Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Parsing pfSense logs

ketchapay
New Member
‎01-11-2011 01:01 AM

We're running some pfSense (FreeBSD-based firewall) on our network and dumping it to a dedicated syslog-ng server. When splunk reads the dumped files in syslog, it doesn't break it apart into fields which is what I expected. pfSense uses the pf (packet filter) tool originally from OpenBSD to manage the firewall rules.

Here's a sample line from the log:

Jan 11 07:28:30 141.102.4.254 pf: 000145 rule 141/0(match): block in on bge0: (tos 0x0, ttl 128, id 58078, offset 0, flags [none], proto UDP (17), length 1052) 141.102.12.99.1137 > 188.40.123.111.24460: UDP, length 1024
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

s0mmy1
Engager
‎02-06-2012 08:12 PM

I just created a blog entry on how I was able to parse the pfSense files. It works for me and hopefully will work for you too. http://blog.basementpctech.com/2012/02/splunk-and-pfsense-what-pair.html

View solution in original post

Reply
Solved! Jump to solution
Solution

s0mmy1
Engager
‎02-06-2012 08:12 PM

I just created a blog entry on how I was able to parse the pfSense files. It works for me and hopefully will work for you too. http://blog.basementpctech.com/2012/02/splunk-and-pfsense-what-pair.html

Reply
Solved! Jump to solution

araitz
Splunk Employee
Splunk Employee
‎02-06-2012 09:51 PM

Great addition to the community! Thanks!

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎06-01-2011 02:56 PM

Try looking here for more info: Parsing pfSense Logs Part 2

Short answer: When setting up the input file, assign a manual sourcetype of pfSense

Then include the following in props.conf

[pfSense]
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=match

You will probably have to define the fields yourself. There are a couple of ways to do that:

Overview of Search-Time Field Extractions has an overview

Create search-time field extractions by editing configuration files - this is my preferred way to do this


Note: you do not want to use index-time extractions.

Reply
Solved! Jump to solution

dont
New Member
‎03-31-2011 04:35 AM

What is the easiest way to package up a chunk of logs for you to look at ?

And where should I send it ?

Thanks,

-d

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎01-11-2011 03:54 AM

It would be helpful to see a sample of what these log files or lines look like.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...