I’m trying out Graylog for log collection, aggregation, and analysis. It’s free and pretty damn easy to deploy, available in OVA format.
The first thing I noticed is there seemed to be no extractors for pfSense 2.2’s new log format. Extractors allow you to parse a syslog message and place certain values into ‘fields’ for analysis or use in graphs.
Here’s one I prepared relatively quickly. You can import by:
- Click System -> Inputs in the Graylog UI
- Click ‘Manage extractors’ next to the relevant input
- Click ‘Import extractors’ in the ‘Actions’ menu at the top right of the page
- Paste the below script into the window and then click ‘Add extractors to input’
The extractors will parse the following fields out of the pfSense 2.2 filterlog messages:
- Rule number into pfsense_filter_rulenum
- Direction into pfsense_filter_direction
- Ingress interface into pfsense_filter_ingress
- Action into pfsense_filter_action
- Protocol into pfsense_filter_proto
- Source IP into pfsense_filter_sourceip
- Source Port into pfsense_filter_sourceport
- Destination IP into pfsense_filter_destip
- Destination Port into pfsense_filter_destport
Right now they only interpret IPv4 logs, IPv6 log entries don’t get parsed (thanks to the condition regex) as they are formatted differently.
The script is available here, or click ‘Continue Reading’.
Hope this helps!