
Home Monitor: How do I configure Splunk and the app to get pfSense 2.2 firewall logs properly parsed and indexed?

hgafarov
Engager

Good day.

I can't get any info about how I can do this. When I add input from UDP, I can't see the pfsense sourcetype, only syslog. I added syslog, but Home Monitor won't recognize it, and I can't find any info on what anything means in the pfsense firewall log (no explanation of the numbers). I found Source, Dest, ports, Action, but that's all, which is not enough. Is there any way to automate or provide the pfsense sourcetype to Splunk?

P.S.: Searched for 2 days, can't find anything. All info is old...

amiracle
Splunk Employee

Is this still a problem? I was able to make some updates that may have resolved your issue.


amiracle
Splunk Employee

I've fixed how this app does the source typing of your data. Now, you run through a setup screen which allows you to manually enter your source type, in this case pfsense. If you left the source type as syslog, then it will look at the hostname of your router (based on your internal DNS) and if it contains pfsense, it will automatically source type it as pfsense. In the example above, I left my hostname by mistake (guard) but have since corrected it in more recent releases (4.2.1).

Let me know if you have any additional issues on boarding your firewall's logs into Splunk running Home Monitor.

Thanks,
Kam

Richfez
SplunkTrust

It looks to me like the Home Monitor app rewrites sourcetype into the appropriate value in transforms.conf, and it does this based on hostname as it's being reported. Can you check your $splunkhome$/homemonitor/default/transforms.conf's stanza for pfsense and make sure the REGEX says your pfsense router's hostname?

[pfsense]
# Make sure that this matches the hostname of your router, pfsense is just an example. 
REGEX = guard
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::pfsense
DEST_KEY = MetaData:Sourcetype

You can search your sourcetype=syslog events to confirm what the hostname is set to.

Otherwise, have you considered the app TA and APP for pfSense by A3Sec instead? I am not affiliated with either product, but the documentation for getting that app seems much better.


Richfez
SplunkTrust

Note: it's very possible the pfsense stanza you actually need is in splunkhome/homemonitor/local/transforms.conf.

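As an added example (not code from this thread or from the Home Monitor app), the Python script below emulates the host-based sourcetype rewrite the answers above describe: it reads the [pfsense] stanza from a default/transforms.conf, layers a local/transforms.conf over it the way Splunk does, pulls the hostname out of sample syslog lines (the same thing you would confirm with a sourcetype=syslog search), and reports which events the REGEX would retag as pfsense. The hostnames (fw-pfsense, mailhost), the local override and the syslog lines are all constructed for the example; the filterlog payload fields are carried along but not interpreted.

```python
"""Emulate Home Monitor's MetaData:Host -> sourcetype override so you can check,
offline, whether the REGEX in the [pfsense] transforms stanza matches the
hostname your pfSense box actually reports."""

import configparser
import re

# Constructed copy of the default/transforms.conf stanza quoted in the thread.
DEFAULT_TRANSFORMS = """\
[pfsense]
# Make sure that this matches the hostname of your router, pfsense is just an example.
REGEX = guard
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::pfsense
DEST_KEY = MetaData:Sourcetype
"""

# Constructed local/transforms.conf override. In Splunk, local/ wins over default/
# key by key, so only REGEX needs to be overridden here.
LOCAL_TRANSFORMS = """\
[pfsense]
REGEX = ^fw-pfsense$
"""

# Constructed RFC 3164-style syslog lines as a UDP input would receive them.
# Hostnames, addresses and filterlog payloads are made up for this example.
SAMPLE_SYSLOG = [
    "<134>Mar 10 12:00:01 fw-pfsense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.9,192.0.2.10,51000,443,0,S,2083640716,,65535,,mss",
    "<134>Mar 10 12:00:02 fw-pfsense filterlog: 7,,,1000000105,em0,match,pass,out,4,0x0,,64,0,0,DF,17,udp,78,192.0.2.10,198.51.100.53,55000,53,58",
    "<38>Mar 10 12:00:03 mailhost sshd[2211]: Accepted publickey for ops from 192.0.2.44 port 50122",
]

SYSLOG_RE = re.compile(
    r"^(?:<\d{1,3}>)?"                                  # optional PRI
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "  # BSD timestamp
    r"(?P<host>\S+) "                                   # hostname -> MetaData:Host
    r"(?P<msg>.*)$"
)


def load_stanza(conf_text, stanza):
    """Read one [stanza] from Splunk-style .conf text into a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk keys are case-sensitive (REGEX, SOURCE_KEY, ...)
    cp.read_string(conf_text)
    return dict(cp[stanza]) if cp.has_section(stanza) else {}


def effective_stanza(default_text, local_text, stanza="pfsense"):
    """local/ keys override default/ keys, key by key, as Splunk layers them."""
    merged = load_stanza(default_text, stanza)
    merged.update(load_stanza(local_text, stanza))
    return merged


def syslog_host(line):
    """Hostname from the syslog header, or None if the line is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    return m.group("host") if m else None


def apply_sourcetype_override(lines, rule, default_sourcetype="syslog"):
    """Return [(host, sourcetype)] after applying a host -> sourcetype rewrite.
    Splunk's REGEX is an unanchored search, so 'guard' also matches 'guard-fw'."""
    if rule.get("SOURCE_KEY") != "MetaData:Host" or rule.get("DEST_KEY") != "MetaData:Sourcetype":
        raise ValueError("this emulator only handles MetaData:Host -> MetaData:Sourcetype rules")
    target = rule["FORMAT"].split("::", 1)[1]  # "sourcetype::pfsense" -> "pfsense"
    pattern = re.compile(rule["REGEX"])
    out = []
    for line in lines:
        host = syslog_host(line)
        if host is None:
            continue  # not syslog-shaped; leave it alone
        out.append((host, target if pattern.search(host) else default_sourcetype))
    return out


def unmatched_hosts(lines, rule):
    """Hosts in the sample the REGEX would NOT retag: your router must not be in here."""
    seen = {syslog_host(l) for l in lines} - {None}
    pattern = re.compile(rule["REGEX"])
    return sorted(h for h in seen if not pattern.search(h))


if __name__ == "__main__":
    shipped = load_stanza(DEFAULT_TRANSFORMS, "pfsense")
    fixed = effective_stanza(DEFAULT_TRANSFORMS, LOCAL_TRANSFORMS)
    print("shipped REGEX", repr(shipped["REGEX"]), "->", apply_sourcetype_override(SAMPLE_SYSLOG, shipped))
    print("fixed   REGEX", repr(fixed["REGEX"]), "->", apply_sourcetype_override(SAMPLE_SYSLOG, fixed))
    print("hosts left as syslog under the shipped stanza:", unmatched_hosts(SAMPLE_SYSLOG, shipped))
```

With the stanza as shipped (REGEX = guard) every event stays sourcetype=syslog, which is the symptom in the question; with the local override both filterlog events become sourcetype=pfsense and mailhost is untouched. Keep in mind that a transforms.conf stanza only runs when a props.conf stanza for the incoming sourcetype names it in a TRANSFORMS-* setting; the app supplies that wiring, so the REGEX is normally the only thing you need to change, and anchoring it (^...$) avoids retagging other hosts whose names merely contain the string.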