Someone else asked this question already but no answers were posted... I am running pfSense 2.0-RC2, which produces multiline firewall logs. Shown below are six lines which should be merged into three. To test my props.conf setup I used the word "match" as the pattern for "BREAK_ONLY_BEFORE". This did not work, and so after searching the forums and hours of tweaking I need some guidance. My props.conf looks like this:
[pfsense_pf]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = match
also tried...
[pfsense_pf]
SHOULD_LINEMERGE = true
LINE_BREAKER= match
Log sample:
May 29 15:10:21 pfsense pf: 00:00:02.724781 rule 64/0(match): pass in on vr2: (tos 0x0, ttl 128, id 20219, offset 0, flags [DF], proto TCP (6), length 48)
May 29 15:10:21 pfsense pf: 10.0.1.251.59417 > 192.168.1.3.9997: Flags [S], cksum 0xc2b5 (correct), seq 1434545691, win 8192, options [mss 1460,nop,nop,sackOK], length 0
May 29 15:10:24 pfsense pf: 00:00:02.962391 rule 45/0(match): block in on vr1: (tos 0x20, ttl 114, id 14617, offset 0, flags [none], proto UDP (17), length 59)
May 29 15:10:24 pfsense pf: 92.14.58.97.34192 > 67.183.148.198.12996: UDP, length 31
May 29 15:10:30 pfsense pf: 00:00:05.301471 rule 45/0(match): block in on vr1: (tos 0x0, ttl 255, id 31114, offset 0, flags [none], proto UDP (17), length 331)
May 29 15:10:30 pfsense pf: 73.98.34.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 303, xid 0xeb5408e8, Flags [Broadcast]
Testing Steps:
1. Tweak props.conf, restart Splunk.
2. Define log file to process/monitor, set sourcetype manually to pfsense_pf.
3. Browse results in search app.
4. If successful stop, else delete input source and go to step 1.
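The tweak-restart-delete loop above is slow because every regex is tested by reindexing. The following Python script is an added example, not code from the poster or from Splunk, that checks a candidate LINE_BREAKER regex offline against the six sample lines before they ever reach props.conf. It emulates the documented LINE_BREAKER semantics (the first capture group is consumed as the break; a lookahead is tested but not consumed, so the header line stays at the front of the new event) and then parses each merged event to show the fields that only exist once the two lines are together. The SAMPLE text is constructed from the lines in the question; the regex names and the parse_event field names are this example's own.

```python
import re

# Constructed sample input: the six pf lines quoted in the question, as the
# raw text Splunk would read from the monitored file.
SAMPLE = (
    "May 29 15:10:21 pfsense pf: 00:00:02.724781 rule 64/0(match): pass in on vr2: "
    "(tos 0x0, ttl 128, id 20219, offset 0, flags [DF], proto TCP (6), length 48)\n"
    "May 29 15:10:21 pfsense pf: 10.0.1.251.59417 > 192.168.1.3.9997: Flags [S], "
    "cksum 0xc2b5 (correct), seq 1434545691, win 8192, options [mss 1460,nop,nop,sackOK], length 0\n"
    "May 29 15:10:24 pfsense pf: 00:00:02.962391 rule 45/0(match): block in on vr1: "
    "(tos 0x20, ttl 114, id 14617, offset 0, flags [none], proto UDP (17), length 59)\n"
    "May 29 15:10:24 pfsense pf: 92.14.58.97.34192 > 67.183.148.198.12996: UDP, length 31\n"
    "May 29 15:10:30 pfsense pf: 00:00:05.301471 rule 45/0(match): block in on vr1: "
    "(tos 0x0, ttl 255, id 31114, offset 0, flags [none], proto UDP (17), length 331)\n"
    "May 29 15:10:30 pfsense pf: 73.98.34.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, "
    "length 303, xid 0xeb5408e8, Flags [Broadcast]\n"
)

# Candidate props.conf value for LINE_BREAKER (meant for use with
# SHOULD_LINEMERGE = false). Group 1, the newline run, is what gets consumed
# as the break; the lookahead requires the next line to be a "rule N/M(match)"
# header, so a continuation line (src > dst) never starts a new event.
LINE_BREAKER = (
    r"([\r\n]+)"
    r"(?=\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d\s\S+\spf:\s[\d:.]+\srule\s\d+/\d+\(match\))"
)

# Field extraction for a merged event (names are this example's own).
HEADER_RE = re.compile(
    r"rule\s(?P<rule>\d+)/\d+\(match\):\s(?P<action>\w+)\s(?P<dir>\w+)\son\s(?P<iface>\w+):"
    r".*proto\s(?P<proto>\w+)"
)
FLOW_RE = re.compile(r"pf:\s(?P<src>\S+)\s>\s(?P<dst>\S+):")


def split_events(text, breaker=LINE_BREAKER):
    """Emulate LINE_BREAKER: cut the text wherever the regex matches and drop
    only what group 1 captured. re.split() returns the captured separators as
    list elements, so keep every other element and trim trailing newlines."""
    parts = re.split(breaker, text)
    events = [p.rstrip("\r\n") for p in parts[::2]]
    return [e for e in events if e]


def parse_event(event):
    """Pull the fields a merged event carries across both lines: rule, action,
    direction, interface and protocol from the header, src/dst from the
    continuation line. Raises if the event does not begin with a header."""
    lines = event.splitlines()
    header = HEADER_RE.search(lines[0])
    if header is None:
        raise ValueError("event does not start with a pf rule header: " + lines[0])
    fields = header.groupdict()
    fields["lines"] = len(lines)
    flow = FLOW_RE.search(lines[1]) if len(lines) > 1 else None
    fields["src"] = flow.group("src") if flow else None
    fields["dst"] = flow.group("dst") if flow else None
    return fields


if __name__ == "__main__":
    for ev in split_events(SAMPLE):
        print(parse_event(ev))
```

If the regex splits the sample into three two-line events here, it is safe to paste as LINE_BREAKER together with SHOULD_LINEMERGE = false. Two checks worth doing before another restart: with SHOULD_LINEMERGE = true, Splunk's BREAK_ONLY_BEFORE_DATE defaults to true, so each syslog-timestamped line starts its own event regardless of BREAK_ONLY_BEFORE unless that setting is turned off; and line breaking is applied at parse time, so the props.conf stanza has to live on the instance that parses the file (an indexer or heavy forwarder), not only on a search head or universal forwarder.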