From 5e4892e4238484ea6ca7460f6d7b3734d1a689c3 Mon Sep 17 00:00:00 2001
From: a3ilson <a@3ilson.com>
Date: Sat, 11 Nov 2017 10:13:32 -0500
Subject: [PATCH] Update 11-pfsense.conf

Updated to support multiple PFSense's
---
 11-pfsense.conf | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/11-pfsense.conf b/11-pfsense.conf
index cf7533f..658c398 100644
--- a/11-pfsense.conf
+++ b/11-pfsense.conf
@@ -1,5 +1,5 @@
 filter {
- if "PFSense" in [tags] {
+ if "PFSense1" in [tags] {
 grok {
 add_tag => [ "firewall" ]
 match => [ "message", "<(?<evtid>.*)>(?<datetime>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) (?<prog>.*?): (?<msg>.*)" ]
@@ -18,6 +18,26 @@ filter {
 remove_field => [ "msg", "datetime" ]
 }
 }
+#Support for multiple PFSense ingest
+# if "PFSense2" in [tags] {
+# grok {
+# add_tag => [ "firewall" ]
+# match => [ "message", "<(?<evtid>.*)>(?<datetime>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) (?<prog>.*?): (?<msg>.*)" ]
+# }
+# mutate {
+# gsub => ["datetime"," "," "]
+# }
+# date {
+# match => [ "datetime", "MMM dd HH:mm:ss" ]
+# timezone => "America/New_York"
+# }
+# mutate {
+# replace => [ "message", "%{msg}" ]
+# }
+# mutate {
+# remove_field => [ "msg", "datetime" ]
+# }
+#}
 if [prog] =~ /^filterlog$/ {
 mutate {
 remove_field => [ "msg", "datetime" ]
--
GitLab
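Review bot: Changing the tag test from "PFSense" to "PFSense1" in the first hunk silently drops every existing sender that still tags events "PFSense": those events skip the grok and date stages, arrive unparsed, and never receive the "firewall" tag, so downstream searches and alerts keyed on that tag go quiet without any error being raised. The second hunk addresses the multi-firewall case with a commented-out duplicate of the whole block, which keeps a second copy of the grok pattern and the fixed "America/New_York" timezone that will drift from the first; a single conditional covers all senders without a second copy, `if "PFSense" in [tags] or "PFSense1" in [tags] or "PFSense2" in [tags] {`. In that commented copy the line `gsub => ["datetime"," "," "]` appears to replace a space with a space, which may be whitespace loss in the page rather than the committed text, but is worth checking before the block is ever uncommented. The enclosing `filter {` block and the `[prog]` branch both continue outside the hunks.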