I’ve set up Barnyard to feed WAN and LAN snort alert logs to a Splunk server, but the DMZ barnyard logs just won’t work. Are the DMZ firewall rules blocking my DMZ barnyard syslog output to the Splunk server on the LAN? I had thought the logs would not be considered as coming from that interface but from the OS itself, but am I firewalling my own logs? And if so, I’m concerned about opening up that one port; the whole point of the DMZ for me is to prevent a compromise of my web server from being a pivot point into my LAN.
Easiest way to tell would be to look at the firewall log and see if the traffic is being blocked, but if I had to guess I’d say it’s unlikely that snort would be using different interfaces for each log. You could test that by making a rule on the DMZ interface to allow from the DMZ address to the log server and see if it starts working.
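A quick way to do the firewall-log check suggested above, as an added example that is not code from the thread or from pfSense: a small Python script that parses pfSense `filterlog` lines and counts blocked UDP datagrams toward the log collector on the barnyard syslog port. The CSV field layout is my understanding of the pfSense filterlog format and should be checked against your own log; the sample lines, interface name `em2` and addresses `10.0.2.10` / `192.168.1.50` are constructed placeholders.

```python
# Added example: scan pfSense filterlog lines for blocked traffic from the DMZ
# toward the syslog collector. Field layout (assumed, verify against your log):
#   rule,sub-rule,anchor,tracker,interface,reason,action,direction,ipversion,
#   then IPv4 header fields (tos,ecn,ttl,id,offset,flags,protoid,protocol,length),
#   then src,dst and, for UDP/TCP, srcport,dstport,datalen.
import csv
from io import StringIO

# Constructed sample lines: DMZ host 10.0.2.10 sending to the Splunk indexer
# 192.168.1.50 on UDP 1514 (barnyard) and UDP 514 (system syslog) via em2.
SAMPLE_LOG = """\
Mar  1 12:00:01 pfsense filterlog: 5,,,1000000103,em2,match,block,in,4,0x0,,64,2001,0,none,17,udp,213,10.0.2.10,192.168.1.50,53217,1514,193
Mar  1 12:00:02 pfsense filterlog: 12,,,1000000201,em2,match,pass,in,4,0x0,,64,2002,0,none,17,udp,180,10.0.2.10,192.168.1.50,53218,514,160
Mar  1 12:00:03 pfsense filterlog: 5,,,1000000103,em2,match,block,in,4,0x0,,64,2003,0,none,17,udp,213,10.0.2.10,192.168.1.50,53217,1514,193
Mar  1 12:00:04 pfsense filterlog: 7,,,1000000105,em2,match,block,in,4,0x0,,64,2004,0,none,6,tcp,60,10.0.2.10,192.168.1.50,44021,22,0
"""

def parse_filterlog(line):
    """Return a dict for one IPv4 UDP/TCP filterlog line, or None otherwise."""
    marker = "filterlog: "
    if marker not in line:
        return None
    fields = next(csv.reader(StringIO(line.split(marker, 1)[1])))
    if len(fields) < 22 or fields[8] != "4" or fields[16] not in ("udp", "tcp"):
        return None
    return {
        "interface": fields[4], "action": fields[6], "direction": fields[7],
        "proto": fields[16], "src": fields[18], "dst": fields[19],
        "sport": int(fields[20]), "dport": int(fields[21]),
    }

def blocked_syslog(log_text, collector, port, interface=None):
    """Count blocked UDP datagrams to collector:port, grouped by source address."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None or rec["action"] != "block" or rec["proto"] != "udp":
            continue
        if interface and rec["interface"] != interface:
            continue
        if rec["dst"] == collector and rec["dport"] == port:
            counts[rec["src"]] = counts.get(rec["src"], 0) + 1
    return counts

if __name__ == "__main__":
    # Two blocked barnyard datagrams from the DMZ host, none on the syslog port.
    print(blocked_syslog(SAMPLE_LOG, "192.168.1.50", 1514, "em2"))  # {'10.0.2.10': 2}
```

A non-empty result means the firewall, not barnyard, is dropping the output; an empty result while alerts are still missing points back at the barnyard configuration.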
If it turns out to be the case, then it’s pretty safe to make a more specific rule allowing pfsense to talk to the log server on the DMZ interface; pfsense can already do that on other interfaces, so it really makes no difference.
But the fact that your WAN log isn’t using the WAN interface would indicate that that’s not what’s going on.
I made the firewall rule and even copied how I had it on my LAN interface, where I had barnyard spun up and also checked the box to send logs to the system log as well. At a loss as to why my DMZ alerts just won’t forward…
This has to be a configuration error (or bug) and not a firewall problem. I’ve never used barnyard or an external logging server, so I’m not sure what to do.
Is the DMZ interface generating alerts at all or is it just not sending them to the logging server?
The DMZ interface is generating alerts (per the pfsense webgui); it just seems to not be sending them to the logging server. I just posted on the pfsense forum. I thought I had nipped it when I saw that LAN and WAN had “enable alert logs to go to syslog” checked, which is a setting outside of the barnyard syslog settings. Maybe there is a glitch as to how many barnyard instances can be up and sending logs, though I have disabled WAN and LAN.
Just checked, and the snort DMZ logs that are viewable in the system log due to that checkbox are going to the Splunk indexer via source UDP 514, but yeah, barnyard is not playing ball with sending over UDP 1514.