Create 11-pfsense.conf

11-pfsense.conf

+filter {  
+  if "PFSense" in [tags] {
+    grok {
+      add_tag => [ "firewall" ]
+      match => [ "message", "<(?<evtid>.*)>(?<datetime>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) (?<prog>.*?): (?<msg>.*)" ]
+    }
+    mutate {
+      gsub => ["datetime","  "," "]
+    }
+    date {
+      match => [ "datetime", "MMM dd HH:mm:ss" ]
+      timezone => "America/New_York"
+    }
+    mutate {
+      replace => [ "message", "%{msg}" ]
+    }
+    mutate {
+      remove_field => [ "msg", "datetime" ]
+    }
+}
+if [prog] =~ /^filterlog$/ {  
+    mutate {
+      remove_field => [ "msg", "datetime" ]
+    }
+    grok {
+      patterns_dir => "/etc/logstash/conf.d/patterns"
+      match => [ "message", "%{PFSENSE_LOG_DATA}%{PFSENSE_IP_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}",
+                 "message", "%{PFSENSE_LOG_DATA}%{PFSENSE_IPv4_SPECIFIC_DATA_ECN}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}",
+                 "message", "%{PFSENSE_LOG_DATA}%{PFSENSE_IPv6_SPECIFIC_DATA}"]
+    }
+    mutate {
+      lowercase => [ 'proto' ]
+    }
+    geoip {
+      add_tag => [ "GeoIP" ]
+      source => "src_ip"
+      # Optional GeoIP database
+      # Comment out the below if you do not wise to utilize and omit last three steps dealing with (recommended) suffix
+      database => "/etc/logstash/GeoLite2-City.mmdb"
+    }
+  }
+}