TA-pfsense sourcetyping only catching filterlog

token2 — Sun, 29 Mar 2020 05:19:03 GMT

Running into an issue where TA-pfsense is only creating three sourcetypes-
pfsense:filterlog
pfsense:dhclient
pfsense

I'm not that Splunk savey. Looking at the props and transforms, and then the data in splunk (_raw). I'm wondering if the lack of time being in the raw log is throwing off the transforms to create sourcetype.

example raw log not getting sourcetyped by the app (so ends up with sourcetype=pfsense)

/index.php: User logged out for user 'admin' from: 192.168.1.151 (Local Database)

sendmsg: Permission denied

Example of raw log getting sourcetyped as pfsense:dhclient which is not addressed in the props.

Mar 28 22:13:03 dhclient: FAIL

Looking at the transforms'

[pfsense_sourcetyper]
REGEX = \w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?:[\w.]+\s)?(\w+)

I'm assuming it gets past the time stamp, and the following is what gets grabbed as sourcetype to append to pfsense:
With this assumption, the raw logs without time in the raw simply get sourcetyped pfsense.

This is causing OpenVPN logs, nginx, dhcpd etc to not accurately get sourcetyped and fields extracted as they are sourcetyped simply 'pfsense'.

Re: TA-pfsense sourcetyping only catching filterlog

pkt_nspktr — Thu, 02 Jul 2020 14:24:41 GMT

@token2, I had a similar issue, and documented my solution here: https://community.splunk.com/t5/All-Apps-and-Add-ons/TA-pfsense-transforms-conf-pfsense-sourcetyper-broken/m-p/507092#M62298. Take a look and see if that helps you any.

topic Re: TA-pfsense sourcetyping only catching filterlog in All Apps and Add-ons

TA-pfsense sourcetyping only catching filterlog

Re: TA-pfsense sourcetyping only catching filterlog