Font size: +

pfSense NetFlow and EventLog configuration


pfSense is a free network firewall distribution, based on FreeBSD OS and includes numerous third party free software packages intended to expand firewall functionality. pfSense hardware can be installed on common hardware or in the cloud. This variety in installation options, together with project's openness and modern UI, makes pfSense one of the top software-based firewalls in the world. For the installation of pfSense any particular UNIX knowledge is not necessary.

NetFlow Configuration

pfSense has support for NetFlow via softflowd package, which is a flow-based network traffic analyzer. To install a softflowd inside pfSense go to System/Package Manager and then search for softflowd inside available packages. Once it is found, click on the install. To check if the installation is completed, go to Installed Packages. The screen should be similar to the picture below:

To access NetFlow Configuration go to Services/Softflowd. Configuration of NetFlow export should be set in the similar way as in the example below:  

After the basic NetFlow configurations, we have Timeout options. Timeout options are usually left unconfigured, however if you want to set some timeouts or to group flows into NetFlow packet here is the place to do it:

Once you have gone through the simple settings mentioned before, NetFlow traffic should appear in your NetFlow collector.  

EventLog Configuration

Unlike NetFlow configuration, EventLog has built-in configuration and it's pretty straightforward.

Go to Status/System logs, where each and every log inside pfSense is collected. Click on Settings tab and in the page bottom Remote Logging option is located - like in the picture below:

Not much customization is possible on this page, except on the Remote Syslog Contents side where you could set only important traffic to go to your remote Syslog Collector (for example VPN). This is usually done on firewalls, because they create a lot of traffic and with that a lot of informational syslog messages (for example firewall block rules information).

Now, EventLog messages should be seen inside your EventLog Collector and monitoring and alerting on those messages can commence.

DDoS attacks
Collecting logs from Windows machines

Related Posts


Mailing and Visiting Address:
Soneco d.o.o.
Makenzijeva 24/VI, 11000 Belgrade, Serbia
Phone: +381.11.6356319
Fax: +381.11.2455210 |


linkedin facebook facebook