What is this package for?

luisp (New Member)

Hi! What exactly is this package? How is it used? What is it for? There is no description other than "see the readme", and there is none... Thanks!


ianyoung1987 (New Member)

You really should put this on the page for the TA...

Anyways, the line

mwexec_bg("/usr/sbin/tcpdump -s 256 -v -S -l -n -e -ttt -i pflog0 | logger -t pf -p local0.info");

doesn't exist. but this one

mwexec_bg("/usr/sbin/{$tcpdump_cmd} | logger -t pf -p local0.info");
unmute_kernel_msgs();

does. This is as of pfSense 2.1-release. Now, the $tcpdump_cmd is defined as

$tcpdump_cmd = "tcpdump -s 256 -v -S -l -n -e -ttt -i pflog0";

A little bit earlier in the function that line sits in, which is just a variable declaration, so whatever. I went ahead and replaced the line you mentioned, and it just killed all logging output from pfSense. I tried the props and transforms configs and still nothing, both into Splunk and on pfSense itself. I had to revert just to get my basic syslog traffic back. I'd like to see CIM-compliant fields in my router's logs, but this feels hacky at best.


Ayn (Legend)

Yeah, there is; it's in the install package. Here's what it says:

===pfSense Technology Add-on===

   Author: Mika Borner

   Version/Date: 1.0/05/04/2013

   Supported product(s): pfSense 2.0.x
                         pfSense 2.1.x

   Source type(s): pfsense:filter
                   pfsense:syslog

   Input requirements: The output for firewall filter logs has to be tweaked on pfSense. The standard syslog output is not really parsable.

       In file /etc/inc/filter.inc change line 

         mwexec_bg("/usr/sbin/tcpdump -s 256 -v -S -l -n -e -ttt -i pflog0 | logger -t pf -p local0.info");

       to

         mwexec_bg("sh -c \"while(true); do /usr/sbin/tcpdump -s 256 -v -l -n -e -i pflog0 | nc -u <splunkhost> <udpport> ; done\""); 

       where <splunkhost> is your Splunk forwarder/indexer and <udpport> is the UDP input port.

   ===Using this Technology Add-on===

   Configuration: Manual

   - pfSense filterlogs must have the sourcetype pfsense:filter assigned. This is best done with a separate udp input (e.g. 515/udp)

   .../inputs.conf
   [udp://515]
   connection_host = dns
   sourcetype = pfsense:filter

   -pfSense syslog messages must have the sourcetype pfsense:syslog assigned, e.g.

   .../props.conf:
   [source::udp:514]
   TRANSFORMS-pfsense_syslog_sourcetyping = pfsense_syslog_sourcetyping

   .../transforms.conf:
   [pfsense_syslog_sourcetyping]
   DEST_KEY = MetaData:Sourcetype
   FORMAT = sourcetype::pfsense:syslog
   REGEX = <your criteria>
   SOURCE_KEY = <your criteria>

What it does is create various CIM-compliant fields and tags (for CIM information, see http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/UnderstandandusetheCommonInformationMod... ).
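To make concrete what "the standard syslog output is not really parsable" and "CIM compliant fields" mean in practice, here is an added example (not code from the pfSense TA or from Mika Borner) that parses the per-packet lines tcpdump writes on pflog0 into fields named after the CIM Network Traffic data model. The sample lines are constructed to approximate the shape of `tcpdump -v -n -e -i pflog0` output for IPv4 (`rule N/M(reason): action dir on iface: (ip header) src.port > dst.port: ...`); they are not captured from a real firewall, and real output varies by tcpdump version. Both the README's original `-ttt` (delta timestamp) and its replacement (absolute timestamp) print the leading time in the same `HH:MM:SS.ffffff` shape, so one pattern covers both. The `interface` and `reason` keys are my own additions beyond the CIM names.

```python
import re
from typing import Optional

# Constructed sample lines approximating tcpdump's pflog output (illustrative only).
SAMPLE_LINES = [
    "00:00:00.000000 rule 5/0(match): block in on em0: (tos 0x0, ttl 64, id 31337, "
    "offset 0, flags [DF], proto TCP (6), length 60) 203.0.113.45.51234 > 192.0.2.10.22: "
    "Flags [S], seq 123456789, win 65535, options [mss 1460], length 0",
    "00:00:00.041233 rule 12/0(match): pass out on em1: (tos 0x0, ttl 64, id 0, "
    "offset 0, flags [DF], proto UDP (17), length 60) 192.0.2.10.53211 > 198.51.100.1.53: "
    "4567+ A? example.com. (32)",
    "00:00:01.002000 rule 5/0(match): block in on em0: (tos 0x0, ttl 48, id 2, "
    "offset 0, flags [none], proto ICMP (1), length 84) 203.0.113.9 > 192.0.2.10: "
    "ICMP echo request, id 1, seq 1, length 64",
]

# Leading timestamp, pf rule/action/direction/interface, the -v IP header in
# parentheses (lazy match, since "proto TCP (6)" nests a parenthesis), then the
# two endpoints. IPv4 only: IPv6 endpoints contain colons and would need a
# different endpoint grammar.
PFLOG_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"rule\s+(?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[\w-]+)\):\s+"
    r"(?P<action>\w+)\s+(?P<direction>in|out)\s+on\s+(?P<iface>\S+):\s+"
    r"\((?P<iphdr>.*?)\)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>[^\s:]+):"
)

# pf action words mapped to the CIM Network Traffic "action" values.
ACTION_MAP = {"block": "blocked", "pass": "allowed"}


def _split_host_port(token: str):
    """tcpdump -n prints IPv4 endpoints as A.B.C.D.port; ICMP lines carry no port."""
    parts = token.split(".")
    if len(parts) == 5 and all(p.isdigit() for p in parts):
        return ".".join(parts[:4]), int(parts[4])
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return token, None
    raise ValueError(f"unrecognised IPv4 endpoint {token!r}")


def parse_pflog_line(line: str) -> Optional[dict]:
    """Return a dict of CIM-style fields for one pflog line, or None if it is not one."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    proto = re.search(r"proto (\w+) \((\d+)\)", g["iphdr"])
    length = re.search(r"length (\d+)", g["iphdr"])
    try:
        src_ip, src_port = _split_host_port(g["src"])
        dest_ip, dest_port = _split_host_port(g["dst"])
    except ValueError:
        return None
    return {
        "action": ACTION_MAP.get(g["action"], g["action"]),
        "direction": "inbound" if g["direction"] == "in" else "outbound",
        "rule": g["rule"],
        "reason": g["reason"],          # not a CIM name; illustrative
        "interface": g["iface"],        # not a CIM name; illustrative
        "transport": proto.group(1).lower() if proto else None,
        "bytes": int(length.group(1)) if length else None,
        "src_ip": src_ip,
        "src_port": src_port,
        "dest_ip": dest_ip,
        "dest_port": dest_port,
    }


def parse_all(lines):
    """Parse a stream, skipping non-filter lines (e.g. ordinary pfSense syslog) instead of dying."""
    return [rec for rec in (parse_pflog_line(ln) for ln in lines) if rec is not None]


if __name__ == "__main__":
    for rec in parse_all(SAMPLE_LINES):
        # Emitting key=value pairs is enough for Splunk's automatic field extraction.
        print(" ".join(f"{k}={v}" for k, v in rec.items() if v is not None))
```

Two practical notes. First, the README's replacement line streams every logged packet header in clear text over unauthenticated UDP (`nc -u`) to `<splunkhost>`, so keep that path on a management network or hand the stream to a local forwarder rather than crossing untrusted segments. Second, `parse_all` deliberately drops lines it cannot match rather than raising; if you are replacing the pfSense filter pipeline as described above, test the parser against a real capture from your pfSense version before cutting over, since an unmatched format silently yields no events.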
