Pfsense syslog parsing #5978
Replies: 5 comments 2 replies
Hello, the pfSense firewall logs are parsed with the parser file filterlog in /opt/so/conf/elasticsearch/ingest/, but they have no Kibana dashboard of their own. You can filter them out in Kibana with the dataset value "Firewall". Other types of logs produced by pfSense (for example VPN) are not parsed and stay in the dataset syslog. If you want a specific pfSense log type parsed, you need to make a custom parser. You still need to configure your pfSense to forward the firewall logs; this is not configured by default. The info for default and custom parsers is found here: Elasticsearch-Parsing. For VPN there is a basic parser on this forum: VPN parser file. Regards
What log message format do you use in pfSense system logs settings? I use BSD and Security Onion is parsing all fields correctly without any custom parser or additional configuration. You should find your logs in the main dashboard Modules table.
pfSense firewall logs in the default format should parse correctly out of the box. Our Hunt interface includes a firewall query in the list of default queries.
Thanks everyone for your suggestions and help. It seems the root cause of my issues was using the Syslog format for pfSense logs instead of the default BSD format. Everything is working now :)
@dougburks, are you looking into creating a parser for the syslog version rather than BSD? The benefit of having the syslog format parsed over BSD is that the syslog version has the hostname, which is beneficial if you need to NAT through a device to get to the Forward Node, as the NAT'ed log will not have the correct log source information.
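As an added example (not from this thread and not Security Onion's own filterlog parser), here is the difference the previous comment points at, shown in Python: a small parser that accepts pfSense output with either a BSD-style header or an RFC 5424 syslog header, extracts the hostname where the format carries one, and then splits the filterlog CSV body into named fields. The header layouts, the filterlog field order and the sample log lines are assumptions constructed for illustration.

```python
import re
from typing import Dict, Optional

# Assumed BSD-style pfSense remote syslog header (as the thread describes it):
# PRI, timestamp, program, message, and no hostname field at all.
BSD_RE = re.compile(r"^<\d+>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
                    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
# RFC 5424 syslog header: version 1, timestamp, hostname, app, procid, msgid, sd.
RFC5424_RE = re.compile(r"^<\d+>1 (?P<ts>\S+) (?P<host>\S+) (?P<prog>\S+) "
                        r"\S+ \S+ (?:-|\[[^\]]*\]) (?P<msg>.*)$")
# Assumed filterlog CSV layout: common prefix, IPv4 block, then TCP/UDP ports.
COMMON = ["rule", "subrule", "anchor", "tracker", "interface", "reason", "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto", "length", "src", "dst"]
PORTS = ["src_port", "dst_port", "data_len"]


def parse_header(line: str) -> Dict[str, Optional[str]]:
    """Return format, hostname (None for BSD), program and message body."""
    m = RFC5424_RE.match(line)
    if m:
        return {"format": "syslog", "host": m["host"], "prog": m["prog"], "msg": m["msg"]}
    m = BSD_RE.match(line)
    if m:
        return {"format": "bsd", "host": None, "prog": m["prog"], "msg": m["msg"]}
    raise ValueError(f"unrecognised syslog header: {line!r}")


def parse_filterlog(msg: str) -> Dict[str, str]:
    """Split a filterlog CSV body into named fields (IPv4 records only)."""
    parts = msg.split(",")
    fields = dict(zip(COMMON, parts))
    rest = parts[len(COMMON):]
    if fields.get("ipver") != "4":
        raise ValueError("this example handles IPv4 filterlog records only")
    fields.update(zip(IPV4, rest))
    if fields.get("proto") in ("tcp", "udp"):
        fields.update(zip(PORTS, rest[len(IPV4):]))
    return fields


def parse_line(line: str) -> Dict[str, Optional[str]]:
    """Parse the header and, for filterlog records, the firewall fields."""
    rec = parse_header(line)
    if rec["prog"] == "filterlog":
        rec.update(parse_filterlog(rec["msg"]))
    return rec


# Constructed sample records: the same block event, once per output format.
BODY = ("5,,,1000000103,igb0,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,"
        "203.0.113.7,192.0.2.10,51515,22,0")
BSD_LINE = f"<134>Jun 10 12:00:00 filterlog: {BODY}"
SYSLOG_LINE = f"<134>1 2024-06-10T12:00:00+00:00 fw1.example.lan filterlog 12345 - - {BODY}"
```

With a NAT device in the path, the BSD record's source can only be taken from the packet's (rewritten) source address, while the RFC 5424 record still names fw1.example.lan in its header.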