How to troubleshoot why my PFsense logs are not ge...

gosports · ‎11-05-2015

I have PFsense sending logs to Splunk running on Ubuntu 14.04 server. When I check pfsense internal logs, everything works fine, but when I go to Splunk, it shows me output that's not in pfsense and the date is far off.

11/5/10 11:59:59.000 PM  Nov  4 23:59:59 10.0.0.10 Nov  5 05:00:00 /usr/sbin/cron[77798]: (root) CMD (/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout)

host = 10.0.0.10
source = udp:514
sourcetype = pfsense

When I check the count on the main page in Splunk, I see the right count and time, but when I click on the host, that's what I see. I tried to restart Splunk, but didn't help.
Please, suggest what could be the issue. Thanks

jterry · ‎10-11-2016

i'm not familiar w/PFsense & the log format it emits but it sounds like the fields are not being recognize/parsed correctly by Splunk.
In the absence of a TA that might supply the needed sourcetype definition, you may have to define one.

How to troubleshoot why my PFsense logs are not getting indexed correctly and logs stop at 11:59:59?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How to troubleshoot why my PFsense logs are not getting indexed correctly and logs stop at 11:59:59?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem