
TA-pfsense sourcetyping only catching filterlog

token2
Path Finder

Running into an issue where TA-pfsense is only creating three sourcetypes:
pfsense:filterlog
pfsense:dhclient
pfsense

I'm not that Splunk savvy. Looking at the props and transforms, and then the data in Splunk (_raw), I'm wondering if the lack of time being in the raw log is throwing off the transforms to create the sourcetype.

example raw log not getting sourcetyped by the app (so ends up with sourcetype=pfsense)

/index.php: User logged out for user 'admin' from: 192.168.1.151 (Local Database)

OR

sendmsg: Permission denied

Example of raw log getting sourcetyped as pfsense:dhclient which is not addressed in the props.

Mar 28 22:13:03 dhclient: FAIL

Looking at the transforms:

[pfsense_sourcetyper]
REGEX = \w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?:[\w.]+\s)?(\w+)

I'm assuming it gets past the time stamp, and the following is what gets grabbed as sourcetype to append to pfsense:
With this assumption, the raw logs without time in the raw simply get sourcetyped pfsense.

This is causing OpenVPN logs, nginx, dhcpd, etc. to not accurately get sourcetyped and fields extracted, as they are sourcetyped simply 'pfsense'.

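To see the behaviour described above, here is an added example (not part of the original post or of TA-pfsense) that applies the page's pfsense_sourcetyper regex to the sample events from the post plus two constructed lines; the hostname and the openvpn/nginx events are assumptions for illustration.

```python
import re

# Regex copied verbatim from the [pfsense_sourcetyper] transform quoted above.
SOURCETYPER_REGEX = re.compile(
    r"\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?:[\w.]+\s)?(\w+)"
)


def assign_sourcetype(raw_event: str, default: str = "pfsense") -> str:
    """Mimic the transform: the first word after the syslog timestamp
    (and optional hostname) is appended to 'pfsense:'. Events with no
    leading timestamp never match, so they keep the default sourcetype."""
    m = SOURCETYPER_REGEX.search(raw_event)
    if m is None:
        return default
    return f"{default}:{m.group(1)}"


# Constructed sample events: the first three are taken from the post,
# the last two are invented to show the hostname and nginx cases.
SAMPLE_EVENTS = [
    "/index.php: User logged out for user 'admin' from: 192.168.1.151 (Local Database)",
    "sendmsg: Permission denied",
    "Mar 28 22:13:03 dhclient: FAIL",
    "Mar 28 22:14:10 fw01.example.net openvpn[5412]: peer-id mismatch (constructed)",
    'Mar 28 22:14:11 nginx: 192.168.1.151 - - "GET / HTTP/1.1" 200 (constructed)',
]


def classify_all(events):
    """Return a mapping of raw event -> sourcetype the transform would assign."""
    return {event: assign_sourcetype(event) for event in events}


if __name__ == "__main__":
    for event, sourcetype in classify_all(SAMPLE_EVENTS).items():
        print(f"{sourcetype:18s} <- {event}")
```

Running it shows the two timestamp-less events falling back to plain pfsense, while every line that starts with a syslog timestamp gets pfsense:<process> regardless of whether a hostname sits between the timestamp and the process name.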

pkt_nspktr
Explorer

@token2, I had a similar issue, and documented my solution here: https://community.splunk.com/t5/All-Apps-and-Add-ons/TA-pfsense-transforms-conf-pfsense-sourcetyper-.... Take a look and see if that helps you any.
