Nagios Log Server filter for pfSense 2.2

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
ljorg
Posts: 18
Joined: Wed Jan 14, 2015 6:24 am

Nagios Log Server filter for pfSense 2.2

Post by ljorg »

Hi,

pfSense 2.2 has changed the log format significantly. If you're sending your logs to Nagios Log Server or another implementation of a logstash stack, you need a new filter. I've spent a couple of days getting this to work the way I want it and it pretty much handles anything in the filterlog from pfSense. It doesn't handle any other log at all because I'm not interested in them at the moment.

This is my first effort at writing a logstash filter so some things might be stupid. But I'll be glad if I can save another poor soul a lot of hours getting this to work.

Code:

if [host] =~ /^192\.168\.1\.(1|2)$/ {
  # Anchored so that e.g. 192.168.1.10 does not match as well.
  grok {
    match => [ 'message', '.* %{WORD:program}:%{GREEDYDATA:rest}' ]
  }

  if [program] == "filterlog" {
    # Grab fields up to IP version. The rest will vary depending on IP version.
    # The empty column (",,") is the anchor field, which pfSense leaves blank.
    grok {
      match => [ 'rest', '%{INT:rule_number},%{INT:sub_rule_number},,%{INT:tracker_id},%{WORD:interface},%{WORD:reason},%{WORD:action},%{WORD:direction},%{WORD:ip_version},%{GREEDYDATA:rest2}' ]
    }

    mutate {
      replace => [ 'message', '%{rest2}' ]
    }

    if [ip_version] == "4" {
      # IPv4. Grab fields up to dest_ip. Rest can vary.
      # The unnamed (\d+)? is the optional ECN column.
      grok {
        match => [ 'message', '%{WORD:tos},(\d+)?,%{INT:ttl},%{INT:id},%{INT:offset},%{WORD:flags},%{INT:protocol_id},%{WORD:protocol},%{INT:length},%{IP:src_ip},%{IP:dest_ip},%{GREEDYDATA:rest3}' ]
      }

      # grok captures are strings, so compare against "2", not the integer 2.
      if [protocol_id] != "2" {
        # Non-IGMP has more fields.
        grok {
          match => [ 'rest3', '%{WORD:src_port},%{WORD:dest_port}' ]
        }
      }
    } else {
      # IPv6. Grab fields up to dest_ip. Rest can vary.
      grok {
        match => [ 'message', '%{WORD:class},%{WORD:flow_label},%{INT:hop_limit},%{WORD:protocol},%{INT:protocol_id},%{INT:length},%{IPV6:src_ip},%{IPV6:dest_ip},%{GREEDYDATA:rest3}' ]
      }

      mutate {
        replace => [ 'message', '%{rest3}' ]
        lowercase => [ 'protocol' ]
      }

      if [message] {
        # Non-ICMP has more fields.
        grok {
          match => [ 'message', '%{INT:src_port},%{INT:dest_port},%{INT:data_length}' ]
        }
      }
    }

    mutate {
      # Drop the scratch fields, clear any grok failure tag left by the
      # partial matches above and tag the event as a packet filter log.
      remove_field => [ 'message', 'rest', 'rest2', 'rest3' ]
      remove_tag => [ '_grokparsefailure' ]
      add_tag => [ 'packetfilter' ]
    }
  }
}
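To check the field order this filter assumes without a Logstash stack at hand, here is an added Ruby re-implementation of the same grok stages (example code written for this thread, not ljorg's filter and not part of Nagios Log Server). The regexes are simplified stand-ins for the grok patterns (INT as \d+, WORD as \w+, loose address classes for IP and IPV6), the sample lines are constructed in the pfSense 2.2 filterlog layout rather than captured, and it deliberately differs from the filter in three places: the host match is anchored, protocol_id is compared as the string "2" because grok captures are strings, and a line that fails to parse keeps the _grokparsefailure tag instead of having it removed.

```ruby
# Added example for this thread, not code from the original post: the same grok
# stages as the filter above, in plain Ruby, so the assumed field order can be
# checked against sample lines offline. Regexes are simplified stand-ins for the
# grok patterns (INT -> \d+, WORD -> \w+, IP/IPV6 -> loose address classes).

# Hosts that send filterlog; anchored so that 192.168.1.10 does not match.
PF_HOST = /\A192\.168\.1\.(1|2)\z/

# Stage 1: syslog prefix "... <program>:<rest>" (the ".*" is greedy, as in the grok).
PROGRAM_RE = /.* (\w+):(.*)\z/

# Stage 2: fields shared by IPv4 and IPv6. ",," is the blank anchor column.
COMMON_RE   = /(\d+),(\d+),,(\d+),(\w+),(\w+),(\w+),(\w+),(\d+),(.*)\z/
COMMON_KEYS = %w[rule_number sub_rule_number tracker_id interface reason action direction ip_version]

# Stage 3a: IPv4 header up to dest_ip. The optional column after tos is ECN,
# which the filter leaves unnamed; it is kept here as 'ecn' when present.
IPV4_RE   = /(\w+),(\d+)?,(\d+),(\d+),(\d+),(\w+),(\d+),(\w+),(\d+),([\d.]+),([\d.]+),(.*)\z/
IPV4_KEYS = %w[tos ecn ttl id offset flags protocol_id protocol length src_ip dest_ip]

# Stage 3b: IPv6 header up to dest_ip.
IPV6_RE   = /(\w+),(\w+),(\d+),(\w+),(\d+),(\d+),([0-9a-fA-F:.]+),([0-9a-fA-F:.]+),(.*)\z/
IPV6_KEYS = %w[class flow_label hop_limit protocol protocol_id length src_ip dest_ip]

# Parse one syslog line the way the filter does. Returns nil when the host is not
# a pfSense box or the program is not filterlog; otherwise a Hash of string
# fields plus a 'tags' array. Parse failures keep '_grokparsefailure' so they
# stay visible (the filter removes that tag).
def parse_filterlog(host, message)
  return nil unless host =~ PF_HOST
  m = PROGRAM_RE.match(message)
  return nil unless m && m[1] == 'filterlog'
  event = { 'program' => m[1], 'tags' => [] }
  failed = ->(ev) { ev.merge('tags' => ['_grokparsefailure']) }

  c = COMMON_RE.match(m[2])
  return failed.(event) unless c
  COMMON_KEYS.each_with_index { |k, i| event[k] = c[i + 1] }
  rest2 = c[COMMON_KEYS.size + 1]

  if event['ip_version'] == '4'
    h = IPV4_RE.match(rest2)
    return failed.(event) unless h
    IPV4_KEYS.each_with_index { |k, i| event[k] = h[i + 1] unless h[i + 1].nil? }
    rest3 = h[IPV4_KEYS.size + 1]
    # Grok captures are strings: compare with "2" (IGMP), not the integer 2.
    if event['protocol_id'] != '2' && (pm = /(\w+),(\w+)/.match(rest3))
      event['src_port'], event['dest_port'] = pm[1], pm[2]
    end
  else
    h = IPV6_RE.match(rest2)
    return failed.(event) unless h
    IPV6_KEYS.each_with_index { |k, i| event[k] = h[i + 1] }
    event['protocol'] = event['protocol'].downcase # pfSense writes "TCP"/"UDP" here
    rest3 = h[IPV6_KEYS.size + 1]
    if (pm = /(\d+),(\d+),(\d+)/.match(rest3))
      event['src_port'], event['dest_port'], event['data_length'] = pm[1], pm[2], pm[3]
    end
  end
  event['tags'] << 'packetfilter'
  event
end

# Constructed sample lines in the pfSense 2.2 filterlog layout (not captured logs).
SAMPLES = {
  tcp4:  'Feb 10 12:00:00 192.168.1.1 filterlog: 5,16777216,,1000000103,igb0,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,203.0.113.5,192.168.1.1,51234,22,0,S,123456789,,65535,,mss',
  igmp4: 'Feb 10 12:00:01 192.168.1.1 filterlog: 7,16777216,,1000000105,igb0,match,pass,in,4,0xc0,,1,0,0,none,2,igmp,32,192.168.1.1,224.0.0.1,datalength=8',
  udp6:  'Feb 10 12:00:02 192.168.1.2 filterlog: 9,16777216,,1000000107,igb1,match,block,in,6,0x00,0x00000,255,UDP,17,56,fe80::1,ff02::1,546,547,48'
}

if __FILE__ == $PROGRAM_NAME
  # The host is the fourth syslog token in these samples.
  SAMPLES.each { |name, line| puts "#{name}: #{parse_filterlog(line.split[3], line).inspect}" }
end
```

Running the file prints the parsed Hash for each sample; the IGMP line comes out without src_port/dest_port, the IPv6 line with the protocol lowercased, and any line whose payload does not fit the layout carries the _grokparsefailure tag so the gap in the pattern is visible rather than silently dropped.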
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Nagios Log Server filter for pfSense 2.2

Post by scottwilkerson »

Thanks ljorg!