Logstash pipeline configuration to ingest pfsense firewall logs.
pfSense is a great firewall and Elastic Stack is a great data platform. I finally decided it was a good idea to use them together and see what I can see.
The full configuration file is on my GitHub: pfSense logstockpile configuration file.
This Logstash configuration parses both IPv4 and IPv6 pfSense firewall logs.
If you are interested, I have also created a project, Elastic-composer, that deploys an X-Pack enabled Docker Swarm cluster running the Elastic Stack.
At this time it does not conform to the Elastic Common Schema (ECS).
The input section expects to receive UDP syslog messages on port 5514 from your pfSense firewall.
These logs are tagged "PFSENSE" so that the filter and output sections can select them, and are then mangled appropriately.
input
{
  syslog
  {
    # Listen on a non-privileged port; point pfSense's remote syslog at this port.
    port => 5514
    use_labels => false
    # Tags must be an array; the filter and output sections match on this tag.
    tags => ["PFSENSE"]
  }
}
filter
{
  if "PFSENSE" in [tags] {
    # Lots of logic and mangling here.
  }
}
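To make the "mangling" concrete, here is an added example (not the author's pipeline or pfSense's code) that unpacks the comma-separated filterlog message the filter section has to deal with, handling IPv4 and IPv6 headers and the TCP/UDP tails. The sample lines are constructed, and the field order is assumed from pfSense's documented filterlog format.

```python
import re

# Constructed sample syslog lines (not captured from a real firewall). The
# field layout below is assumed from pfSense's documented filterlog CSV format.
SAMPLE_LOGS = [
    "<134>Jan  1 12:00:00 pfsense filterlog: 9,,,1000000103,igb1,match,block,in,4,"
    "0x0,,64,0,0,DF,17,udp,338,192.0.2.10,192.0.2.1,67,68,318",
    "<134>Jan  1 12:00:01 pfsense filterlog: 12,,,1000000105,igb1,match,pass,out,6,"
    "0x00,0x00000,64,TCP,6,60,2001:db8::10,2001:db8::1,51234,443,0,S,123456789,,65535,,mss",
]

# Field names per segment: a common prefix, then an IPv4 or IPv6 header, then TCP/UDP.
COMMON = ["rule_number", "sub_rule", "anchor", "tracker", "interface",
          "reason", "action", "direction", "ip_version"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protocol_id",
        "protocol", "length", "src_ip", "dst_ip"]
IPV6 = ["class", "flow_label", "hop_limit", "protocol", "protocol_id",
        "length", "src_ip", "dst_ip"]
TCP = ["src_port", "dst_port", "data_length", "tcp_flags", "seq", "ack",
       "window", "urg", "options"]
UDP = ["src_port", "dst_port", "data_length"]

def parse_filterlog(line):
    """Return a dict of named fields for one filterlog line, or None for other syslog lines."""
    m = re.search(r"filterlog(?:\[\d+\])?: (.*)$", line)
    if not m:
        return None
    fields = m.group(1).split(",")
    event = dict(zip(COMMON, fields))
    rest = fields[len(COMMON):]
    ip_fields = IPV4 if event.get("ip_version") == "4" else IPV6
    event.update(zip(ip_fields, rest))
    rest = rest[len(ip_fields):]
    proto = event.get("protocol", "").lower()
    if proto == "tcp":
        event.update(zip(TCP, rest))
    elif proto == "udp":
        event.update(zip(UDP, rest))
    elif rest:
        event["unparsed"] = rest  # ICMP, ESP, etc.: keep the tail instead of dropping it
    return event

def count_blocks_by_interface(lines):
    """Tally blocked packets per interface, the view that default-block logging feeds."""
    counts = {}
    for ev in filter(None, map(parse_filterlog, lines)):
        if ev.get("action") == "block":
            counts[ev["interface"]] = counts.get(ev["interface"], 0) + 1
    return counts
```

Calling `parse_filterlog` on each sample returns the named fields, and `count_blocks_by_interface(SAMPLE_LOGS)` returns `{"igb1": 1}`.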
The output section shows two outputs: Elasticsearch, and a commented-out stdout output you can enable for debugging.
output {
  if "PFSENSE" in [tags] {
    elasticsearch {
      # Daily index; the date pattern needs a four-digit year.
      index => "pfsense-firewall-%{+YYYY.MM.dd}"
      # To use with elastic-composer, uncomment and change the user and password
      #user => "<elastic username>"
      #password => "<elastic password>"
      #hosts => ["https://es01:9200","https://es02:9200","https://es03:9200"]
      #ssl => true
      #cacert => "/usr/share/elasticsearch/config/certificates/ca/ca.crt"
    }
  }
  # Uncomment to print every event to the Logstash console while debugging.
  # stdout
  # {
  #   codec => rubydebug
  # }
}
Configure pfSense
Go to the Status -> System Logs page.
Under Enable Remote Logging:
[x] Send log messages to remote syslog server
Under Remote log servers, enter your Logstash system IP address, including port 5514, since that is the port the input section above listens on.
Under Remote Syslog Contents:
[x] Firewall Events
You can also enable the sending of default block firewall events.
Go to Status / System Logs / Firewall.
Scroll to the bottom of the page and expand the Manage Firewall Log area.
The Log firewall default blocks setting has many options. I choose [x] Log packets matched from the default block rules in the ruleset.