
TA-pfsense sourcetyping only catching filterlog

token2
Path Finder

Running into an issue where TA-pfsense is only creating three sourcetypes:
pfsense:filterlog
pfsense:dhclient
pfsense

I'm not that Splunk savvy. Looking at the props and transforms, and then the data in Splunk (_raw), I'm wondering if the lack of time being in the raw log is throwing off the transforms to create the sourcetype.

example raw log not getting sourcetyped by the app (so ends up with sourcetype=pfsense)

/index.php: User logged out for user 'admin' from: 192.168.1.151 (Local Database)

OR

sendmsg: Permission denied

Example of raw log getting sourcetyped as pfsense:dhclient which is not addressed in the props.

Mar 28 22:13:03 dhclient: FAIL

Looking at the transforms:

[pfsense_sourcetyper]
REGEX = \w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?:[\w.]+\s)?(\w+)

I'm assuming it gets past the time stamp, and the following is what gets grabbed as sourcetype to append to pfsense:
With this assumption, the raw logs without time in the raw simply get sourcetyped pfsense.

This is causing OpenVPN logs, nginx, dhcpd etc to not accurately get sourcetyped and fields extracted as they are sourcetyped simply 'pfsense'.
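As an added illustration (not code from the TA-pfsense app or from the poster), the snippet below applies the quoted transforms REGEX to the sample events from the question plus two constructed syslog-timestamped lines, showing which events receive a pfsense:<process> sourcetype and which fall back to plain pfsense. The hostname and the filterlog/openvpn payloads in the constructed lines are made up.

```python
import re

# The sourcetyper regex as quoted from the TA's transforms.conf stanza.
PFSENSE_SOURCETYPER = re.compile(
    r"\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?:[\w.]+\s)?(\w+)"
)


def assign_sourcetype(raw: str) -> str:
    """Mimic the transform: FORMAT sourcetype::pfsense:$1 when the regex
    matches; otherwise the event keeps the base sourcetype 'pfsense'.
    Splunk applies REGEX unanchored, so re.search is the right analogue."""
    m = PFSENSE_SOURCETYPER.search(raw)
    if m:
        return f"pfsense:{m.group(1)}"
    return "pfsense"


# Constructed sample events: the three quoted in the question plus two with a
# syslog timestamp and hostname (hostname 'pfsense' and payloads are made up).
SAMPLE_EVENTS = [
    "Mar 28 22:13:03 dhclient: FAIL",
    "/index.php: User logged out for user 'admin' from: 192.168.1.151 (Local Database)",
    "sendmsg: Permission denied",
    "Mar 28 22:13:03 pfsense filterlog: 5,,,1000000103,igb0,match,block,in,4",
    "Mar 28 22:13:03 pfsense openvpn[12345]: peer-id constructed-sample",
]


def classify_all(events):
    """Return a mapping of raw event -> sourcetype the transform would assign."""
    return {e: assign_sourcetype(e) for e in events}


if __name__ == "__main__":
    # Events without the leading timestamp never reach the capture group,
    # so they stay 'pfsense' regardless of which daemon produced them.
    for event, st in classify_all(SAMPLE_EVENTS).items():
        print(f"{st:18} <- {event}")
```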


pkt_nspktr
Explorer

@token2, I had a similar issue, and documented my solution here: https://community.splunk.com/t5/All-Apps-and-Add-ons/TA-pfsense-transforms-conf-pfsense-sourcetyper-....  Take a look and see if that helps you any.
