From dbb9f4f360b40099858e9573aba8d6fcf5714428 Mon Sep 17 00:00:00 2001
From: Andrew <a@3ilson.com>
Date: Tue, 10 Sep 2019 09:05:25 -0400
Subject: [PATCH] Update pfv100.grok

swedishmike provided OPENVPN grok pattern
---
 pfv100.grok | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pfv100.grok b/pfv100.grok
index 1d3596f..dc580e9 100644
--- a/pfv100.grok
+++ b/pfv100.grok
@@ -49,5 +49,8 @@ PF_APP_LOGOUT User (%{DATA:pf_ACTION}) for user \'(%{DATA:pf_USER})\' from: (%{G
 PF_APP_ERROR webConfigurator (%{DATA:pf_ACTION}) for \'(%{DATA:pf_USER})\' from (%{GREEDYDATA:pf_REMOTE_IP})
 PF_APP_GEN (%{GREEDYDATA:pf_ACTION})
+# OPENVPN
+PF_OPENVPN_CONNECTION %{IP:vpn_src_ip}\:%{INT:vpn_src_port}%{SPACE}\[%{DATA:vpn_client}\]%{SPACE}Peer%{SPACE}Connection%{SPACE}Initiated%{SPACE}with%{GREEDYDATA}
+
 # SURICATA
 SURICATA %{SPACE}\[%{NUMBER:ids_gen_id}:%{NUMBER:ids_sig_id}:%{NUMBER:ids_sig_rev}\]%{SPACE}%{GREEDYDATA:ids_desc}%{SPACE}\[Classification:%{SPACE}%{GREEDYDATA:ids_class}\]%{SPACE}\[Priority:%{SPACE}%{NUMBER:ids_pri}\]%{SPACE}{%{WORD:ids_proto}}%{SPACE}%{IP:ids_src_ip}:%{NUMBER:ids_src_port}%{SPACE}->%{SPACE}%{IP:ids_dest_ip}:%{NUMBER:ids_dest_port}
-- 
GitLab
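Review bot: The trailing `%{GREEDYDATA}` on the added PF_OPENVPN_CONNECTION line has no field name, so everything after `Initiated with` is consumed but never stored on the event, which leaves the connection record without the peer endpoint that a detection rule or correlation on VPN logins would key on. Capturing it is a one-token change, e.g. `...Initiated%{SPACE}with%{GREEDYDATA:vpn_peer}` (field name is a suggestion; pick whatever fits the `vpn_` convention the line already uses). The pattern also types the port as `%{INT:vpn_src_port}` while the SURICATA line in the same hunk uses `%{NUMBER:...}` for ports; presumably both are meant to index as the same numeric type, so worth aligning. A one-line comment above the pattern stating which OpenVPN log message it is meant to match would help the next maintainer, since only the "Peer Connection Initiated" event is covered here.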