All Apps and Add-ons

TA-pfsense sourcetyping only catching filterlog

Path Finder

Running into an issue where TA-pfsense is only creating three sourcetypes-

I'm not that Splunk savey. Looking at the props and transforms, and then the data in splunk (_raw). I'm wondering if the lack of time being in the raw log is throwing off the transforms to create sourcetype.

example raw log not getting sourcetyped by the app (so ends up with sourcetype=pfsense)

/index.php: User logged out for user 'admin' from: (Local Database)


sendmsg: Permission denied

Example of raw log getting sourcetyped as pfsense:dhclient which is not addressed in the props.

Mar 28 22:13:03 dhclient: FAIL

Looking at the transforms'

REGEX = \w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?:[\w.]+\s)?(\w+)

I'm assuming it gets past the time stamp, and the following is what gets grabbed as sourcetype to append to pfsense:
With this assumption, the raw logs without time in the raw simply get sourcetyped pfsense.

This is causing OpenVPN logs, nginx, dhcpd etc to not accurately get sourcetyped and fields extracted as they are sourcetyped simply 'pfsense'.

Tags (1)


@token2, I had a similar issue, and documented my solution here:  Take a look and see if that helps you any.

0 Karma
Get Updates on the Splunk Community!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...