Using a Raspberry Pi as a Syslog Server for a (pfsense) firewall

I was trying to find a good reason to buy the well-known Raspberry Pi, apart from the usual ones, and I decided that it would be ideal as a syslog server for my home firewall (running on pfsense). No graphics required, no significant CPU or memory requirements, just some storage for the text logs.


As the OS, I decided to use Moebius Linux, a Raspbian-based (and consequently Debian-based) distribution, simply because it is minimalistic, as a syslog server should be.


After copying the image to a 2 GB SD card (which seems to be more than enough; for installation instructions please check here), logging into it (using ssh, of course), configuring it (using moebius.config or moebius.config --normal), updating it (apt-get update and then apt-get upgrade, as on any Debian-based system) and finally restarting it, it's time to tailor it to our needs.


First, create your user:


useradd myuser -d /home/myuser -m -s /bin/bash


Configure myuser's password:


passwd myuser


Of course, do not forget to change the root password too, if you haven't already done so.


Now, it's time for some hardening.


First, let's harden ssh. Moebius does not use OpenSSH but Dropbear (which saves more than 10 MBytes of RAM):


vi /etc/default/dropbear


Add the following lines:

    DROPBEAR_PORT=45323       #the TCP port that your Dropbear server will listen on
    DROPBEAR_EXTRA_ARGS="-w"  #Disallow root logins


Restart the service:

/etc/init.d/dropbear restart


Now we'll add the required software. First of all, install iptables, to use it as a host firewall for our syslog server:


apt-get install iptables


Assuming that your SOHO firewall (the logs of which you want to store on the syslog server) has an IP of and your PC from which you access the Raspberry has an IP of, let's configure iptables to accept the required connections only from those two hosts (of course, do the following as root):


iptables -I INPUT 1 -p udp --src --dport 514 -j ACCEPT    #to accept syslog connections from your SOHO firewall
iptables -I INPUT 2 -p tcp --src --dport 45323 -m state --state NEW -j ACCEPT   #to accept ssh connections from your pc
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -I INPUT 3 --src -p icmp -m icmp --icmp-type 8 -j ACCEPT   #to check from your PC whether raspberry is alive
iptables -P INPUT DROP     #Default dropping policy

iptables-save > /etc/iptables.conf
echo '#!/bin/bash' > /etc/network/if-up.d/iptables
echo '/sbin/iptables-restore < /etc/iptables.conf' >> /etc/network/if-up.d/iptables
chmod +x /etc/network/if-up.d/iptables


Moebius uses inetutils-syslogd. Uninstall it; for our purposes we shall use syslog-ng:


apt-get remove inetutils-syslogd

apt-get install syslog-ng


Now, let's configure syslog-ng:


vi /etc/syslog-ng/syslog-ng.conf

Go to the #Sources section and comment out internal(), as follows:

        source s_src {
        #      internal();


Now, add the following lines:

source s_net { udp(ip( port(514)); }; # will bind to all interfaces on your syslog server.
destination pfsense { file("/var/log/pfsense.log"); };
log { source(s_net); destination(pfsense); };


Save and exit the configuration file, then start the service:


service syslog-ng start


Create the corresponding log file:


touch /var/log/pfsense.log


Almost done. Time to configure pfsense to send its logs to your brand-new minimalistic syslog server. In the pfsense web interface, go to:


Status -> System Logs -> Remote Logging Options


Check "Send log messages to remote syslog server".


Enter your syslog server's IP at Remote Syslog Servers -> Server 1.

Under Remote Syslog Contents, enable (tick) just Firewall events (this is what we are interested in).


Press the Save button at the bottom and you are all set.


You'll find your logs at /var/log/pfsense.log. If you want to check them very quickly, just run:


grep -v match /var/log/pfsense.log | grep -v From | grep '>' | awk '{print $6 " > " $8 " " $9 " " $10}'


You should see something like the following, one line per logged packet (the source and destination addresses are missing from this copy of the post, so only the trailing fields remain; the pattern repeats for every packet):

    > Flags [S],
    > Flags [S],
    > UDP, length
    > Flags [S],
    > UDP, length
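The grep/awk pipeline above only flattens the log; for a quick defender's view (which sources are being blocked most often, and which of them probe many different ports) here is an added Python script that is not part of the original post. It assumes the tcpdump-style two-line pf log format the pipeline expects: a line containing `rule N/0(match): block in on <iface>:` followed by a line carrying `<src>.<sport> > <dst>.<dport>: Flags [S], ...` (or `UDP, length ...`, or an ICMP line without ports). The log lines embedded in it are constructed sample data using RFC 5737 documentation addresses; the hostname `pfsense`, the interface `em0` and the three-port threshold are assumptions.

```python
"""Summarise blocked traffic from /var/log/pfsense.log (added example, not from the post)."""
import re
import sys
from collections import Counter, defaultdict

# Rule line, e.g. "... pf: 00:00:00.123456 rule 1/0(match): block in on em0: (tos 0x0, ...)"
RULE_RE = re.compile(
    r" pf: \S+ rule (?P<rule>\S+?)\(match\): (?P<action>block|pass) "
    r"(?P<direction>in|out) on (?P<iface>\S+):"
)
# Address line that follows it, e.g. "... pf:     192.0.2.10.51234 > 198.51.100.5.22: Flags [S], ..."
# Ports are optional so that ICMP lines ("a.b.c.d > e.f.g.h: ICMP ...") are parsed too.
ADDR_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ pf:\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)

# Constructed sample log (documentation addresses); the orphan rule line before the
# last pair imitates an address line lost in transit, which UDP syslog does not prevent.
SAMPLE = """\
Sep  2 10:00:00 pfsense pf: 00:00:00.123456 rule 1/0(match): block in on em0: (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
Sep  2 10:00:00 pfsense pf:     192.0.2.10.51234 > 198.51.100.5.22: Flags [S], seq 1, win 65535, length 0
Sep  2 10:00:01 pfsense pf: 00:00:01.000000 rule 1/0(match): block in on em0: (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto TCP (6), length 60)
Sep  2 10:00:01 pfsense pf:     192.0.2.10.51235 > 198.51.100.5.23: Flags [S], seq 2, win 65535, length 0
Sep  2 10:00:02 pfsense pf: 00:00:02.000000 rule 1/0(match): block in on em0: (tos 0x0, ttl 64, id 3, offset 0, flags [DF], proto TCP (6), length 60)
Sep  2 10:00:02 pfsense pf:     192.0.2.10.51236 > 198.51.100.5.3389: Flags [S], seq 3, win 65535, length 0
Sep  2 10:00:03 pfsense pf: 00:00:03.000000 rule 1/0(match): block in on em0: (tos 0x0, ttl 64, id 4, offset 0, flags none, proto UDP (17), length 68)
Sep  2 10:00:03 pfsense pf:     203.0.113.7.40000 > 198.51.100.5.53: UDP, length 40
Sep  2 10:00:04 pfsense pf: 00:00:04.000000 rule 1/0(match): block in on em0: (tos 0x0, ttl 64, id 5, offset 0, flags none, proto UDP (17), length 68)
Sep  2 10:00:04 pfsense pf:     203.0.113.7.40001 > 198.51.100.5.53: UDP, length 40
Sep  2 10:00:05 pfsense pf: 00:00:05.000000 rule 1/0(match): block in on em0: (tos 0x0, ttl 64, id 6, offset 0, flags none, proto ICMP (1), length 84)
Sep  2 10:00:05 pfsense pf:     192.0.2.10 > 198.51.100.5: ICMP echo request, id 1, seq 1, length 64
Sep  2 10:00:06 pfsense pf: 00:00:06.000000 rule 1/0(match): block in on em0: (tos 0x0, ttl 64, id 7, offset 0, flags [DF], proto TCP (6), length 60)
Sep  2 10:00:07 pfsense pf: 00:00:07.000000 rule 2/0(match): pass out on em0: (tos 0x0, ttl 64, id 8, offset 0, flags [DF], proto TCP (6), length 60)
Sep  2 10:00:07 pfsense pf:     198.51.100.5.49152 > 203.0.113.9.443: Flags [S], seq 4, win 65535, length 0
"""


def _proto(rest):
    """Guess the protocol from the tcpdump-style tail of the address line."""
    for prefix, name in (("Flags", "tcp"), ("UDP", "udp"), ("ICMP", "icmp")):
        if rest.startswith(prefix):
            return name
    return "other"


def parse_log(lines):
    """Pair each rule line with the address line that follows it; return one record per packet."""
    records = []
    pending = None  # verdict from the last rule line, waiting for its address line
    for line in lines:
        m = RULE_RE.search(line)
        if m:
            pending = m.groupdict()  # a new rule line replaces an unpaired one
            continue
        m = ADDR_RE.match(line)
        if not m:
            continue  # anything that is neither a rule nor an address line is skipped
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"]) if rec["sport"] else None
        rec["dport"] = int(rec["dport"]) if rec["dport"] else None
        rec["proto"] = _proto(rec.pop("rest"))
        # No preceding rule line means the verdict is unknown rather than guessed
        rec.update(pending or {"rule": None, "action": None, "direction": None, "iface": None})
        pending = None
        records.append(rec)
    return records


def blocked_inbound(records):
    return [r for r in records if r["action"] == "block" and r["direction"] == "in"]


def count_by_source(records):
    """Blocked inbound packets per source address, most frequent first."""
    return Counter(r["src"] for r in blocked_inbound(records)).most_common()


def scan_candidates(records, min_ports=3):
    """Sources whose blocked inbound packets touched at least min_ports distinct (proto, port) pairs."""
    ports = defaultdict(set)
    for r in blocked_inbound(records):
        if r["dport"] is not None:
            ports[r["src"]].add((r["proto"], r["dport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    # Usage: python pfsense_summary.py /var/log/pfsense.log (no argument: built-in sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            records = parse_log(fh)
    else:
        records = parse_log(SAMPLE.splitlines())
    print("blocked inbound packets per source:")
    for src, n in count_by_source(records):
        print(f"  {src:15} {n}")
    print("sources touching several distinct ports:")
    for src, touched in scan_candidates(records).items():
        print(f"  {src:15} {touched}")
```

Run it against the real file with the path as the only argument; without one it prints the summary of the embedded sample. The rule line and the address line are pushed as two separate UDP datagrams, so the parser deliberately drops a rule line that never receives its address line instead of attaching it to the wrong packet.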