diff --git a/11-pfsense.conf b/11-pfsense.conf new file mode 100644 index 0000000000000000000000000000000000000000..cf7533fb34c5e8866db8d50f8da2ae85d426f47f --- /dev/null +++ b/11-pfsense.conf @@ -0,0 +1,42 @@ +filter { + if "PFSense" in [tags] { + grok { + add_tag => [ "firewall" ] + match => [ "message", "<(?<evtid>.*)>(?<datetime>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) (?<prog>.*?): (?<msg>.*)" ] + } + mutate { + gsub => ["datetime"," "," "] + } + date { + match => [ "datetime", "MMM dd HH:mm:ss" ] + timezone => "America/New_York" + } + mutate { + replace => [ "message", "%{msg}" ] + } + mutate { + remove_field => [ "msg", "datetime" ] + } +} +if [prog] =~ /^filterlog$/ { + mutate { + remove_field => [ "msg", "datetime" ] + } + grok { + patterns_dir => "/etc/logstash/conf.d/patterns" + match => [ "message", "%{PFSENSE_LOG_DATA}%{PFSENSE_IP_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}", + "message", "%{PFSENSE_LOG_DATA}%{PFSENSE_IPv4_SPECIFIC_DATA_ECN}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}", + "message", "%{PFSENSE_LOG_DATA}%{PFSENSE_IPv6_SPECIFIC_DATA}"] + } + mutate { + lowercase => [ 'proto' ] + } + geoip { + add_tag => [ "GeoIP" ] + source => "src_ip" + # Optional GeoIP database + # Comment out the below if you do not wise to utilize and omit last three steps dealing with (recommended) suffix + database => "/etc/logstash/GeoLite2-City.mmdb" + } + } +}