I have PFsense sending logs to Splunk running on Ubuntu 14.04 server. When I check pfsense internal logs, everything works fine, but when I go to Splunk, it shows me output that's not in pfsense and the date is far off.
11/5/10 11:59:59.000 PM Nov 4 23:59:59 10.0.0.10 Nov 5 05:00:00 /usr/sbin/cron[77798]: (root) CMD (/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout)
host = 10.0.0.10
source = udp:514
sourcetype = pfsense
When I check the count on the main page in Splunk, I see the right count and time, but when I click on the host, that's what I see. I tried to restart Splunk, but didn't help.
Please suggest what could be the issue. Thanks.
I'm not familiar with PFsense or the log format it emits, but it sounds like the fields are not being recognized/parsed correctly by Splunk.
In the absence of a TA that might supply the needed sourcetype definition, you may have to define one.
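As an added illustration of the sourcetype definition suggested above (not from the original thread or any pfSense TA), here is a props.conf stanza for the pfsense sourcetype on the Splunk instance that receives udp:514. It assumes the event's timestamp is the leading syslog header without a year (as in the posted event), the TZ value and the extracted field names are assumptions, and the stanza is placed in $SPLUNK_HOME/etc/system/local/props.conf.

```ini
# Hypothetical props.conf stanza for the sourcetype already assigned
# to the udp:514 input in the question. All keys are standard
# props.conf settings; the values are tuned to the posted event:
#   Nov 4 23:59:59 10.0.0.10 Nov 5 05:00:00 /usr/sbin/cron[77798]: (root) CMD (...)
[pfsense]

# Each syslog datagram is one event; never merge consecutive lines.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

# Anchor timestamp recognition to the syslog header at the start of
# the line, and pin its format. Without an explicit format Splunk's
# automatic recognizer may keep scanning past the header and treat
# trailing digits (such as the "10" in "10.0.0.10") as a two-digit
# year, which is one way an event can land in the wrong year.
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
# "Nov  4 23:59:59" is at most 15 characters; stop looking after that.
MAX_TIMESTAMP_LOOKAHEAD = 16

# The header carries no year and no zone: Splunk fills in the current
# year, and the zone must be stated explicitly (assumed here; set it to
# the firewall's actual zone so _time is not shifted by several hours).
TZ = UTC

# Search-time extraction of the pieces the syslog header and the
# pfSense-side message carry, so the host that emitted the line, the
# firewall's own timestamp, the process and its PID become fields.
# Field names are assumptions, not pfSense or Splunk conventions.
EXTRACT-pfsense_syslog = ^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+(?<syslog_host>\S+)\s+(?<app_time>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?<process>[^\s\[:]+)(?:\[(?<pid>\d+)\])?:\s+(?<message>.*)$
```

After restarting Splunk, only newly indexed events get the corrected _time; events already indexed keep the timestamp they were assigned, so compare a fresh event's _time against the firewall's clock to confirm the fix.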