pfSense and Elastic Stack

pfSense is a great firewall and Elastic Stack is a great data platform. I finally decided it was a good idea to use them together and see what I can see.

The full configuration file is located in my GitHub repository: pfSense logstockpile configuration file

It is a Logstash configuration that parses both IPv4 and IPv6 pfSense firewall logs.

If you are interested, I have also created a project to deploy an X-Pack enabled Docker Swarm cluster of an Elastic Stack: Elastic-composer

At this time it does not conform to the Elastic Common Schema (ECS).

The input section expects to receive UDP syslog messages on port 5514 from your pfSense firewall.
These logs are tagged "PFSENSE" and mangled appropriately.

input
{
    syslog
    {
        port => 5514
        use_labels => false
        tags => ["PFSENSE"]
    }
}
filter
{
    if "PFSENSE" in [tags] {
        # Lots of logic and mangling here.
    }
}
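The filter section above is where the pfSense filterlog CSV payload gets split into fields. As an added illustration (not code from the configuration file or from pfSense), here is a small Python parser that does the same job for IPv4 and IPv6 entries, following the documented filterlog field order; the sample syslog lines are constructed, and the tracker IDs and addresses in them are placeholders.

```python
# Added example: parse pfSense filterlog syslog lines (IPv4/IPv6, TCP/UDP) into fields.
import re

SYSLOG_RE = re.compile(r"filterlog\[\d+\]: (?P<csv>.*)$")
# Field order follows the pfSense raw filter log format; an assumption, not from the page.
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto", "length", "src", "dst"]
IPV6 = ["class", "flowlabel", "hoplimit", "proto", "proto_id", "length", "src", "dst"]
TCP = ["srcport", "dstport", "datalen", "tcpflags", "seq", "ack", "window", "urg", "options"]
UDP = ["srcport", "dstport", "datalen"]

def parse_filterlog(line):
    """Return a dict of fields for one filterlog line, or None for non-filterlog syslog lines."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    fields = m.group("csv").split(",")
    rec = dict(zip(COMMON, fields[:len(COMMON)]))
    rest = fields[len(COMMON):]
    if rec.get("ipver") == "4":
        rec.update(zip(IPV4, rest)); rest = rest[len(IPV4):]
    elif rec.get("ipver") == "6":
        rec.update(zip(IPV6, rest)); rest = rest[len(IPV6):]
    else:
        return rec  # unknown IP version: keep only the common fields
    if rec.get("proto") == "tcp":
        rec.update(zip(TCP, rest))
    elif rec.get("proto") == "udp":
        rec.update(zip(UDP, rest))
    return rec

def blocked_by_source(lines):
    """Count blocked packets per source address, a typical first dashboard question."""
    counts = {}
    for line in lines:
        rec = parse_filterlog(line)
        if rec and rec.get("action") == "block" and "src" in rec:
            counts[rec["src"]] = counts.get(rec["src"], 0) + 1
    return counts

# Constructed sample lines (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE = [
    "Dec 10 12:00:00 pfsense filterlog[12345]: 4,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.0.2.10,198.51.100.20,54321,22,0,S,1234567890,,65535,,mss;sackOK;TS;nop;wscale",
    "Dec 10 12:00:01 pfsense filterlog[12345]: 5,,,1000000104,igb0,match,block,in,6,0x00,0x00000,64,udp,17,40,2001:db8::1,2001:db8::2,5353,5353,40",
    "Dec 10 12:00:02 pfsense filterlog[12345]: 2,,,1000000101,igb0,match,pass,out,4,0x0,,64,0,0,DF,17,udp,76,192.0.2.10,192.0.2.53,51000,53,56",
    "Dec 10 12:00:03 pfsense sshd[999]: not a filterlog line",
]
```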

The output section has examples of multiple outputs, including a commented-out stdout output for debugging.

output {
    if "PFSENSE" in [tags] {
        elasticsearch {
            index => "pfsense-firewall-%{+YYYY.MM.dd}"
            # To use with elastic-composer, uncomment and set the user and password
            #user => "<elastic username>"
            #password => "<elastic password>"
            #hosts => ["https://es01:9200","https://es02:9200","https://es03:9200"]
            #ssl => true
            #cacert => "/usr/share/elasticsearch/config/certificates/ca/ca.crt"
        }
    }

    # stdout
    # {
    #   codec => rubydebug
    # }
}

Configure pfSense

Go to the Status -> System Logs page.

Under Enable Remote Logging, check [x] Send log messages to remote syslog server.

Under Remote log servers, enter your Logstash system's IP address.

Under the Remote Syslog Contents section, check:

Remote Syslog Contents [x] Firewall Events

You can also enable logging of default block firewall events.

Go to Status / System Logs / Firewall

Scroll to the bottom of the page and expand the Manage Firewall Log area.

The Log firewall default blocks setting has many options. I chose [x] Log packets matched from the default block rules in the ruleset.