Update and rename 11-pfsense.conf to 11-pf.conf

6708d8ae · a3ilson · GitHub · 99f086dc · 6708d8ae
Unverified Commit 6708d8ae authored Aug 25, 2019 by a3ilson Committed by GitHub Aug 25, 2019
--- a/11-pfsense.conf
+++ b/11-pfsense.conf
 filter {
-  if "pfsense" in [tags] {
+  if "pf" in [tags] {
    grok {
      add_tag => [ "firewall" ]
      match => [ "message", "<(?<evtid>.*)>(?<datetime>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) (?<prog>.*?): (?<msg>.*)" ]
@@ -32,7 +32,7 @@ filter {
              }
              grok {
                  patterns_dir => ["/etc/logstash/conf.d/patterns"]
-                  match => [ "message", "%{PFSENSE_SURICATA}"]
+                  match => [ "message", "%{PF_SURICATA}"]
             }
                if ![geoip] and [ids_src_ip] !~ /^(10\.|192\.168\.)/ {
                  geoip {
@@ -74,10 +74,10 @@ filter {
              }
              grok {
                  patterns_dir => ["/etc/logstash/conf.d/patterns"]
-                  match => [ "message", "%{PFSENSE_APP}%{PFSENSE_APP_DATA}"]
+                  match => [ "message", "%{PF_APP}%{PF_APP_DATA}"]
              }
              mutate {
-                  lowercase => [ 'pfsense_ACTION' ]
+                  lowercase => [ 'pf_ACTION' ]
              }
            }
            if [prog] =~ /^apinger/ {
@@ -92,9 +92,9 @@ filter {
                grok {
                    add_tag => [ "firewall" ]
                    patterns_dir => ["/etc/logstash/conf.d/patterns"]
-                    match => [ "message", "%{PFSENSE_LOG_DATA}%{PFSENSE_IP_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}",
+                    match => [ "message", "%{PF_LOG_DATA}%{PF_IP_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}",
-                               "message", "%{PFSENSE_IPv4_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}",
+                               "message", "%{PF_IPv4_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}",
-                               "message", "%{PFSENSE_IPv6_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}"]
+                               "message", "%{PF_IPv6_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}"]
                }
                mutate {
                    lowercase => [ 'proto' ]