I've recently installed Splunk to begin learning how to use it, and the first thing I wanted to do was parse the logs from a pfsense firewall. I believe that the TA-pfsense application is meant to help parse the syslog information, but despite my best efforts I cannot get it working.
My environment has the following:
Splunk - 8.1.3 (single instance)
pfSense - 21.02.2 sending logs in syslog format
TA-pfsense v2.5 release March 3, 2021
Splunk is receiving the syslog events into an index called 'network' and the events are labelled with the default pfsense sourcetype but this is not being parsed into the various other types of pfsense:filterlog, pfsense:unbound etc.
I grabbed the REGEX string from transforms.conf and did some testing against the events getting pulled into Splunk; it seems like the string is not formatted for the logs I have.
I made the following changes:
Original: REGEX = \w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?:[\w.]+\s)?(\w+)
Updated: REGEX = \w{1,3}\s\w{4}-\w{1,2}-\w{1,2}T\d{1,2}:\d{1,2}:\d{1,2}.\d{1,6}-\d{1,2}:\w{1,2}\s\w+.?\w+.?\w+(?:[\w.]+\s)?(\w+)
Admittedly I am very new to regex, so the above might be less than ideal, but it does seem to parse out the sourcetype. However, after crossing that hurdle it seems like all of the EXTRACT statements also don't match the log format Splunk is gathering.
Is anyone else running a current version of pfSense with the latest TA-pfsense application and having similar issues?
Any pointers would be appreciated. I've searched around but have not seen any current posts with people reporting a similar issue.
Thanks!
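An added worked example (not part of the original post, and not TA-pfsense's own code) that puts the two transform regexes quoted above side by side with a third pattern that accepts both header styles and maps the program name to a `pfsense:<program>` sourcetype. The sample events are constructed to look like a BSD-style syslog header and an RFC 5424 (ISO-8601 timestamp) header; the hostname, addresses and the exact RFC 5424 field layout are assumptions, not captured output. Splunk applies a transforms.conf REGEX unanchored, so `re.search` is used here to mirror that.

```python
import re

# Transform regex quoted in the post (BSD syslog header: "Mar  3 12:00:00 host program").
ORIGINAL_RE = re.compile(r"\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?:[\w.]+\s)?(\w+)")

# The poster's replacement regex for the ISO-8601 header.
UPDATED_RE = re.compile(
    r"\w{1,3}\s\w{4}-\w{1,2}-\w{1,2}T\d{1,2}:\d{1,2}:\d{1,2}.\d{1,6}-\d{1,2}:\w{1,2}"
    r"\s\w+.?\w+.?\w+(?:[\w.]+\s)?(\w+)"
)

# Assumption: a single regex that accepts either header form, so one transform keeps
# working whichever syslog format the firewall is configured to send.
COMBINED_RE = re.compile(
    r"^(?:<\d{1,3}>)?"                                   # optional <PRI> prefix
    r"(?:"
    r"\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}"               # BSD: "Mar  3 12:00:00"
    r"|"
    r"1\s\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}"           # RFC 5424: "1 2021-03-03T12:00:00"
    r"(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})"              # optional fraction, zone offset
    r")"
    r"\s(?:(?P<host>[\w.-]+)\s)?"                        # hostname (absent on local syslog)
    r"(?P<program>\w+)"                                  # program name -> sourcetype
)

# Constructed sample events (RFC 5737 documentation addresses); not real firewall output.
BSD_LINE = ("Mar  3 12:00:00 pfsense filterlog: 4,,,1000000103,igb0,match,block,in,4,"
            "0x0,,64,0,0,DF,6,tcp,60,192.0.2.10,198.51.100.5,51234,443,0,S,1,,1460,")
RFC5424_LINE = ("1 2021-03-03T12:00:00.123456-05:00 pfSense.example.net filterlog 61987 - - "
                "4,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,"
                "192.0.2.10,198.51.100.5,51234,443,0,S,1,,1460,")
UNBOUND_LINE = ("1 2021-03-03T12:00:01.000000-05:00 pfSense.example.net unbound 12345 - - "
                "[12345:0] info: 192.0.2.10 www.example.com. A IN")


def program_name(pattern, line):
    """Return the first capture group of `pattern` on `line`, or None when it does not match."""
    m = pattern.search(line)
    return m.group(1) if m else None


def sourcetype_for(line):
    """Map an event to a pfsense:<program> sourcetype, as TA-pfsense names them
    (pfsense:filterlog, pfsense:unbound); unrecognised headers keep the default."""
    m = COMBINED_RE.search(line)
    if not m:
        return "pfsense"
    return "pfsense:" + m.group("program").lower()


if __name__ == "__main__":
    for name, line in [("BSD", BSD_LINE), ("RFC5424", RFC5424_LINE), ("unbound", UNBOUND_LINE)]:
        print(f"{name:8} original={program_name(ORIGINAL_RE, line)!s:10} "
              f"updated={program_name(UPDATED_RE, line)!s:10} -> {sourcetype_for(line)}")
```

Running it shows why the shipped transform stops matching once the timestamp changes: ORIGINAL_RE only fires on the BSD line and UPDATED_RE only on the ISO-8601 lines (the poster's `\w+.?\w+.?\w+` hostname clause only reaches the program name by backtracking into the hostname, which is why the unescaped dots are worth tightening). The combined pattern returns the same program name for either header, which is the value the sourcetype routing and any downstream EXTRACT statements depend on.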