diff --git a/11-pfsense.conf b/11-pf.conf
similarity index 85%
rename from 11-pfsense.conf
rename to 11-pf.conf
index 78a17b75efb407e1de0ba651b98059a7217fe30d..211c13de07dfdff1b18c73104a2576fc6488bdd1 100644
--- a/11-pfsense.conf
+++ b/11-pf.conf
@@ -1,5 +1,5 @@
 filter {
-  if "pfsense" in [tags] {
+  if "pf" in [tags] {
     grok {
       add_tag => [ "firewall" ]
       match => [ "message", "<(?<evtid>.*)>(?<datetime>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) (?<prog>.*?): (?<msg>.*)" ]
@@ -32,7 +32,7 @@ filter {
     }
     grok {
       patterns_dir => ["/etc/logstash/conf.d/patterns"]
-      match => [ "message", "%{PFSENSE_SURICATA}"]
+      match => [ "message", "%{PF_SURICATA}"]
     }
     if ![geoip] and [ids_src_ip] !~ /^(10\.|192\.168\.)/ {
       geoip {
@@ -74,10 +74,10 @@ filter {
     }
     grok {
       patterns_dir => ["/etc/logstash/conf.d/patterns"]
-      match => [ "message", "%{PFSENSE_APP}%{PFSENSE_APP_DATA}"]
+      match => [ "message", "%{PF_APP}%{PF_APP_DATA}"]
     }
     mutate {
-      lowercase => [ 'pfsense_ACTION' ]
+      lowercase => [ 'pf_ACTION' ]
     }
   }
   if [prog] =~ /^apinger/ {
@@ -92,9 +92,9 @@ filter {
     grok {
       add_tag => [ "firewall" ]
       patterns_dir => ["/etc/logstash/conf.d/patterns"]
-      match => [ "message", "%{PFSENSE_LOG_DATA}%{PFSENSE_IP_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}",
-        "message", "%{PFSENSE_IPv4_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}",
-        "message", "%{PFSENSE_IPv6_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}"]
+      match => [ "message", "%{PF_LOG_DATA}%{PF_IP_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}",
+        "message", "%{PF_IPv4_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}",
+        "message", "%{PF_IPv6_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}"]
     }
     mutate {
       lowercase => [ 'proto' ]
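Review bot: The renamed field in the third hunk, `lowercase => [ 'pf_ACTION' ]`, is only correct if the `%{PF_APP_DATA}` pattern in /etc/logstash/conf.d/patterns now emits a capture named `pf_ACTION` rather than `pfsense_ACTION`; if the patterns file was not updated in the same change, grok fails at pipeline start with an undefined-pattern error, and if it still uses the old capture name the mutate becomes a silent no-op, so any detection or dashboard logic keyed on a lowercase block/pass action would stop matching without an error. The same external coupling applies to every `%{PF_*}` reference in the second and fourth hunks and to the `"pf"` tag in the first hunk, which the input stage must now set in place of `"pfsense"` (that stage is outside this diff). Index templates and saved searches that reference the old `pfsense_*` field names would likewise need updating. A comment above the tag check would make the dependency explicit, e.g. `# requires the PF_* patterns in patterns_dir and the "pf" tag set by the input stage`.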