All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Home Monitor pfSense Field Extractions

ToddMKieffer
Engager
‎11-13-2016 11:07 AM

I just got Splunk Enterprise 6.5 up and running with Home Monitor 4.5.1 to ingest my pfsense 2.3.2_1 logs. I'm noticing that the field extractions seem to be off in Home Monitor.

I've adjusted the following but am wondering if there is other items that may have changed from 2.3 to 2.3.x that may need to be updated in the home monitor app.

pfsense: EXTRACT-Application changed 9 to 7 ^(?:[^ \n]* ){7}(?P\w+)

The ip_spec_4 field seems to be off as well but I'm not certain what it should be extracting. Current output is 0x0,,47,61089,0,none,6,tcp,40,77.252.229.149,173.26.98.103,60148,23,0,S,2904187495,,56516,, I first thought it was IPv version but that's covered under ip_v field.

Reply

amiracle
Splunk Employee
Splunk Employee
‎01-09-2017 09:31 AM

This could be due to the hostname that is being logged in your pfsense logs. For example, if your firewall's hostname is just 'pfsense' then that will throw off the extraction since I wrote my expecting a FQDN hostname (e.g. pfsense.domain.com).

The ip_spec_4 field is supposed to extract the payload for IPv4 events. Since the fields logged are different for IPv4 vs. IPv6, I had to create the ip_spec_4 to capture the different fields.

If you look at the extraction, the ip_spec_4 should start extracting after the ip version (ip_v) starting with the 'tos' field, normally 0x0. (https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2). I know that this is for version 2.2, but the majority of the fields are the same.

Once the ip_spec has been extracted, then the fields within that IP Version can be extracted. Let me know if that helps or if you have any other questions.

Thanks,
Kam

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...