Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Parsing pfSense logs

ketchapay
New Member
‎01-11-2011 01:01 AM

We're running some pfSense (FreeBSD-based firewall) on our network and dumping it to a dedicated syslog-ng server. When splunk reads the dumped files in syslog, it doesn't break it apart into fields which is what I expected. pfSense uses the pf (packet filter) tool originally from OpenBSD to manage the firewall rules.

Here's a sample line from the log:

Jan 11 07:28:30 141.102.4.254 pf: 000145 rule 141/0(match): block in on bge0: (tos 0x0, ttl 128, id 58078, offset 0, flags [none], proto UDP (17), length 1052) 141.102.12.99.1137 > 188.40.123.111.24460: UDP, length 1024
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

s0mmy1
Engager
‎02-06-2012 08:12 PM

I just created a blog entry on how I was able to parse the pfSense files. It works for me and hopefully will work for you too. http://blog.basementpctech.com/2012/02/splunk-and-pfsense-what-pair.html

View solution in original post

Reply
Solved! Jump to solution
Solution

s0mmy1
Engager
‎02-06-2012 08:12 PM

I just created a blog entry on how I was able to parse the pfSense files. It works for me and hopefully will work for you too. http://blog.basementpctech.com/2012/02/splunk-and-pfsense-what-pair.html

Reply
Solved! Jump to solution

araitz
Splunk Employee
Splunk Employee
‎02-06-2012 09:51 PM

Great addition to the community! Thanks!

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎06-01-2011 02:56 PM

Try looking here for more info: Parsing pfSense Logs Part 2

Short answer: When setting up the input file, assign a manual sourcetype of pfSense

Then include the following in props.conf

[pfSense]
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=match

You will probably have to define the fields yourself. There are a couple of ways to do that:

Overview of Search-Time Field Extractions has an overview

Create search-time field extractions by editing configuration files - this is my preferred way to do this


Note: you do not want to use index-time extractions.

Reply
Solved! Jump to solution

dont
New Member
‎03-31-2011 04:35 AM

What is the easiest way to package up a chunk of logs for you to look at ?

And where should I send it ?

Thanks,

-d

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎01-11-2011 03:54 AM

It would be helpful to see a sample of what these log files or lines look like.

0 Karma
Reply
Get Updates on the Splunk Community!

The OpenTelemetry Certified Associate (OTCA) Exam

What’s this OTCA exam? The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...

From Manual to Agentic: Level Up Your SOC at Cisco Live

Welcome to the Era of the Agentic SOC   Are you tired of being a manual alert responder? The security ...

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Welcome back to Splunk Classroom Chronicles, our ongoing series where we shine a light on what really happens ...