pfSense Logging Configuration

Configure pfSense remote logging for SIEM integration (Wazuh, Splunk, etc.) via REST API v2.

API Endpoint

/api/v2/status/logs/settings

Method Description

GET

Retrieve current logging settings

PATCH

Update logging settings

Get Current Settings

dsource d000 dev/network
curl -ks "https://${PFSENSE_HOST}/api/v2/status/logs/settings" \
  -H "X-API-Key: ${PFSENSE_API_SECRET}" | jq .
Example response
{
  "code": 200,
  "status": "ok",
  "data": {
    "enableremotelogging": false,
    "ipprotocol": null,
    "sourceip": null,
    "remoteserver": null,
    "remoteserver2": null,
    "remoteserver3": null,
    "logall": null
  }
}

Enable Remote Syslog

Configure pfSense to send logs to a remote syslog server (e.g., Wazuh SIEM).

curl -ks "https://${PFSENSE_HOST}/api/v2/status/logs/settings" \
  -X PATCH \
  -H "X-API-Key: ${PFSENSE_API_SECRET}" \
  -H "Content-Type: application/json" \
  -d '{
    "enableremotelogging": true,
    "sourceip": "",
    "ipprotocol": "ipv4",
    "remoteserver": "10.50.1.120:514",
    "logall": true
  }' | jq .
Expected response
{
  "code": 200,
  "status": "ok",
  "response_id": "SUCCESS",
  "data": {
    "enableremotelogging": true,
    "remoteserver": "10.50.1.120:514",
    "logall": true
  }
}

Parameters

Parameter Type Description

enableremotelogging

boolean

Enable/disable remote syslog

sourceip

string

Source interface: "" (any), wan, lan, opt1-opt5, lo0

ipprotocol

string

IP version: ipv4 or ipv6

remoteserver

string

Primary syslog server: host:port (e.g., 10.50.1.120:514)

remoteserver2

string

Secondary syslog server (optional)

remoteserver3

string

Tertiary syslog server (optional)

logall

boolean

Send all log types to remote server

Selective Logging

Instead of logall: true, send specific log categories:

curl -ks "https://${PFSENSE_HOST}/api/v2/status/logs/settings" \
  -X PATCH \
  -H "X-API-Key: ${PFSENSE_API_SECRET}" \
  -H "Content-Type: application/json" \
  -d '{
    "enableremotelogging": true,
    "sourceip": "",
    "ipprotocol": "ipv4",
    "remoteserver": "10.50.1.120:514",
    "logall": false,
    "filter": true,
    "dhcp": true,
    "auth": true,
    "vpn": true,
    "system": true
  }' | jq .
Table 1. Log categories
Parameter Log Type

filter

Firewall filter logs

dhcp

DHCP server logs

auth

Authentication logs

portalauth

Captive portal logs

vpn

VPN (IPsec, OpenVPN) logs

dpinger

Gateway monitoring logs

hostapd

Wireless AP logs

system

System/general logs

resolver

DNS resolver logs

ppp

PPP/PPPoE logs

routing

Routing daemon logs

ntpd

NTP daemon logs

Disable Remote Logging

curl -ks "https://${PFSENSE_HOST}/api/v2/status/logs/settings" \
  -X PATCH \
  -H "X-API-Key: ${PFSENSE_API_SECRET}" \
  -H "Content-Type: application/json" \
  -d '{
    "enableremotelogging": false
  }' | jq .

Verify Syslog Delivery

On the receiving SIEM (e.g., Wazuh):

# Check if logs are arriving
kubectl exec -n wazuh wazuh-manager-master-0 -- \
  tail -20 /var/ossec/logs/archives/archives.log | grep -i pfsense

On pfSense (via SSH):

# Check syslog service
sockstat -4 | grep syslog

Integration Examples

Wazuh SIEM

curl -ks "https://${PFSENSE_HOST}/api/v2/status/logs/settings" \
  -X PATCH \
  -H "X-API-Key: ${PFSENSE_API_SECRET}" \
  -H "Content-Type: application/json" \
  -d '{
    "enableremotelogging": true,
    "sourceip": "",
    "ipprotocol": "ipv4",
    "remoteserver": "10.50.1.120:514",
    "logall": true
  }' | jq -r '.response_id'

Splunk

curl -ks "https://${PFSENSE_HOST}/api/v2/status/logs/settings" \
  -X PATCH \
  -H "X-API-Key: ${PFSENSE_API_SECRET}" \
  -H "Content-Type: application/json" \
  -d '{
    "enableremotelogging": true,
    "sourceip": "",
    "ipprotocol": "ipv4",
    "remoteserver": "splunk.example.com:514",
    "logall": true
  }' | jq -r '.response_id'

See Also