From 6708d8ae9be450cc7c82f0054f1f437df4cae7fc Mon Sep 17 00:00:00 2001
From: a3ilson <a@3ilson.com>
Date: Sun, 25 Aug 2019 13:07:13 -0400
Subject: [PATCH] Update and rename 11-pfsense.conf to 11-pf.conf
---
 11-pfsense.conf => 11-pf.conf | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
 rename 11-pfsense.conf => 11-pf.conf (85%)
diff --git a/11-pfsense.conf b/11-pf.conf
similarity index 85%
rename from 11-pfsense.conf
rename to 11-pf.conf
index 78a17b7..211c13d 100644
--- a/11-pfsense.conf
+++ b/11-pf.conf
@@ -1,5 +1,5 @@
 filter {
- if "pfsense" in [tags] {
+ if "pf" in [tags] {
 grok {
 add_tag => [ "firewall" ]
 match => [ "message", "<(?<evtid>.*)>(?<datetime>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) (?<prog>.*?): (?<msg>.*)" ]
@@ -32,7 +32,7 @@ filter {
 }
 grok {
 patterns_dir => ["/etc/logstash/conf.d/patterns"]
- match => [ "message", "%{PFSENSE_SURICATA}"]
+ match => [ "message", "%{PF_SURICATA}"]
 }
 if ![geoip] and [ids_src_ip] !~ /^(10\.|192\.168\.)/ {
 geoip {
@@ -74,10 +74,10 @@ filter {
 }
 grok {
 patterns_dir => ["/etc/logstash/conf.d/patterns"]
- match => [ "message", "%{PFSENSE_APP}%{PFSENSE_APP_DATA}"]
+ match => [ "message", "%{PF_APP}%{PF_APP_DATA}"]
 }
 mutate {
- lowercase => [ 'pfsense_ACTION' ]
+ lowercase => [ 'pf_ACTION' ]
 }
 }
 if [prog] =~ /^apinger/ {
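Review bot: The tag test on the `+` line of the first hunk now matches only events carrying `pf`, so anything an input stage still tags `pfsense` falls past this entire filter block with no error — those firewall logs get indexed unparsed and without the `firewall` tag, which is a quiet detection gap rather than a visible failure. The input configuration that assigns the tag is not part of this commit (the diffstat lists a single file), so it is worth confirming it was changed in step. `pf` is also a broader name than `pfsense`; any other pf-based source tagged the same way would be run through these pfSense-shaped grok patterns, which is presumably not intended. For a safe transition accept both tags: `if "pf" in [tags] or "pfsense" in [tags] {`. The `filter { ... }` block this conditional sits in continues past the hunk.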
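Review bot: `lowercase => [ 'pf_ACTION' ]` in the third hunk only normalises a field that actually exists — mutate does nothing, silently, when the named field is absent — so if the `PF_APP_DATA` pattern under `/etc/logstash/conf.d/patterns` still captures into `pfsense_ACTION` (that patterns file is not touched here; the diffstat shows one file changed), the action value stays mixed-case and any downstream match on `block`/`pass` quietly stops firing. Make the mismatch visible instead of silent, e.g. before the mutate: `if ![pf_ACTION] { mutate { add_tag => [ "_pf_action_missing" ] } }`, and confirm the capture name in the patterns file was renamed together with `%{PF_APP}%{PF_APP_DATA}`. The block enclosing this grok/mutate pair opens before the hunk; only its closing braces are visible.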
@@ -92,9 +92,9 @@ filter { grok { add_tag => [ "firewall" ] patterns_dir => ["/etc/logstash/conf.d/patterns"] - match => [ "message", "%{PFSENSE_LOG_DATA}%{PFSENSE_IP_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}", - "message", "%{PFSENSE_IPv4_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}", - "message", "%{PFSENSE_IPv6_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}"] + match => [ "message", "%{PF_LOG_DATA}%{PF_IP_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}", + "message", "%{PF_IPv4_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}", + "message", "%{PF_IPv6_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}"] } mutate { lowercase => [ 'proto' ] -- GitLab
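Review bot: The three `+` match alternatives now depend on `PF_LOG_DATA`, `PF_IP_SPECIFIC_DATA`, `PF_IP_DATA`, `PF_PROTOCOL_DATA`, `PF_IPv4_SPECIFIC_DATA` and `PF_IPv6_SPECIFIC_DATA` being defined under `/etc/logstash/conf.d/patterns`, but the commit changes only `11-pf.conf` (diffstat: one file changed). If that patterns file still defines the `PFSENSE_*` names, grok should refuse the configuration at pipeline load with a "pattern not defined" error, and the whole pipeline — every other filter and output in it, not just this block — fails to start, so a rename meant to be cosmetic becomes a logging outage. Land the patterns-file rename in the same change, or keep the old names defined as aliases of the new ones in the patterns file so either config loads during rollout. The conditional enclosing this `grok` opens before the hunk, and the `mutate { lowercase => [ 'proto' ] }` block at the end closes past it.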