
Home Monitor pfSense Field Extractions

ToddMKieffer
Engager

I just got Splunk Enterprise 6.5 up and running with Home Monitor 4.5.1 to ingest my pfsense 2.3.2_1 logs. I'm noticing that the field extractions seem to be off in Home Monitor.

I've adjusted the following but am wondering if there are other items that may have changed from 2.3 to 2.3.x that may need to be updated in the Home Monitor app.

pfsense: EXTRACT-Application changed 9 to 7 ^(?:[^ \n]* ){7}(?P\w+)

The ip_spec_4 field seems to be off as well, but I'm not certain what it should be extracting. Current output is 0x0,,47,61089,0,none,6,tcp,40,77.252.229.149,173.26.98.103,60148,23,0,S,2904187495,,56516,, . I first thought it was the IP version, but that's covered under the ip_v field.

amiracle
Splunk Employee

This could be due to the hostname that is being logged in your pfSense logs. For example, if your firewall's hostname is just 'pfsense' then that will throw off the extraction, since I wrote mine expecting an FQDN hostname (e.g. pfsense.domain.com).

The ip_spec_4 field is supposed to extract the payload for IPv4 events. Since the fields logged are different for IPv4 vs. IPv6, I had to create the ip_spec_4 to capture the different fields.

If you look at the extraction, the ip_spec_4 should start extracting after the ip version (ip_v) starting with the 'tos' field, normally 0x0. (https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2). I know that this is for version 2.2, but the majority of the fields are the same.

Once the ip_spec has been extracted, then the fields within that IP Version can be extracted. Let me know if that helps or if you have any other questions.

Thanks,
Kam
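As an added example (not code from the Home Monitor app or from either poster): a Python parser for the pfSense 2.2+ filterlog CSV layout Kam describes. It anchors on the "filterlog:" process name instead of counting whitespace-separated tokens, so a short hostname and an FQDN both parse, and it splits the ip_spec portion by IP version before decoding the protocol-specific fields. The field names and the syslog header in the sample are my assumptions; the IPv4/TCP payload is the one quoted in the question.

```python
import re

# Field order from the pfSense 2.2+ filter log format (doc.pfsense.org,
# "Filter_Log_Format_for_pfSense_2.2"); the field names are my own choice.
COMMON = ["rule_number", "sub_rule_number", "anchor", "tracker", "real_interface",
          "reason", "action", "direction", "ip_version"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protocol_id", "protocol"]
IPV6 = ["class", "flow_label", "hop_limit", "protocol", "protocol_id"]
IP_DATA = ["length", "src_ip", "dst_ip"]
TCP = ["src_port", "dst_port", "data_length", "tcp_flags", "sequence_number",
       "ack_number", "tcp_window", "urg", "options"]
UDP = ["src_port", "dst_port", "data_length"]

# Anchor on the process name rather than on a fixed token count, so the
# hostname token ("pfsense" or "pfsense.domain.com") cannot shift the fields.
FILTERLOG_RE = re.compile(r"filterlog(?:\[\d+\])?:\s*(?P<csv>.*)$")


def parse_filterlog(line):
    """Parse one pfSense syslog line into a dict; None if it is not a filterlog event."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    parts = m.group("csv").split(",")
    fields = dict(zip(COMMON, parts))
    rest = parts[len(COMMON):]
    if fields.get("ip_version") == "4":
        ip_spec = IPV4
    elif fields.get("ip_version") == "6":
        ip_spec = IPV6
    else:
        return fields  # unknown IP version: keep only the common fields
    # Everything after ip_version is the ip_spec payload (ip_spec_4 / ip_spec_6
    # in Home Monitor); for IPv4 it starts with the tos field, normally 0x0.
    fields["ip_spec"] = ",".join(rest)
    fields.update(zip(ip_spec, rest))
    rest = rest[len(ip_spec):]
    fields.update(zip(IP_DATA, rest))
    rest = rest[len(IP_DATA):]
    if fields.get("protocol") == "tcp":
        fields.update(zip(TCP, rest))
    elif fields.get("protocol") == "udp":
        fields.update(zip(UDP, rest))
    return fields


# Constructed sample: a syslog header with a short hostname, followed by the
# IPv4/TCP payload quoted in the question above.
SAMPLE = ("Oct 12 10:00:00 pfsense filterlog: 5,16777216,,1000000103,igb0,match,block,in,4,"
          "0x0,,47,61089,0,none,6,tcp,40,77.252.229.149,173.26.98.103,60148,23,0,S,2904187495,,56516,,")

if __name__ == "__main__":
    print(parse_filterlog(SAMPLE))
```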
