All Apps and Add-ons

Home Monitor: How do I configure Splunk and the app to get pfSense 2.2 firewall logs properly parsed and indexed?

hgafarov
Engager

Good day.

I can't get any info about how I can do this. When I add input from UDP, I can't see the pfsense sourcetype, only syslog. I added syslog, but Home Monitor won't recognize it and I can't find any info on what anything means in the pfsense firewall log (no explanation to numbers). I found Source, Dest, ports, Action, but that's all which is not enough. Is there any way to automate or provide the pfsense sourcetype to Splunk?

P.S: Searched for 2 days. can't find anything. All info is old...

amiracle
Splunk Employee
Splunk Employee

Is this still a problem? I was able to make some updates that may have resolved your issue.

0 Karma

amiracle
Splunk Employee
Splunk Employee

I've fixed how this app does the source typing of your data. Now, you run through a setup screen which allows you to manually enter your source type, in this case pfsense. If you left the source type as syslog, then it will look at the hostname of your router (based on your internal DNS) and if it contains pfsense, it will automatically source type it as pfsense. In the example above, I left my hostname by mistake (guard) but have since corrected it in more recent releases (4.2.1).

Let me know if you have any additional issues on boarding your firewall's logs into Splunk running Home Monitor.

Thanks,
Kam

Richfez
SplunkTrust
SplunkTrust

It looks to me like the Home Monitor app rewrites sourcetype into the appropriate value in transforms.conf, and it does this based on hostname as it's being reported. Can you check your $splunkhome$/homemonitor/default/transforms.conf's stanza for pfsense and make sure the REGEX says your pfsense router's hostname?

[pfsense]
# Make sure that this matches the hostname of your router, pfsense is just an example. 
REGEX = guard
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::pfsense
DEST_KEY = MetaData:Sourcetype

You can search your sourcetype=syslog events to confirm what the hostname is set to.

Otherwise, have you considered the app TA and APP for pfSense by A3Sec instead? I am not affiliated with either product, but the documentation for getting that app seems much better.

0 Karma

Richfez
SplunkTrust
SplunkTrust

Note, it's very possible the pfsense stanza you actually need may be in the splunkhome/homemonitor/local/transforms.conf.

0 Karma
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...