This is not a problem that can be properly fixed on the Splunk side. Lguinn's solution would be acceptable if you were only logging firewall events, but if you logged other pfSense events, they would be trailed onto the previous firewall event until the next "match".
The fix would be to get the pfSense guys to take the line break out of their tcpdump command. It is causing problems with every syslog receiver out there.
They are already discussing it, and there is a workaround if you are running a read/write version of pfSense (not the embedded version for ALIX or Soekris, since the filesystem is read-only).
Here is the bug discussion on the pfSense forum: http://redmine.pfsense.org/issues/1938
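To make the merging behaviour described above concrete, here is an added Python example (not from the post or from pfSense/Splunk) that feeds a constructed syslog stream through two splitters: one that only starts a new event on a firewall "match" line, which trails the following dhcpd event onto the firewall event, and one that breaks on any syslog header. Hostnames, timestamps and the exact firewall line format are made up for illustration.

```python
import re

# Constructed sample of what a syslog receiver might see from pfSense 2.x:
# the firewall log line is followed by an extra newline (the tcpdump line
# break the post refers to), then an unrelated dhcpd event. Made-up values.
SAMPLE_STREAM = (
    "<134>Nov 14 10:01:02 pfsense pf: 00:00:00.000123 rule 5/0(match): "
    "block in on em0: 203.0.113.7.4444 > 192.0.2.10.22: tcp\n"
    "\n"
    "<30>Nov 14 10:01:03 pfsense dhcpd: DHCPACK on 192.0.2.50 to 00:11:22:33:44:55\n"
    "<134>Nov 14 10:01:04 pfsense pf: 00:00:00.000456 rule 5/0(match): "
    "block in on em0: 198.51.100.9.5555 > 192.0.2.10.23: tcp\n"
    "\n"
)

# Boundary that only recognises firewall lines: everything that is not a
# "pf:" line is appended to the previous firewall event (the problem above).
FIREWALL_START = re.compile(r"^<\d+>\w{3} +\d+ \d\d:\d\d:\d\d \S+ pf: ", re.M)

# Boundary on any syslog header (<PRI> + timestamp + host): a blank line or a
# non-firewall event can no longer be merged into the firewall event before it.
SYSLOG_HEADER = re.compile(r"^<\d+>\w{3} +\d+ \d\d:\d\d:\d\d \S+ ", re.M)


def split_events(stream: str, boundary: re.Pattern) -> list[str]:
    """Split a raw syslog stream into events, starting a new event at each
    boundary match. Text before the first boundary is dropped (nothing to
    attach it to); surrounding blank lines are stripped from each event so the
    stray tcpdump newline does not survive into the stored event."""
    starts = [m.start() for m in boundary.finditer(stream)]
    events = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(stream)
        events.append(stream[start:end].strip())
    return events


if __name__ == "__main__":
    for name, boundary in (("firewall-only", FIREWALL_START), ("any header", SYSLOG_HEADER)):
        events = split_events(SAMPLE_STREAM, boundary)
        print(f"{name}: {len(events)} events")
        for e in events:
            print("  ", repr(e[:70]))
```

With the firewall-only boundary the dhcpd line ends up inside the first firewall event; with the header boundary the three events come out separately.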