
Home Monitor pfSense Field Extractions

Engager

I just got Splunk Enterprise 6.5 up and running with Home Monitor 4.5.1 to ingest my pfSense 2.3.2_1 logs. I'm noticing that the field extractions seem to be off in Home Monitor.

I've adjusted the following but am wondering if there are other items that may have changed from 2.3 to 2.3.x that may need to be updated in the Home Monitor app.

pfsense: EXTRACT-Application changed 9 to 7 ^(?:[^ \n]* ){7}(?P\w+)

The ip_spec_4 field seems to be off as well, but I'm not certain what it should be extracting. Current output is 0x0,,47,61089,0,none,6,tcp,40,77.252.229.149,173.26.98.103,60148,23,0,S,2904187495,,56516,, and I first thought it was the IP version, but that's covered under the ip_v field.

Splunk Employee

This could be due to the hostname that is being logged in your pfSense logs. For example, if your firewall's hostname is just 'pfsense' then that will throw off the extraction, since I wrote mine expecting an FQDN hostname (e.g. pfsense.domain.com).

The ip_spec_4 field is supposed to extract the payload for IPv4 events. Since the fields logged are different for IPv4 vs. IPv6, I had to create ip_spec_4 to capture the different fields.

If you look at the extraction, the ip_spec_4 should start extracting after the ip version (ip_v) starting with the 'tos' field, normally 0x0. (https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2). I know that this is for version 2.2, but the majority of the fields are the same.

Once the ip_spec has been extracted, then the fields within that IP Version can be extracted. Let me know if that helps or if you have any other questions.

Thanks,
Kam

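The two-stage extraction Kam describes (common fields up to ip_v, then an IPv4- or IPv6-specific spec, then protocol-specific fields) can be checked outside Splunk with a small parser. The following is an added example, not code from the Home Monitor app or from pfSense; it follows the field order in the linked pfSense 2.2 filterlog document, and the syslog prefix, rule/tracker numbers and hostnames in the sample lines are constructed, while the CSV after ip_v is the ip_spec_4 value quoted in the question. It anchors on the "filterlog:" program name rather than counting space-separated tokens, so the result is the same whether the logged hostname is a bare name or an FQDN.

```python
import re
from typing import Dict, List

# Field order per the pfSense 2.2 filterlog format (same for the bulk of 2.3.x).
COMMON = ["rule", "sub_rule", "anchor", "tracker", "interface",
          "reason", "action", "direction", "ip_v"]
IPV4_SPEC = ["tos", "ecn", "ttl", "id", "offset", "flags",
             "proto_id", "proto", "length", "src_ip", "dst_ip"]
IPV6_SPEC = ["class", "flow_label", "hop_limit", "proto", "proto_id",
             "length", "src_ip", "dst_ip"]
TCP_FIELDS = ["src_port", "dst_port", "data_length", "tcp_flags",
              "seq", "ack", "window", "urg", "options"]
UDP_FIELDS = ["src_port", "dst_port", "data_length"]

# Constructed sample lines. The CSV after the ip_v field ("4,") is the
# ip_spec_4 output quoted in the question; everything before it is made up.
IP_SPEC_4_FROM_QUESTION = ("0x0,,47,61089,0,none,6,tcp,40,77.252.229.149,"
                           "173.26.98.103,60148,23,0,S,2904187495,,56516,,")
SAMPLE_FQDN = ("Nov 10 12:00:00 pfsense.example.com filterlog: "
               "5,16777216,,1000000103,igb0,match,block,in,4,"
               + IP_SPEC_4_FROM_QUESTION)
SAMPLE_SHORT_HOST = SAMPLE_FQDN.replace("pfsense.example.com", "pfsense")


def filterlog_payload(line: str) -> str:
    """Return the CSV payload that follows 'filterlog:' (optionally with a PID)."""
    m = re.search(r"\bfilterlog(?:\[\d+\])?:\s*(.*)$", line)
    if not m:
        raise ValueError("not a pfSense filterlog line")
    return m.group(1)


def parse_filterlog(line: str) -> Dict[str, str]:
    """Stage 1: common fields up to ip_v. Stage 2: version-specific spec.
    Stage 3: protocol-specific fields that follow the spec."""
    fields: List[str] = filterlog_payload(line).split(",")
    event: Dict[str, str] = dict(zip(COMMON, fields[:len(COMMON)]))
    rest = fields[len(COMMON):]

    if event.get("ip_v") == "4":
        spec = IPV4_SPEC
        event["ip_spec_4"] = ",".join(rest)   # what the Splunk field holds
    elif event.get("ip_v") == "6":
        spec = IPV6_SPEC
        event["ip_spec_6"] = ",".join(rest)
    else:
        raise ValueError("unknown ip_v value: %r" % event.get("ip_v"))

    event.update(zip(spec, rest))
    proto_fields = rest[len(spec):]
    if event.get("proto") == "tcp":
        event.update(zip(TCP_FIELDS, proto_fields))
    elif event.get("proto") == "udp":
        event.update(zip(UDP_FIELDS, proto_fields))
    return event


if __name__ == "__main__":
    for sample in (SAMPLE_FQDN, SAMPLE_SHORT_HOST):
        ev = parse_filterlog(sample)
        print(ev["action"], ev["proto"], ev["src_ip"], "->",
              ev["dst_ip"], "port", ev["dst_port"], "flags", ev["tcp_flags"])
```

Running it prints the same blocked TCP SYN to port 23 for both the FQDN and the bare-hostname line, and ip_spec_4 on the parsed event equals the string from the question, with tos as its first value.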