Graylog Extractors for pfSense 2.2 filter logs

Hi all,

I’m trying out Graylog for log collection, aggregation, and analysis. It’s free and pretty damn easy to deploy, available in OVA format.

The first thing I noticed is there seemed to be no extractors for pfSense 2.2’s new log format. Extractors allow you to parse a syslog message and place certain values into ‘fields’ for analysis or use in graphs.

Here’s one I prepared relatively quickly. You can import by:

  1. Click System -> Inputs in the Graylog UI
  2. Click ‘Manage extractors’ next to the relevant input
  3. Click ‘Import extractors’ in the ‘Actions’ menu at the top right of the page
  4. Paste the below script into the window and then click ‘Add extractors to input’

The extractors will parse the following fields out of the pfSense 2.2 filterlog messages:

  • Rule number into pfsense_filter_rulenum
  • Direction into pfsense_filter_direction
  • Ingress interface into pfsense_filter_ingress
  • Action into pfsense_filter_action
  • Protocol into pfsense_filter_proto
  • Source IP into pfsense_filter_sourceip
  • Source Port into pfsense_filter_sourceport
  • Destination IP into pfsense_filter_destip
  • Destination Port into pfsense_filter_destport

Right now they only interpret IPv4 logs, IPv6 log entries don’t get parsed (thanks to the condition regex) as they are formatted differently.

The script is available here, or click ‘Continue Reading’.

Hope this helps!

(more…)

2015-02-27 10_37_36-Remote Desktop Manager Free [APUTIL02]

NetApp & Powershell – Snapshot Report

This post follows on from my last, where I created a script to send an email report when running dedupe operations were detected.

Utilizing the same script, I made some quick modifications to have it send an email report of volume snapshots and their sizes/creation date. Here’s what it looks like.

2015-02-27 10_36_20-NetApp Volume Snapshot Report - Message (HTML)

The syntax for the report is pretty much the same as the last script.

.\NetApp-SnapshotReport.ps1 -Controller controller1,controller2 -Username <user> -Password <pass> -SMTPServer <server> -MailFrom <Email From> -MailTo <Email To>

Download the script here. I currently have it configured as a scheduled task running every morning so we have a daily report of current volume snapshots, and it works well.

Enjoy!

 

2015-02-24 16_54_23-Remote Desktop Manager Free [APUTIL02]

NetApp & Powershell – Report on running dedupe tasks

Hi all,

Recently ran across a misbehaving NetApp where it’s deduplication process would be triggered on a Saturday morning, and still be running come the Monday. It wouldn’t happen on every scheduled run, but when it did, it hurt storage performance significantly. We’re working on the usual tasks, there’s a lot of misaligned data on the volume. But in the meantime, I used the NetApp Data ONTAP PowerShell Module to create a little script that will shoot an email if it detects a running SIS process.

Configure it as a scheduled task on a system that has the DataONTAP powershell module installed. Here’s an example of the command line parameters:

.\NetApp-ActiveDedupeAlert.ps1 -Controller controller1,controller2 -Username <user> -Password <"pass"> -SMTPServer <server> -MailFrom <Email From> -MailTo <Email To>

If the script detects any running SIS processes, it’ll shoot off an email that looks like this:

Dedup Alert Email

You can grab the code here, or click the ‘Read More’ button to see the code.

(more…)