Dockerfile to run a Logstash instance configured to relay pfSense firewall log entries into InfluxDB, which can be visualised in Grafana.
This guide assumes you already have a working pfSense, InfluxDB and Grafana setup.
First you need to Enable Remote Logging in pfSense; this can be found in Status/System Logs/Settings. Then be sure to put the address to reach the Logstash docker container in Remote log servers and check Firewall Events.
You will also need to create a database called firewall in your InfluxDB (this can be configured in pipeline/30-outputs). You might also want to add a retention policy to automatically prune old data.
Finally connect up your InfluxDB instance as a source in Grafana and then you can create visualisations based on the data. The JSON for the example worldmap panel of inbound blocked WAN countries is included here.
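One way to script the database and retention policy step above, as an added example that is not part of this image or its repository. It assumes InfluxDB 1.x with the influx CLI on the PATH; the policy name ninety_days, the 90 day duration and the host name in the usage comment are illustrative choices.

```shell
#!/usr/bin/env bash
# Added example: assumes InfluxDB 1.x and its `influx` CLI on the PATH.
# The policy name and duration used in the usage line are illustrative.

# Accept only plain identifiers so nothing unexpected reaches the InfluxQL.
valid_ident() {
  case "$1" in
    ''|*[!A-Za-z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Accept duration literals in hours, days or weeks (a deliberate restriction),
# for example 48h, 90d or 12w.
valid_duration() {
  printf '%s' "$1" | grep -Eq '^[1-9][0-9]*[hdw]$'
}

# Print the statements that create the database and a default retention policy.
firewall_db_statements() {
  db=$1 policy=$2 duration=$3
  valid_ident "$db" || { echo "bad database name: $db" >&2; return 1; }
  valid_ident "$policy" || { echo "bad policy name: $policy" >&2; return 1; }
  valid_duration "$duration" || { echo "bad duration: $duration" >&2; return 1; }
  printf 'CREATE DATABASE "%s"\n' "$db"
  printf 'CREATE RETENTION POLICY "%s" ON "%s" DURATION %s REPLICATION 1 DEFAULT\n' \
    "$policy" "$db" "$duration"
}

# Run each statement against the InfluxDB host given as the first argument.
apply_firewall_db() {
  host=$1; shift
  stmts=$(firewall_db_statements "$@") || return 1
  while IFS= read -r stmt; do
    influx -host "$host" -execute "$stmt" </dev/null || return 1
  done <<EOF
$stmts
EOF
}

# Usage: apply_firewall_db influxdb.example.internal firewall ninety_days 90d
```

Because the policy is created as DEFAULT, points written without an explicit retention policy fall under it and are pruned once they are older than the chosen duration.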
You can use the image in a compose file:

    version: '2'
    services:
      server:
        image: threesquared/logstash-pfsense:latest
        ports:
          - "5140:5140"
          - "5140:5140/udp"

Or just as a run command:

    $ docker run -d --name logstash \
        -p 5140:5140/udp -p 5140:5140 \
        threesquared/logstash-pfsense

To build the image:

    $ docker build -t threesquared/logstash-pfsense .