pfsense 2.4.1 logs not parsed or displayed properly


apt...@gmail.com

Nov 6, 2017, 6:07:53 AM11/6/17
to security-onion
I am forwarding logs from pfsense 2.4.1 to Security Onion 2017 Beta. The log count in Kibana increases and it displays the _id but it doesn't display anything else.

The following is what is displayed in Kibana when searching for pfsense.

tags: syslogng, syslog, _grokparsefailure, pfsense, firewall
syslog-priority: info
logstash_time: 0.001
message: 5,,,1000000003,igb0,match,block,in,6,0x00,0x00000,255,ICMPv6,58,48,fe80::201:5cff:fe67:b246,ff02::1,
type: firewall
syslog-host: 10.xx.xxx.x
@timestamp: November 5th 2017, 18:47:08.760
port: 45614
syslog-legacy_msghdr: filterlog:
syslog-facility: local0
@version: 1
host: 172.xx.x.x
syslog-tags: .source.s_network
syslog-host_from: 10.xx.xxx.x
syslog-sourceip: 10.xx.xxx.x
_id: AV-Oy5navmYTjGe8bJRO
_type: firewall
_index: onion:logstash-syslog-2017.11.06
_score: -

I am assuming the _grokparsefailure message above is the issue.
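As an added example (not code from this thread, nor Security Onion's own Logstash configuration), here is a small Python parser for the pfSense filterlog CSV format that appears in the `message` field above, so the fields behind the `_grokparsefailure` can be seen by name. The field layout it assumes is the one pfSense documents for filterlog (9 common fields, then an IPv4 or IPv6 header block, then protocol-specific fields); the IPv4 UDP line is a constructed sample.

```python
"""Parse pfSense filterlog CSV lines such as the `message` field in the thread.

Assumed layout (from the pfSense filterlog format description):
  9 common fields, then 11 IPv4 header fields or 8 IPv6 header fields,
  then protocol-specific fields (TCP/UDP: ports first; others kept verbatim).
"""
from typing import Any, Dict, List

COMMON = ["rule_number", "sub_rule", "anchor", "tracker_id", "interface",
          "reason", "action", "direction", "ip_version"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protocol_id",
        "protocol", "length", "src_ip", "dst_ip"]
IPV6 = ["traffic_class", "flow_label", "hop_limit", "protocol",
        "protocol_id", "length", "src_ip", "dst_ip"]


def parse_filterlog(message: str) -> Dict[str, Any]:
    """Return named fields for one filterlog line; raise ValueError if truncated."""
    fields: List[str] = message.rstrip("\n").split(",")
    if len(fields) < len(COMMON):
        raise ValueError("truncated filterlog line: %r" % message)
    rec: Dict[str, Any] = dict(zip(COMMON, fields[: len(COMMON)]))
    rest = fields[len(COMMON):]
    layout = {"4": IPV4, "6": IPV6}.get(rec["ip_version"])
    if layout is None or len(rest) < len(layout):
        raise ValueError("unknown or truncated IP header block: %r" % message)
    rec.update(zip(layout, rest[: len(layout)]))
    extra = rest[len(layout):]
    if rec["protocol"].lower() in ("tcp", "udp") and len(extra) >= 2:
        rec["src_port"], rec["dst_port"] = extra[0], extra[1]
    # Remaining protocol-specific fields kept verbatim; trailing empty field dropped.
    rec["extra"] = [f for f in extra if f]
    return rec


# Constructed samples: the IPv6 ICMPv6 line from the thread, plus an IPv4 UDP line.
SAMPLE_V6 = ("5,,,1000000003,igb0,match,block,in,6,0x00,0x00000,255,ICMPv6,58,48,"
             "fe80::201:5cff:fe67:b246,ff02::1,")
SAMPLE_V4 = ("5,,,1000000003,igb0,match,block,in,4,0x0,,64,12345,0,DF,17,udp,60,"
             "192.0.2.10,198.51.100.5,51515,53,40")

if __name__ == "__main__":
    for line in (SAMPLE_V6, SAMPLE_V4):
        r = parse_filterlog(line)
        print(r["action"], r["direction"], r["interface"], r["protocol"],
              r["src_ip"], "->", r["dst_ip"], r.get("dst_port", ""))
```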

Wes

Nov 6, 2017, 8:13:30 AM11/6/17
to security-onion

Thanks for reporting this issue! I have confirmed that the config file for pfsense logs is not properly parsing the format presented by 2.4.1.

This has already been added to our Elastic RC1 Issue page and should be addressed soon:

https://github.com/Security-Onion-Solutions/security-onion/issues/1132

Please let us know if you have any other feedback, and/or any other issue(s) in a separate thread.

Thanks,
Wes
