPN tunnel between pfSense and the syslog server, or install the syslog-ng package.

Category Selection for Forwarding

In the Remote Syslog Contents section, select the log categories to forward to the remote server:

  • Everything - all logs (generates significant traffic)
  • System Events - system events
  • Firewall Events - firewall events (most commonly required category for SIEM)
  • DNS Events - DNS queries and responses
  • DHCP Events - DHCP events
  • Auth Events - authentication events
  • VPN Events - IPsec, OpenVPN, WireGuard events
  • Gateway Events - gateway monitoring events
  • Routing Events - routing events

Message Format

pfSense sends syslog messages in BSD format (RFC 3164). This format is supported by most syslog servers and SIEM systems. The format includes:

<priority>timestamp hostname process[pid]: message

Example firewall entry:

<134>Apr 06 10:15:23 pfsense filterlog[12345]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,12345,0,none,6,tcp,60,203.0.113.50,192.168.1.1,54321,443,0,S,12345678,,65535,,mss;nop;wscale
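The field list above and the RFC 3164 entry just shown describe the layout; the following Python is an added example, not code from this page or from the pfSense project. It splits the syslog envelope (facility and severity are recovered from the PRI value as facility * 8 + severity, so 134 is local0.info), maps the filterlog CSV payload to named fields, and then counts blocked inbound packets per source address, the same figure the grep pipeline in the Command-Line Log Access section produces by hand. The sample lines are constructed (the page's TCP entry plus UDP, ICMP and IPv6 variants built in the same layout); the field names (rule, tracker, proto, src and so on) are this example's own naming, and the IPv4/IPv6/TCP/UDP field order follows the pfSense filterlog format documentation. It goes beyond the single TCP example on the page by also handling IPv6 records and UDP/ICMP payloads.

```python
"""Parse pfSense syslog lines: RFC 3164 envelope plus filterlog CSV payload (added example)."""
import re
from collections import Counter

# Constructed sample input: the TCP entry from this page plus constructed UDP, ICMP,
# IPv6 and non-filterlog lines in the same layout. Not captured from a real firewall.
SAMPLE_LINES = [
    "<134>Apr 06 10:15:23 pfsense filterlog[12345]: 5,,,1000000103,em0,match,block,in,4,"
    "0x0,,64,12345,0,none,6,tcp,60,203.0.113.50,192.168.1.1,54321,443,0,S,12345678,,65535,,mss;nop;wscale",
    "<134>Apr 06 10:15:24 pfsense filterlog[12345]: 5,,,1000000103,em0,match,block,in,4,"
    "0x0,,64,12346,0,none,17,udp,78,203.0.113.50,192.168.1.1,40000,53,58",
    "<134>Apr 06 10:15:25 pfsense filterlog[12345]: 5,,,1000000103,em0,match,block,in,4,"
    "0x0,,64,12347,0,none,1,icmp,84,198.51.100.7,192.168.1.1,request,4711,1",
    "<134>Apr 06 10:15:26 pfsense filterlog[12345]: 7,,,1000000108,em1,match,pass,out,6,"
    "0x00,0x00000,64,tcp,6,40,2001:db8::10,2001:db8::1,51000,443,0,S,1,,64800,,mss",
    "<13>Apr 06 10:15:27 pfsense sshd[777]: Accepted publickey for admin from 192.168.1.20",
]

# BSD syslog: <PRI>Mon dd hh:mm:ss host process[pid]: message (the [pid] part is optional)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# filterlog layout: common header, then IP-version-specific fields, then protocol-specific
# fields. Note that the IPv6 block lists the protocol text before the protocol number.
COMMON = ["rule", "subrule", "anchor", "tracker", "interface", "reason", "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto", "length", "src", "dst"]
IPV6 = ["class", "flow_label", "hop_limit", "proto", "proto_id", "length", "src", "dst"]
TCP = ["src_port", "dst_port", "data_length", "tcp_flags", "seq", "ack", "window", "urg", "options"]
UDP = ["src_port", "dst_port", "data_length"]


def parse_syslog(line):
    """Split the RFC 3164 envelope; PRI decodes as facility * 8 + severity."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m["pri"])
    return {
        "facility": pri // 8, "severity": pri % 8, "timestamp": m["ts"],
        "host": m["host"], "process": m["proc"],
        "pid": int(m["pid"]) if m["pid"] else None, "message": m["msg"],
    }


def parse_filterlog(message):
    """Map a filterlog CSV payload to named fields according to IP version and protocol."""
    fields = message.split(",")
    rec = dict(zip(COMMON, fields[:len(COMMON)]))
    rest = fields[len(COMMON):]
    ip_names = {"4": IPV4, "6": IPV6}.get(rec.get("ipver"))
    if ip_names is None:
        raise ValueError(f"unknown IP version in filterlog record: {message!r}")
    rec.update(zip(ip_names, rest))
    rest = rest[len(ip_names):]
    if rec["proto"] == "tcp":
        rec.update(zip(TCP, rest))
    elif rec["proto"] == "udp":
        rec.update(zip(UDP, rest))
    else:
        rec["proto_fields"] = rest  # ICMP and other protocols: keep the trailing fields raw
    rec["rule"] = int(rec["rule"])
    rec["tracker"] = int(rec["tracker"])
    return rec


def blocked_sources(lines):
    """Count inbound blocked packets per source address, skipping non-filterlog lines."""
    counts = Counter()
    for line in lines:
        env = parse_syslog(line)
        if env["process"] != "filterlog":
            continue
        rec = parse_filterlog(env["message"])
        if rec["action"] == "block" and rec["direction"] == "in":
            counts[rec["src"]] += 1
    return counts


if __name__ == "__main__":
    for src, n in blocked_sources(SAMPLE_LINES).most_common():
        print(f"{n:6d}  {src}")
```

Feeding `/var/log/filter.log` line by line into `blocked_sources` gives a quick top-talkers view of what the default deny rule is dropping; the same parser is the starting point for a custom SIEM extractor when the built-in decoders do not cover a field you need.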

SIEM Integration

Wazuh

pfSense integrates with Wazuh SIEM through the remote syslog mechanism. Wazuh includes built-in decoders and rules for parsing pfSense logs, including filterlog entries. Detailed instructions are available in the pfSense Wazuh Integration section.

Typical integration architecture:

pfSense (syslog UDP/TCP) --> Wazuh Manager (ossec-remoted) --> Wazuh Indexer

Graylog

To integrate with Graylog:

  1. Create a Syslog UDP or TCP Input in Graylog on a dedicated port
  2. Configure pfSense to forward logs to the Graylog IP:port
  3. Create extractors for parsing filterlog fields

ELK Stack (Elasticsearch, Logstash, Kibana)

To integrate with ELK Stack:

  1. Configure Logstash with a syslog input module
  2. Create a Logstash filter for parsing the pfSense filterlog format
  3. Point pfSense logs to the Logstash address

An alternative approach is using Filebeat with the pfSense module (available starting with Filebeat 7.x).

Circular Log Behavior

In current pfSense versions (Plus 21.02+, CE 2.5.0+), logs are stored as plain text files with rotation:

  • When a file reaches maximum size, it is renamed with a .0 suffix; the previous .0 becomes .1, and so on
  • Rotated files are compressed (except on ZFS)
  • The number of retained copies is limited by the Log Retention Count parameter
  • The oldest copies are deleted automatically

In legacy versions, the clog (circular log) format was used, where new entries overwrote old ones in a fixed-size circular buffer. This format did not support compression and was susceptible to corruption during failures.

Troubleshooting

Logs Not Forwarding to Remote Syslog

  1. Verify that Enable Remote Logging is checked in Status > System Logs > Settings
  2. Confirm the syslog server address and port are correct
  3. Ensure a firewall rule permits outbound syslog traffic (UDP/TCP 514) from the pfSense interface
  4. Test server reachability via Diagnostics > Ping with the server IP
  5. On the syslog server side, confirm the service is listening on the specified port and accepting connections from the pfSense IP
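To exercise the last step without the firewall in the loop, the following Python is an added example (not part of this page or of pfSense). It builds a BSD-format message the way the Message Format section describes (PRI 134 = facility local0, number 16, * 8 + severity info, number 6), starts a UDP listener on 127.0.0.1 as a stand-in for the remote syslog server, sends the message and checks that it arrives unchanged. Pointing `send_udp` at the real server address and port (UDP 514 by default) turns it into a one-off reachability probe for the syslog path, and running the listener on the server side shows whether datagrams from the pfSense address get through the intervening firewalls. The function names and the logtest tag are this example's own.

```python
"""Loopback test of the BSD syslog (RFC 3164) message path pfSense uses (added example)."""
import socket
import time

FACILITY_LOCAL0 = 16  # pfSense filterlog entries arrive as local0
SEVERITY_INFO = 6
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def syslog_priority(facility, severity):
    """RFC 3164 PRI = facility * 8 + severity; local0.info gives <134> as in the page's example."""
    return facility * 8 + severity


def bsd_timestamp(tm=None):
    """'Mon dd hh:mm:ss' with a space-padded day, the traditional BSD syslog layout."""
    tm = tm or time.localtime()
    return f"{MONTHS[tm.tm_mon - 1]} {tm.tm_mday:2d} {tm.tm_hour:02d}:{tm.tm_min:02d}:{tm.tm_sec:02d}"


def build_message(facility, severity, hostname, tag, text, timestamp=None):
    """Assemble <PRI>timestamp hostname tag: text."""
    return f"<{syslog_priority(facility, severity)}>{timestamp or bsd_timestamp()} {hostname} {tag}: {text}"


def open_listener(host="127.0.0.1", port=0):
    """UDP socket standing in for the remote syslog server (port 0 picks a free port)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock


def send_udp(host, port, message):
    """Send one syslog datagram the way pfSense's UDP remote logging does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(message.encode("utf-8"), (host, port))


def receive_one(sock, timeout=2.0):
    """Return the next datagram as text, or None if nothing arrives within the timeout."""
    sock.settimeout(timeout)
    try:
        data, _peer = sock.recvfrom(65535)
    except socket.timeout:
        return None
    return data.decode("utf-8", "replace")


def loopback_check():
    """Listener and sender on 127.0.0.1: True when the message arrives unchanged."""
    with open_listener() as server:
        port = server.getsockname()[1]
        msg = build_message(FACILITY_LOCAL0, SEVERITY_INFO, "pfsense", "logtest",
                            "remote syslog reachability check")
        send_udp("127.0.0.1", port, msg)
        return receive_one(server) == msg


if __name__ == "__main__":
    print("syslog path OK" if loopback_check() else "no datagram received")
```

Because UDP gives no delivery feedback, a `None` from `receive_one` on the server side is the only signal you get; if the listener on the real server stays silent while the loopback check passes, the problem lies in the firewall rule or the route between the two hosts, not in the message format.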

Logs Filling Up Too Quickly

  • Disable logging for high-traffic rules
  • Uncheck Log Packets from Default Block Rules to reduce the volume of bogon block entries
  • Increase the Log Rotation Size value
  • Increase the Log Retention Count if longer history retention is needed

Log Loss on Reboot

When using a RAM disk for /var:

  • Verify that periodic log saving to persistent storage is enabled
  • Use remote syslog to guarantee retention of critical events
  • Consider disabling the RAM disk for systems that require local log preservation
