Hi! What exactly is this package? How is it used? What is it for? There is no description other than "see the readme" and there is none... Thanks!
You really should put this on the page for the TA...
Anyways, the line
mwexec_bg("/usr/sbin/tcpdump -s 256 -v -S -l -n -e -ttt -i pflog0 | logger -t pf -p local0.info");
doesn't exist. but this one
mwexec_bg("/usr/sbin/{$tcpdump_cmd} | logger -t pf -p local0.info");
unmute_kernel_msgs();
does. This is as of pfSense 2.1-release. Now, the $tcpdump_cmd is defined as
$tcpdump_cmd = "tcpdump -s 256 -v -S -l -n -e -ttt -i pflog0";
A little bit earlier in the function that line sits in. Which is just a variable declaration, so whatever. I went ahead and replaced the line you mentioned and it just killed all logging output from pfSense. I tried the props and transforms configs and still nothing. Both into Splunk and on pfSense itself. I had to revert just to get my basic syslog traffic back. I'd like to see CIM compliant fields in my router's logs, but this feels hacky at best.
Yeah there is - it's in the install package. Here's what it says:
===pfSense Technology Add-on===
Author: Mika Borner
Version/Date: 1.0/05/04/2013
Supported product(s):
pfSense 2.0.x
pfSense 2.1.x
Source type(s): pfsense:filter
pfsense:syslog
Input requirements: The output for firewall filter logs has to be tweaked on pfSense. The standard syslog output is not really parsable.
In file /etc/inc/filter.inc change line
mwexec_bg("/usr/sbin/tcpdump -s 256 -v -S -l -n -e -ttt -i pflog0 | logger -t pf -p local0.info");
to
mwexec_bg("sh -c \"while(true); do /usr/sbin/tcpdump -s 256 -v -l -n -e -i pflog0 | nc -u <splunkhost> <udpport> ; done\"");
where <splunkhost> is your Splunk forwarder/indexer with <udpport> as the udp input port.
===Using this Technology Add-on===
Configuration: Manual
- pfSense filterlogs must have the sourcetype pfsense:filter assigned. This is best done with a separate udp input (e.g. 515/udp)
.../inputs.conf
[udp://515]
connection_host = dns
sourcetype = pfsense:filter
- pfSense syslog messages must have the sourcetype pfsense:syslog assigned, e.g.
.../props.conf:
[source::udp:514]
TRANSFORMS-pfsense_syslog_sourcetyping = pfsense_syslog_sourcetyping
.../transforms.conf:
[pfsense_syslog_sourcetyping]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::pfsense:syslog
REGEX = <your criteria>
SOURCE_KEY = <your criteria>
What it does is create various CIM-compliant fields and tags (CIM information, see http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/UnderstandandusetheCommonInformationMod... ).
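To make the two sourcetyping paths in that README concrete, here is a small added simulation (written for this thread, not code from the TA or from Splunk) of how the inputs.conf and props/transforms stanzas decide a sourcetype: events on the dedicated 515/udp input get pfsense:filter directly, while events on 514/udp keep the input's default sourcetype unless the transform's REGEX matches. The README leaves REGEX and SOURCE_KEY as "<your criteria>"; the regex below (match on the syslog hostname "pfsense" in _raw) and the "syslog" default for 514/udp are assumptions made for the demo, and the sample log lines are constructed.

```python
import re

# Stand-in for inputs.conf: the port an event arrived on fixes its source
# and its initial sourcetype. 514/udp defaulting to "syslog" is an assumption.
INPUTS = {
    514: {"sourcetype": "syslog"},
    515: {"sourcetype": "pfsense:filter"},   # [udp://515] stanza from the README
}

# Stand-in for the [pfsense_syslog_sourcetyping] transforms.conf stanza.
# REGEX / SOURCE_KEY are "<your criteria>" in the README; the values here are an
# assumed example: match syslog lines whose hostname field is "pfsense".
TRANSFORMS = {
    "pfsense_syslog_sourcetyping": {
        "SOURCE_KEY": "_raw",
        "REGEX": re.compile(r"^<\d+>\S+ +\d+ \d\d:\d\d:\d\d pfsense\b"),
        "FORMAT": "sourcetype::pfsense:syslog",
        "DEST_KEY": "MetaData:Sourcetype",
    }
}

# Stand-in for props.conf: which transforms run for which source.
PROPS = {"source::udp:514": ["pfsense_syslog_sourcetyping"]}

# Constructed sample events: (udp port, raw line). The pflog line is a placeholder.
SAMPLE_EVENTS = [
    (515, "00:00:01.000000 constructed pflog line from tcpdump on pflog0"),
    (514, "<13>Jan  1 00:00:02 pfsense sshd[123]: constructed syslog line"),
    (514, "<13>Jan  1 00:00:03 webserver nginx[456]: constructed syslog line"),
]


def assign_sourcetype(port, raw):
    """Return the sourcetype Splunk would end up with for one inbound event."""
    if port not in INPUTS:
        raise ValueError(f"no input configured for udp port {port}")
    event = {
        "_raw": raw,
        "source": f"udp:{port}",
        "MetaData:Sourcetype": INPUTS[port]["sourcetype"],
    }
    # Index-time transforms only run for sources props.conf names; the
    # dedicated 515/udp input therefore never reaches the regex at all.
    for name in PROPS.get(f"source::{event['source']}", []):
        t = TRANSFORMS[name]
        if t["REGEX"].search(event[t["SOURCE_KEY"]]):
            # FORMAT is "key::value"; DEST_KEY says which metadata field to set.
            _, value = t["FORMAT"].split("::", 1)
            event[t["DEST_KEY"]] = value
    return event["MetaData:Sourcetype"]


def route_all(events=SAMPLE_EVENTS):
    """Sourcetype every sample event; returns a list of (port, sourcetype)."""
    return [(port, assign_sourcetype(port, raw)) for port, raw in events]


if __name__ == "__main__":
    for port, sourcetype in route_all():
        print(f"udp:{port} -> {sourcetype}")
```

The point the simulation makes is why the README recommends a separate input for filter logs: a port-level sourcetype needs no regex and cannot misfire, whereas the 514/udp path depends entirely on how tight "<your criteria>" is, so a loose regex would quietly relabel other hosts' syslog as pfsense:syslog (or miss the firewall's own lines).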