pfSense stores logs in multiple locations depending on the component generating them. The primary log storage follows the BSD system convention with some pfSense-specific modifications.
```
/var/log/system.log        # Core system logs
/var/log/filter.log        # Firewall filtering logs
/var/log/resolver.log      # DNS resolver logs
/var/log/ssh.log           # SSH access logs
/var/log/vpn.log           # VPN connection logs
/var/log/nginx/access.log  # Web interface access
```
The most convenient way for most administrators is through the pfSense web GUI:
- Navigate to Status > System Logs
- Select the specific log tab (System, Firewall, DHCP, etc.)
- Use the filter options to narrow down entries
For developers needing programmatic access, these CLI commands are useful:
```shell
# View system logs with tail
tail -f /var/log/system.log
# Search firewall logs
grep "Block" /var/log/filter.log
# Parse logs with awk
awk '/ppp/ {print $5,$6}' /var/log/system.log
```
pfSense uses newsyslog for log rotation. Configuration is in:
```
/etc/newsyslog.conf
/etc/newsyslog.conf.d/
```
Example rotation configuration:
```
/var/log/system.log   644  7  *    @T00  Z
/var/log/filter.log   644  3  100  *     J
```
To centralize logs, configure remote syslog in pfSense:
Under Services > Syslog:
1. Check "Enable Remote Logging"
2. Enter the syslog server IP
3. Select the facilities to forward
Here's a simple Python script to parse pfSense firewall logs:
```python
import re
from collections import Counter

def parse_filter_log(log_path):
    """Count (action, protocol) pairs in an IPv4 pfSense filter.log."""
    # Syslog header, then the comma-separated filterlog record. Capture groups:
    # timestamp, action (field 6), protocol text (field 16), source (field 18)
    # and destination (field 19) of the IPv4 record layout.
    pattern = (r'^(\w+\s+\d+\s+\d+:\d+:\d+)\s+\S+\s+filterlog\[\d+\]:\s+'
               r'(?:[^,]*,){6}([^,]*),(?:[^,]*,){9}([^,]*),[^,]*,([^,]*),([^,]*),')
    stats = Counter()
    with open(log_path) as f:
        for line in f:
            match = re.match(pattern, line)
            if match:
                timestamp, action, proto, src, dst = match.groups()
                stats[(action, proto)] += 1
    return stats
```
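As an added example (not code from the original page), the parser above generalised to both IPv4 and IPv6 filterlog records, with TCP/UDP port extraction, and used to list blocked inbound sources that hit several destination ports, a common first triage question when reviewing filter.log. Field offsets follow the pfSense 2.2+ filterlog CSV layout; the sample lines are constructed, and `parse_record` and `blocked_port_summary` are names chosen here.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real captures) in pfSense filterlog CSV format:
# rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,<version-specific fields>...
SAMPLE_LINES = [
    "Mar 10 12:00:01 fw filterlog[31337]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,1,0,DF,6,tcp,60,203.0.113.5,192.168.1.10,51234,22,0,S,10001,,65535,,mss",
    "Mar 10 12:00:02 fw filterlog[31337]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,2,0,DF,6,tcp,60,203.0.113.5,192.168.1.10,51235,23,0,S,10002,,65535,,mss",
    "Mar 10 12:00:03 fw filterlog[31337]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,3,0,DF,6,tcp,60,203.0.113.5,192.168.1.10,51236,80,0,S,10003,,65535,,mss",
    "Mar 10 12:00:04 fw filterlog[31337]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,4,0,DF,6,tcp,60,203.0.113.5,192.168.1.10,51237,443,0,S,10004,,65535,,mss",
    "Mar 10 12:00:05 fw filterlog[31337]: 7,,,1000000105,igb0,match,block,in,6,0x00,0x00000,64,udp,17,40,2001:db8::1,2001:db8::10,5353,53,40",
    "Mar 10 12:00:06 fw filterlog[31337]: 100,,,1000000200,igb1,match,pass,out,4,0x0,,64,5,0,DF,6,tcp,60,192.168.1.10,198.51.100.7,40000,443,0,S,10005,,65535,,mss",
    "Mar 10 12:00:07 fw sshd[2001]: Accepted publickey for admin from 192.168.1.20 port 50000 ssh2",
]

HEADER = re.compile(r'^(\w+\s+\d+\s+\d+:\d+:\d+)\s+(\S+)\s+filterlog\[\d+\]:\s+(.*)$')

def parse_record(line):
    """Parse one filterlog line into a dict; return None for other syslog lines."""
    m = HEADER.match(line.rstrip())
    if not m:
        return None
    timestamp, host, csv = m.groups()
    f = csv.split(',')
    rec = {'time': timestamp, 'host': host, 'iface': f[4], 'action': f[6],
           'dir': f[7], 'ipver': f[8]}
    if f[8] == '4' and len(f) > 19:      # IPv4: ...,proto-id,proto,len,src,dst,...
        rec.update(proto=f[16], src=f[18], dst=f[19])
        rest = f[20:]
    elif f[8] == '6' and len(f) > 16:    # IPv6: ...,proto,proto-id,len,src,dst,...
        rec.update(proto=f[12], src=f[15], dst=f[16])
        rest = f[17:]
    else:
        return None
    if rec['proto'] in ('tcp', 'udp') and len(rest) >= 2:   # ports follow the addresses
        rec['sport'], rec['dport'] = rest[0], rest[1]
    return rec

def blocked_port_summary(lines, min_ports=3):
    """Map each source whose blocked inbound TCP/UDP traffic hit at least
    min_ports distinct destination ports to the sorted list of those ports."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec and rec['action'] == 'block' and rec['dir'] == 'in' and 'dport' in rec:
            ports[rec['src']].add(int(rec['dport']))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}
```

Feed it `open('/var/log/filter.log')` instead of `SAMPLE_LINES` to run it against a real file; sources returned with `min_ports=1` are simply every blocked inbound sender.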
pfSense stores logs in several locations depending on the component:
```
/var/log/system.log   # Main system logs
/var/log/filter.log   # Firewall filter logs
/var/log/ipsec.log    # VPN connection logs
/var/log/dhcpd.log    # DHCP server logs
/var/log/ntpd.log     # NTP service logs
/var/log/packages/    # Directory for package-specific logs
```
The most convenient way for administrators is through the GUI:
```
Status > System Logs      # Core system logs
Status > DHCP Leases      # DHCP activity
Status > IPsec            # VPN connections
Status > Captive Portal   # Authentication logs
```
For developers needing programmatic access via SSH:
```shell
# View firewall logs in real-time
tail -f /var/log/filter.log
# Search for specific patterns in logs
grep -i "error" /var/log/system.log
# Rotate and compress logs (requires package)
logrotate -f /etc/newsyslog.conf
```
When using packages like Snort or Suricata, logs are typically stored in:
```
/var/log/snort/      # IDS/IPS logs
/var/log/suricata/   # Alternative IDS
/var/log/nginx/      # Web server logs
```
Example Python script to collect and parse pfSense logs:
```python
import paramiko

ssh = paramiko.SSHClient()
# AutoAddPolicy accepts whatever host key the remote end presents on first
# contact; load a known_hosts file instead when the firewall's key is pinned.
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect('pfsense_ip', username='admin', password='your_password')

# Read the whole system log over SSH and print the lines mentioning an error
stdin, stdout, stderr = ssh.exec_command('cat /var/log/system.log')
for line in stdout:
    if "error" in line.lower():
        print(line.strip())
ssh.close()
```
The default rotation settings in /etc/newsyslog.conf:
```
/var/log/system.log   644  7  *     @T00  Z
/var/log/filter.log   644  7  1000  *     Z
/var/log/dhcpd.log    644  7  1000  *     Z
```
If logs aren't appearing as expected:
```shell
# Verify logging is enabled
pfctl -vvsr | grep logging
# Check syslogd status
ps aux | grep syslogd
# Increase log verbosity
sysctl -w net.inet.ip.fw.verbose=2
```