
TA-pfsense sourcetyping only catching filterlog

token2
Path Finder

Running into an issue where TA-pfsense is only creating three sourcetypes:
pfsense:filterlog
pfsense:dhclient
pfsense

I'm not that Splunk savvy. Looking at the props and transforms, and then at the data in Splunk (_raw), I'm wondering if the lack of time being in the raw log is throwing off the transforms that create the sourcetype.

example raw log not getting sourcetyped by the app (so ends up with sourcetype=pfsense)

/index.php: User logged out for user 'admin' from: 192.168.1.151 (Local Database)

OR

sendmsg: Permission denied

Example of raw log getting sourcetyped as pfsense:dhclient which is not addressed in the props.

Mar 28 22:13:03 dhclient: FAIL

Looking at the transforms:

[pfsense_sourcetyper]
REGEX = \w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?:[\w.]+\s)?(\w+)

I'm assuming it gets past the time stamp, and the following is what gets grabbed as sourcetype to append to pfsense:
With this assumption, the raw logs without time in the raw simply get sourcetyped pfsense.

This is causing OpenVPN logs, nginx, dhcpd etc to not accurately get sourcetyped and fields extracted as they are sourcetyped simply 'pfsense'.

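To check the assumption in the post, here is an added example (not from the TA-pfsense app or the thread) that runs the quoted pfsense_sourcetyper REGEX over the raw events quoted above, plus one constructed event with a hostname, and reports the sourcetype each would get. It assumes the stanza's FORMAT appends capture group 1 to `pfsense:` (the FORMAT line is not shown in the post), and it also includes a hypothetical variant regex with an optional syslog header to illustrate how timestamp-less lines could still be classified; that variant is an illustration, not the linked solution.

```python
import re

# Regex copied verbatim from the [pfsense_sourcetyper] stanza quoted in the post.
# Splunk applies a transforms REGEX to _raw as an unanchored search, hence re.search().
SOURCETYPER_REGEX = re.compile(
    r"\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?:[\w.]+\s)?(\w+)"
)

# Hypothetical variant (an assumption, not from the TA or the linked thread):
# the syslog header becomes optional and the match is anchored to the start of
# the event, so a timestamp-less line is classified by its leading process name.
OPTIONAL_HEADER_REGEX = re.compile(
    r"^(?:\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?:[\w.]+\s)?)?(\w+)"
)

# Assumption: FORMAT is sourcetype::pfsense:$1 (the FORMAT line is not shown in
# the post; this mirrors the poster's description of what gets appended).
FALLBACK = "pfsense"


def derive_sourcetype(raw, regex=SOURCETYPER_REGEX):
    """Return the sourcetype the transform would assign to one raw event."""
    m = regex.search(raw)
    return f"pfsense:{m.group(1)}" if m else FALLBACK


# Sample events: the first three are quoted from the post; the last is constructed
# to show the optional hostname group consuming a host before the process name.
SAMPLE_EVENTS = [
    "/index.php: User logged out for user 'admin' from: 192.168.1.151 (Local Database)",
    "sendmsg: Permission denied",
    "Mar 28 22:13:03 dhclient: FAIL",
    "Mar 28 22:13:03 pfsense openvpn[12345]: Initialization Sequence Completed",  # constructed
]


def classify_all(events=SAMPLE_EVENTS, regex=SOURCETYPER_REGEX):
    """Map each raw event to the sourcetype the given regex would produce."""
    return {raw: derive_sourcetype(raw, regex) for raw in events}


if __name__ == "__main__":
    for label, rx in (("original", SOURCETYPER_REGEX), ("optional header", OPTIONAL_HEADER_REGEX)):
        print(f"--- {label} regex ---")
        for raw, st in classify_all(regex=rx).items():
            print(f"{st:20} <- {raw}")
```

With the original regex the two timestamp-less events fall back to plain `pfsense`, which matches what the post observes, while the dhclient line yields `pfsense:dhclient`.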

pkt_nspktr
Explorer

@token2, I had a similar issue, and documented my solution here: https://community.splunk.com/t5/All-Apps-and-Add-ons/TA-pfsense-transforms-conf-pfsense-sourcetyper-.... Take a look and see if that helps you any.
