From b40847fdd3dbafb5652a825abdc150a61bc5a24e Mon Sep 17 00:00:00 2001
From: Andrew <a@3ilson.com>
Date: Tue, 10 Sep 2019 11:51:32 -0400
Subject: [PATCH] Update 11-pf.conf

Fix for OPNsense v19.7+
---
 11-pf.conf | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/11-pf.conf b/11-pf.conf
index ec49c72..d3f6f59 100644
--- a/11-pf.conf
+++ b/11-pf.conf
@@ -2,7 +2,10 @@ filter {
   if "pf" in [tags] {
     grok {
       add_tag => [ "firewall" ]
-      match => [ "message", "<(?<evtid>.*)>(?<datetime>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) (?<prog>.*?): (?<msg>.*)" ]
+      #PFsense
+      #match => [ "message", "<(?<evtid>.*)>(?<datetime>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) (?<prog>.*?): (?<msg>.*)" ]
+      #OPNsense
+      match => [ "message", "<(?<evtid>.*)>(?<datetime>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) (?<firewall>.*?) (?<prog>.*?): (?<msg>.*)" ]
     }
     mutate {
       gsub => ["datetime","  "," "]
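Review bot: The new `match` on the added line replaces the pfSense pattern instead of extending it, so any pfSense syslog line (no hostname token between the timestamp and `prog`) will likely no longer match, receive grok's default `_grokparsefailure` tag, and arrive downstream without `prog`/`msg`; the commented-out copy above it is dead text that keeps no event flowing. Grok accepts a list of patterns tried in order, so one config can serve both products: `match => { "message" => [ "<OPNsense pattern with (?<firewall>.*?)>", "<original pfSense pattern>" ] }` (placeholders stand for the two full regexes already on this hunk), with the stricter OPNsense form first so it is attempted before the looser fallback. The two `#PFsense`/`#OPNsense` marker comments can then label the list entries rather than a disabled line. The enclosing `filter {` block and the `mutate` block both start or end outside this hunk.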
-- 
GitLab