Good day.
I can't get any info about how I can do this. When I add input from UDP, I can't see the pfsense sourcetype, only syslog. I added syslog, but Home Monitor won't recognize it, and I can't find any info on what anything means in the pfsense firewall log (no explanation of the numbers). I found Source, Dest, ports, Action, but that's all, which is not enough. Is there any way to automate or provide the pfsense sourcetype to Splunk?
P.S.: Searched for 2 days, can't find anything. All info is old...
Is this still a problem? I was able to make some updates that may have resolved your issue.
I've fixed how this app does the source typing of your data. Now, you run through a setup screen which allows you to manually enter your source type, in this case pfsense. If you left the source type as syslog, then it will look at the hostname of your router (based on your internal DNS) and if it contains pfsense, it will automatically source type it as pfsense. In the example above, I left my hostname by mistake (guard) but have since corrected it in more recent releases (4.2.1).
Let me know if you have any additional issues onboarding your firewall's logs into Splunk running Home Monitor.
Thanks,
Kam
It looks to me like the Home Monitor app rewrites sourcetype into the appropriate value in transforms.conf, and it does this based on hostname as it's being reported. Can you check your $splunkhome$/homemonitor/default/transforms.conf's stanza for pfsense and make sure the REGEX says your pfsense router's hostname?
[pfsense]
# Make sure that this matches the hostname of your router, pfsense is just an example.
REGEX = guard
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::pfsense
DEST_KEY = MetaData:Sourcetype
You can search your sourcetype=syslog events to confirm what the hostname is set to.
Otherwise, have you considered the app TA and APP for pfSense by A3Sec instead? I am not affiliated with either product, but the documentation for getting that app seems much better.
Note, it's very possible the pfsense stanza you actually need may be in the splunkhome/homemonitor/local/transforms.conf.
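Added example, not from this thread or from the Home Monitor app: a small Python simulation of the host-keyed sourcetype rewrite described above, used to check which reported hostnames a given REGEX would retype before editing transforms.conf. It assumes unanchored, case-sensitive regex matching and keeps only the part of FORMAT after "::"; the hostnames in SAMPLE_HOSTS are constructed.

```python
import configparser
import re

# Constructed transforms.conf text, in the shape of the stanza quoted in the answer.
TRANSFORMS_CONF = """
[pfsense]
# Make sure that this matches the hostname of your router, pfsense is just an example.
REGEX = guard
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::pfsense
DEST_KEY = MetaData:Sourcetype
"""

# Constructed host values as they might appear on sourcetype=syslog events.
SAMPLE_HOSTS = ["guard", "pfsense.lan", "fw01", "PFSENSE"]

def load_stanza(conf_text, name):
    """Parse Splunk-style .conf text and return one stanza as a dict (key case preserved)."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str
    parser.read_string(conf_text)
    return dict(parser[name])

def apply_transform(stanza, meta):
    """Simulate the rewrite: when REGEX matches the SOURCE_KEY value, set DEST_KEY from FORMAT.
    Assumption: unanchored, case-sensitive search; only the text after '::' is stored."""
    meta = dict(meta)
    if re.search(stanza["REGEX"], meta.get(stanza["SOURCE_KEY"], "")):
        meta[stanza["DEST_KEY"]] = stanza["FORMAT"].split("::", 1)[1]
    return meta

def retyped_hosts(stanza, hosts):
    """Return the hosts whose syslog events would end up with the stanza's target sourcetype."""
    target = stanza["FORMAT"].split("::", 1)[1]
    hits = []
    for host in hosts:
        meta = apply_transform(stanza, {"MetaData:Host": host, "MetaData:Sourcetype": "syslog"})
        if meta["MetaData:Sourcetype"] == target:
            hits.append(host)
    return hits

if __name__ == "__main__":
    shipped = load_stanza(TRANSFORMS_CONF, "pfsense")
    print("REGEX =", shipped["REGEX"], "retypes:", retyped_hosts(shipped, SAMPLE_HOSTS))
    fixed = dict(shipped, REGEX="(?i)pfsense")  # hypothetical corrected REGEX
    print("REGEX =", fixed["REGEX"], "retypes:", retyped_hosts(fixed, SAMPLE_HOSTS))
```

Point the REGEX at the hostname your firewall actually reports (as seen on your sourcetype=syslog events) and rerun; a hostname that never appears in the retyped list will stay syslog.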