All Apps and Add-ons

Home Monitor pfSense Field Extractions

ToddMKieffer
Engager

I just got Splunk Enterprise 6.5 up and running with Home Monitor 4.5.1 to ingest my pfsense 2.3.2_1 logs. I'm noticing that the field extractions seem to be off in Home Monitor.

I've adjusted the following but am wondering if there is other items that may have changed from 2.3 to 2.3.x that may need to be updated in the home monitor app.

pfsense: EXTRACT-Application changed 9 to 7 ^(?:[^ \n]* ){7}(?P\w+)

The ip_spec_4 field seems to be off as well but I'm not certain what it should be extracting. Current output is 0x0,,47,61089,0,none,6,tcp,40,77.252.229.149,173.26.98.103,60148,23,0,S,2904187495,,56516,, I first thought it was IPv version but that's covered under ip_v field.

amiracle
Splunk Employee
Splunk Employee

This could be due to the hostname that is being logged in your pfsense logs. For example, if your firewall's hostname is just 'pfsense' then that will throw off the extraction since I wrote my expecting a FQDN hostname (e.g. pfsense.domain.com).

The ip_spec_4 field is supposed to extract the payload for IPv4 events. Since the fields logged are different for IPv4 vs. IPv6, I had to create the ip_spec_4 to capture the different fields.

If you look at the extraction, the ip_spec_4 should start extracting after the ip version (ip_v) starting with the 'tos' field, normally 0x0. (https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2). I know that this is for version 2.2, but the majority of the fields are the same.

Once the ip_spec has been extracted, then the fields within that IP Version can be extracted. Let me know if that helps or if you have any other questions.

Thanks,
Kam

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

New Release of Federated Search: Bringing Splunk Analytics to More of Your Data

Organizations today are generating more data than ever and storing it across cloud object stores, data lakes, ...

Inside Event Intelligence: How ITSI Turns Network Alerts into Actionable Incidents

Tech Talk Inside Event Intelligence: How ITSI Turns Network Alerts into Actionable Incidents   Correlating ...

Observability Simplified: Combining User Experience, Application Performance & ...

  Tech Talk Network to App: Observability Unlocked   Today’s digital environments span applications, ...