
pfsense-graylog's Introduction

We will parse the log records generated by the pfSense firewall. Our Graylog server is already running, so we start by preparing it to receive and store those records.

Indices

We now create the pfsense index set in System / Indices.

Index shards 4 and index replicas 0. Rotation can be time-based (or by message count or size), and retention can delete the oldest index, close it, or do nothing once the maximum number of indices is reached. In my case I set it to rotate monthly and delete indices after 12 months; there are many ways to set up rotation. Note that 0 replicas means a shard lost on the Elasticsearch node is gone for good, which is acceptable for a single-node lab but not for a cluster whose logs you rely on as evidence. The first index is created immediately, and we can check it with Cerebro.

Content Pack

This content pack includes a syslog input (rsyslog type), extractors, lookup tables, and the data adapters and caches those lookup tables need. To download the files we install git and clone the repository.

#apt-get install git

and then clone it

#git clone https://github.com/devopstales/pfsense-graylog

The content pack carries extractors and pipeline rules that Graylog will run against every message, so review the cloned files (or pin a specific commit) before importing them rather than trusting whatever the branch currently holds.

We now locate the CSV data for the lookup table that converts port numbers into service names. From the repository you just cloned, take the service-names-port-numbers.csv file and copy it to /etc/graylog/server.

#cp service-names-port-numbers.csv /etc/graylog/server

We now import the file from the content pack folder: in System / Content Packs choose Import content packs and upload the file.

As we see, it is added to the list. We select the pfsense content pack and apply it.

Streams

We edit the pfsense stream under Streams to associate it with the index set we created at the start. We tick the option to remove matches from the default 'All messages' stream so that the messages are stored only in the pfsense index.

Cerebro

As explained earlier, Graylog generates its own template for each index set and re-applies it every time the index rotates. If we want our own field mappings we must create a template in Elasticsearch itself, with a higher order than Graylog's so that ours wins for the fields both define. We add the field real_timestamp, which we will use from Grafana, and map dest_ip_geolocation and src_ip_geolocation as geo_point so the World Map panels can use them, since Graylog does not store them in that type.

To import the custom template, open Cerebro and go to more / index templates.

We create a new template, name it pfsense-custom, open the file in the git clone that contains the template, paste its content, and press the create button.

Now we stop the Graylog service so we can delete the index through Cerebro. Deleting the index discards every message already stored in it; that is harmless here because the index set was just created and is empty, but on a live system rotate the active write index instead, so that the next index picks up the template without losing data.

#systemctl stop graylog-server.service

In Cerebro, select the index, unfold its options and choose delete index.

We start the Graylog service again; on start it recreates the index, this time with our template applied.

#systemctl start graylog-server.service
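The template itself is not reproduced on this page. The following is an added example of what such a template looks like for Graylog 3 on Elasticsearch 6.x; it is written for this page and is not the repository's own template file. It assumes the index set prefix is pfsense (so the indices are named pfsense_0, pfsense_1, ...), that the GeoIP resolver writes its result into src_ip_geolocation and dest_ip_geolocation, and that real_timestamp holds the "yyyy-MM-dd HH:mm:ss" string the pipeline rule in the next section produces:

```json
{
  "index_patterns": ["pfsense_*"],
  "order": 1,
  "mappings": {
    "message": {
      "properties": {
        "real_timestamp":      { "type": "date", "format": "yyyy-MM-dd HH:mm:ss" },
        "src_ip_geolocation":  { "type": "geo_point" },
        "dest_ip_geolocation": { "type": "geo_point" }
      }
    }
  }
}
```

Graylog registers its own template with a low order (-1 in the 3.x documentation), so an order of 1 here overrides the overlapping fields while leaving the rest of Graylog's mapping in place. The "message" mapping type is an Elasticsearch 6 construct; Elasticsearch 7 removed mapping types, so there the properties block goes directly under mappings. A geo_point field accepts the "lat,lon" string the GeoIP resolver writes, which is why no conversion rule is needed. Once the index has been recreated, fetch the index's _mapping and confirm the two fields report geo_point; if they do not, the template was not applied.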

GeoIP Plugin activation

In Graylog go to System / Configurations and:

  1. Change the order of the Message Processors to the following sequence:
     1. AWS Instance Name Lookup
     2. Message Filter Chain
     3. Pipeline Processor
     4. GeoIP Resolver

This should look like the screenshot. The GeoIP Resolver runs last so that the fields produced by the extractors (Message Filter Chain) and the pipeline rules (Pipeline Processor) already exist when it resolves them.

Enable and update the Geo-Location Processor

cd /etc/graylog/server/
wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz
tar -xzf GeoLite2-City.tar.gz
mv GeoLite2-City_*/GeoLite2-City.mmdb .

Note that MaxMind no longer serves GeoLite2 from this anonymous URL; the database now requires a free MaxMind account and a license key, and the download URL carries that key, so the wget line has to be adjusted. Keep the key out of shell history and out of scripts committed to git.

Then, under Geo-Location Processor Configuration, enable the Geo-Location processor and point it at the .mmdb file.

Pipelines

The date and time in the pfSense log messages are not carried over: Graylog stores the arrival time in its timestamp field, in UTC, so we derive a local-time field for Grafana to avoid time zone interpretation problems when the data is displayed.

We edit the pfsense pipeline in System / Pipelines.

Source of the rule that produces the timestamp field we will use in Grafana:

    rule "timestamp_pfsense_for_grafana"
    when
      has_field("timestamp")
    then
      // now() in the America/Habana zone renders as e.g. 2020-02-25T10:15:30.123-05:00;
      // the first 23 characters drop the zone offset, so the date format below
      // assumes there is no time zone in the string
      let source_timestamp = parse_date(substring(to_string(now("America/Habana")),0,23), "yyyy-MM-dd'T'HH:mm:ss.SSS");
      // re-render as the plain string the custom index template defines for real_timestamp
      let dest_timestamp = format_date(source_timestamp,"yyyy-MM-dd HH:mm:ss");
      set_field("real_timestamp", dest_timestamp);
    end

Because the rule calls now(), real_timestamp is the pipeline processing time rendered in Havana local time, not a value taken from the message itself; replace America/Habana with your own zone. We save, and the pipeline is ready to receive the first logs.

Pfsense

We now prepare pfSense to send its logs to Graylog. In Status / System Logs / Settings we modify the options that allow this.

Go to the Remote Logging Options section and, under Remote log servers, enter the IP address of the Graylog host and the port on which the content pack's pfsense input listens, in this case 5442.

Syslog carries no authentication or encryption, so restrict reachability of that port to the firewall's address with the Graylog host's packet filter, and send the logs over a management network rather than across the internet.

We save the configuration.

Graylog

We now open Graylog, select the pfsense stream, and watch the log messages being parsed into fields.

Grafana

Graylog's dashboards do not, in my view, offer what Grafana does, so we build our dashboard in Grafana.

We create the data source in Grafana (an Elasticsearch data source, since Grafana reads the indices directly) and name it Pfsense-Graylog.

I share a pre-designed dashboard on the official Grafana site which can be imported.

We select Import dashboard, upload the downloaded .json file, and associate it with the data source created for it.

We can now see the dashboard in action.

pfsense-graylog's People

Contributors

devopstales, opc40772, paldib


pfsense-graylog's Issues

speed up extractors

With many logs sent to graylog I need to change the extractors from grok patterns to csv patterns and regex.

Extractor conditions not satisfied

The message field from the input never contains the application_name so the extractor is never executed.
In the example below, filterlog is not part of the 'message', therefore the extractor is not applied to these items.

The dashboard not working latest grafana

Thanks for your work!
Is there an updated dashboard json file for the latest Grafana? It appears the current version of the dashboard is no longer compatible with the latest version of Grafana.
Thanks again.

GROK patterns fail to parse interfaces with "." like VLAN interfaces

Filterlog messages like:
199,,,1582642731,vtnet0.99,match,pass,in,4,0x0,,64,16922,0,DF,17,udp,65,10.0.99.20,10.0.99.1,56672,53,45
cannot be parsed by the grok patterns, as interfaces are defined as WORD and WORD does not contain the "." character.
Instead for me I changed grok pattern PFSENSE_LOG_DATA from:

%{INT:rule},%{INT:sub_rule}?,,%{INT:tracker},%{WORD:iface},%{WORD:reason},%{WORD:action},%{WORD:direction},

TO
%{INT:rule},%{INT:sub_rule}?,,%{INT:tracker},%{USERNAME:iface},%{WORD:reason},%{WORD:action},%{WORD:direction},

USERNAME allows for mostly similar characters to WORD but also contains the ".", allowing the pattern to be matched in case the interface is a VLAN interface.
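Added example, not code from the content pack or from the issue's author: a Python parser that splits the filterlog CSV payload instead of matching it with grok, so an interface name containing a dot such as vtnet0.99 needs no special pattern, and that only fires for messages whose program name is filterlog (the extractor condition discussed in the second issue above). It also applies a port-to-service lookup in the layout of the IANA CSV the README installs, and runs a small detection over a batch of lines. The sample log lines are constructed for this example (two of the payloads are the ones quoted in the issues on this page); field names beyond those in the README's grok pattern are this example's own.

```python
"""Added example (not the content pack's code): parse pfSense/OPNsense filterlog
lines by splitting the CSV payload, so interface names such as vtnet0.99 parse
unchanged, then enrich them with a port->service lookup. Samples are constructed."""
import csv
import io
import re
from typing import Dict, List, Optional

# Constructed excerpt in the layout of IANA's service-names-port-numbers.csv,
# the file the README copies to /etc/graylog/server for the lookup table.
SERVICE_CSV = """Service Name,Port Number,Transport Protocol,Description
ssh,22,tcp,The Secure Shell (SSH) Protocol
domain,53,tcp,Domain Name Server
domain,53,udp,Domain Name Server
"""

# Constructed sample messages. Payloads 1 and 3 are the lines quoted in the
# issues on this page; the headers and the other lines are made up (RFC 5737 IPs).
SAMPLE_LOGS = [
    "<134>Feb 25 15:58:51 pfsense filterlog[12345]: 199,,,1582642731,vtnet0.99,"
    "match,pass,in,4,0x0,,64,16922,0,DF,17,udp,65,10.0.99.20,10.0.99.1,56672,53,45",
    "<134>Feb 25 15:58:52 pfsense filterlog[12345]: 5,,,1000000103,em0,match,block,"
    "in,4,0x0,,51,0,0,DF,6,tcp,60,203.0.113.7,198.51.100.2,51234,22,0,S,1849612497,"
    ",65535,,mss;sackOK;TS;nop;wscale",
    "opnsense.lan.localdomain filterlog[74604]: 66,,,0,wg0,match,pass,out,4,0x0,,63,"
    "26087,0,DF,17,udp,675,192.168.0.2,192.168.1.15,37160,8089,655",
    "<38>Feb 25 15:58:54 pfsense sshd[999]: Accepted publickey for admin from 10.0.0.5",
]

# Optional "<PRI>Mon dd hh:mm:ss " syslog header, then host and program name.
# Messages from other programs (sshd, dhcpd, ...) are rejected here, which is
# the condition the content pack's extractor checks before it runs.
FILTERLOG_RE = re.compile(
    r"^(?:(?:<\d+>)?[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d )?"
    r"(?P<host>\S+) filterlog\[\d+\]: (?P<csv>.+)$"
)

# pf filterlog column layout: common prefix, IP-version part, protocol tail.
COMMON = ["rule", "sub_rule", "anchor", "tracker", "iface",
          "reason", "action", "direction", "ip_version"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags",
        "proto_id", "proto", "length", "src_ip", "dest_ip"]
IPV6 = ["class", "flow_label", "hop_limit", "proto",
        "proto_id", "length", "src_ip", "dest_ip"]
TCP = ["src_port", "dest_port", "data_length", "tcp_flags",
       "seq", "ack", "window", "urg", "options"]
UDP = ["src_port", "dest_port", "data_length"]


def parse_filterlog(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one filterlog line, or None for any other message."""
    m = FILTERLOG_RE.match(line)
    if m is None:
        return None
    parts = m.group("csv").split(",")          # a "." in iface is just data here
    fields = {"host": m.group("host")}
    fields.update(zip(COMMON, parts))
    rest = parts[len(COMMON):]
    version_cols = {"4": IPV4, "6": IPV6}.get(fields.get("ip_version", ""))
    if version_cols is None:
        return fields
    fields.update(zip(version_cols, rest))
    rest = rest[len(version_cols):]
    fields.update(zip({"tcp": TCP, "udp": UDP}.get(fields.get("proto", ""), []), rest))
    return fields


def load_services(csv_text: str) -> Dict[tuple, str]:
    """Build the (port, transport) -> service-name table the lookup uses."""
    table: Dict[tuple, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        table.setdefault((row["Port Number"], row["Transport Protocol"]),
                         row["Service Name"])
    return table


def enrich(fields: Dict[str, str], services: Dict[tuple, str]) -> Dict[str, str]:
    """Add dest_service from the lookup table; fall back to the port number."""
    if "dest_port" in fields:
        key = (fields["dest_port"], fields.get("proto", ""))
        fields["dest_service"] = services.get(key, fields["dest_port"])
    return fields


def blocked_inbound(lines: List[str], services: Dict[tuple, str]) -> Dict[str, List[str]]:
    """Source IP -> services it was blocked from reaching, over a batch of lines."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        f = parse_filterlog(line)
        if f is None or f.get("action") != "block" or f.get("direction") != "in":
            continue
        hits.setdefault(f["src_ip"], []).append(enrich(f, services)["dest_service"])
    return hits
```

Splitting on commas is the "csv pattern" approach the first issue asks for: it is cheaper than grok on high-volume inputs and is indifferent to what characters the interface name contains. The OPNsense payload from the compatibility issue parses with the same column layout, so whatever stops the content pack's extractors on OPNsense lies outside the CSV part of the message.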

Content Pack, error installing with Graylog 3.3

Hello,

apparently it's a common issue with graylog updates breaking content pack compatibility.
I get this message when installing the content pack
Installing content pack failed with status: Error: cannot POST http://<IP>:<PORT>/api/system/content_packs/ebb6c11e-bcff-4686-aaac-6cfafc7b441e/1/installations (500). Could not install Content Pack with ID: ebb6c11e-bcff-4686-aaac-6cfafc7b441e
Not looking for a fixed version, but rather at a way to know where to start... !
thanks

edit: managed to find logs for graylog. simply a conflict with an existing rule on a pipeline.

Question rather than issue

Hi there, thank you for keeping this up-to-date.

I need to ask if there is a particular reason I don't have the log files from pfsense shown in graylog. Is this pack only for the Grafana implementation?

note that raw inputs work just fine.

If that is the case can you please point me to a way to display the log messages also in graylog? thank you

Thank you for your effort

Compatibility With OPNsense?

  • Expected behavior
    Since OPNsense is a fork of pfsense and the content pack in the graylog marketplace has a "OPNsense" tag, I thought that this project should also work on the current of OPNsense (e.g. the logs are parsed correctly within graylog).

  • Current behavior
    Logs are sent to graylog as expected, but almost no field other than "level" and "facility" is parsed correctly:

The log messages seem to have a different format:
opnsense.lan.localdomain filterlog[74604]: 66,,,0,wg0,match,pass,out,4,0x0,,63,26087,0,DF,17,udp,675,192.168.0.2,192.168.1.15,37160,8089,655

  • Environment
  • OPNsense 20.7.3-amd64
  • Graylog v3.3.8+e223f85
  • elasticsearch-oss:6.8.10
  • cerebro 0.9.2

Is there any way to get this great project working with the current version of OPNsense?

Is this working for the latest pfsense 2.6.0?

I follow the instructions, using the same versions of every piece, but I just don't know if my pfsense version is compatible because Graylog just shows a few fields of logs, I think this is the reason Grafana doesn't show info. Could you give me some advice, what can I do?

Thanks in advance!


src_location not being calculated from src_ip_geolocation

Hello,

I have the issue that src_location isn't available and therefore the Grafana Worldmap panel doesn't work. The IP lookup itself works, src_ip_geolocation is filled with lat,lon of the IP location, and _country and _city are filled too. Just the conversion to the geo_point field "src_location" (which is required for the Worldmap panel to work) isn't working and I can't figure out why. Where to start digging?

does not

pf_custom json does not support elasticsearch-oss/stable,now 7.10.0 and cerebro 0.9.3

working in Graylog 3.1.2?

Hi,
I've tried to set it up but it seems some parts of the content pack can't be installed, especially the extractors. Could you check this?

Content pack for Graylog 5 and Elasticsearch 7?

Is compatible with ES7 the content pack that you have share? pfsense_content_pack/graylog5_regex/extractors/pfSense_Extractors_Firewall_2.5.0_RFC_3164.json

I have Graylog with Elasticsearch 7.

Thanks in advance!
