
what is this package for?

luisp
New Member

Hi! What exactly is this package? How is it used? What is it for? There is no description other than "see the readme" and there is none... Thanks!


ianyoung1987
New Member

You really should put this on the page for the TA...

Anyways, the line

mwexec_bg("/usr/sbin/tcpdump -s 256 -v -S -l -n -e -ttt -i pflog0 | logger -t pf -p local0.info");

doesn't exist. but this one

mwexec_bg("/usr/sbin/{$tcpdump_cmd} | logger -t pf -p local0.info");
unmute_kernel_msgs();

does. This is as of pfSense 2.1-release. Now, the $tcpdump_cmd is defined as

$tcpdump_cmd = "tcpdump -s 256 -v -S -l -n -e -ttt -i pflog0";

A little bit earlier in the function that line sits in. Which is just a variable declaration, so whatever. I went ahead and replaced the line you mentioned and it just killed all logging output from pfSense. I tried the props and transform configs and still nothing. Both into Splunk and on pfSense itself. I had to revert just to get my basic syslog traffic back. I'd like to see CIM compliant fields in my router's logs, but this feels hacky at best.


Ayn
Legend

Yeah there is - it's in the install package. Here's what it says:

===pfSense Technology Add-on===

   Author: Mika Borner

   Version/Date: 1.0/05/04/2013

   Supported product(s): pfSense 2.0.x
                         pfSense 2.1.x

   Source type(s): pfsense:filter
                   pfsense:syslog

   Input requirements: The output for firewall filter logs has to be tweaked on pfSense. The standard syslog output is not really parsable.

       In file /etc/inc/filter.inc change line 

         mwexec_bg("/usr/sbin/tcpdump -s 256 -v -S -l -n -e -ttt -i pflog0 | logger -t pf -p local0.info");

       to

         mwexec_bg("sh -c \"while(true); do /usr/sbin/tcpdump -s 256 -v -l -n -e -i pflog0 | nc -u <splunkhost> <udpport> ; done\""); 

       where <splunkhost> is your Splunk forwarder/indexer with <udpport> as the UDP input port.

   ===Using this Technology Add-on===

   Configuration: Manual

   - pfSense filterlogs must have the sourcetype pfsense:filter assigned. This is best done with a separate udp input (e.g. 515/udp)

   .../inputs.conf
   [udp://515]
   connection_host = dns
   sourcetype = pfsense:filter

   - pfSense syslog messages must have the sourcetype pfsense:syslog assigned, e.g.

   .../props.conf:
   [source::udp:514]
   TRANSFORMS-pfsense_syslog_sourcetyping = pfsense_syslog_sourcetyping

   .../transforms.conf:
   [pfsense_syslog_sourcetyping]
   DEST_KEY = MetaData:Sourcetype
   FORMAT = sourcetype::pfsense:syslog
   REGEX = <your criteria>
   SOURCE_KEY = <your criteria>

What it does is create various CIM-compliant fields and tags (for CIM information, see http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/UnderstandandusetheCommonInformationMod... ).
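As an added check, not part of the TA or the README quoted above, the following Python parses the three .conf fragments from the answer and reports what still needs attention before the two sourcetypes line up: a props.conf TRANSFORMS- key pointing at a transform that is not defined, the README's <your criteria> placeholders left unfilled, and an expected sourcetype that nothing assigns. The sample configs are constructed from the README text; the validation logic is my own assumption about a sensible check, not Splunk's own parser.

```python
import re
# Constructed sample: the three fragments quoted in the README, placeholders unfilled.
INPUTS_CONF = """[udp://515]
connection_host = dns
sourcetype = pfsense:filter
"""
PROPS_CONF = """[source::udp:514]
TRANSFORMS-pfsense_syslog_sourcetyping = pfsense_syslog_sourcetyping
"""
TRANSFORMS_CONF = """[pfsense_syslog_sourcetyping]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::pfsense:syslog
REGEX = <your criteria>
SOURCE_KEY = <your criteria>
"""

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}; comments are skipped."""
    stanzas, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def check_sourcetyping(inputs, props, transforms,
                       expected=("pfsense:filter", "pfsense:syslog")):
    """Return the list of things still to fix before the TA's field extractions can apply."""
    problems = []
    assigned = {s["sourcetype"] for s in inputs.values() if "sourcetype" in s}
    for stanza, keys in props.items():
        for key, name in keys.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            transform = transforms.get(name)
            if transform is None:  # props.conf points at a transform that does not exist
                problems.append(f"[{stanza}] {key} references missing transform '{name}'")
                continue
            for tkey, tval in transform.items():
                if re.fullmatch(r"<[^>]*>", tval):  # README placeholder left in place
                    problems.append(f"[{name}] {tkey} still set to placeholder {tval}")
            fmt = transform.get("FORMAT", "")
            if fmt.startswith("sourcetype::"):
                assigned.add(fmt.split("::", 1)[1])
    problems += [f"no input or transform assigns sourcetype {st}"
                 for st in expected if st not in assigned]
    return problems
```

Run it against your own inputs.conf, props.conf and transforms.conf before expecting pfsense:filter and pfsense:syslog events to pick up the TA's fields.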
