Pfsense Snort logs not parsing (Resolved)

Hello all,

I have just started using Graylog and I am not having much success parsing logs from snort installed on pfsense. I have followed this tutorial to the letter and I still don't see individual fields, as shown at the end of this post.

Any help/insight is appreciated.

All I see is this

Did you create a Processing pipeline and have that then connected to a stream that just holds all snort messages?

Yep, I have everything configured as per instructions.

The simulation even works fine.

I had to change the order under

System > Configurations

Also changed pipeline to use this code

rule "Extract Snort alert fields"
when
  has_field("message")
then
  // Capture groups, in order: gid, sid, rev, description, classification,
  // priority, interface, protocol, src ip, (optional ":port", src port),
  // dst ip, (optional ":port", dst port).
  let m = regex("\\[(\\d+):(\\d+):(\\d+)\\] (.+?) \\[Classification: (.+?)\\] \\[Priority: (\\d+)]: \\<(.+?)\\> \\{(.+?)\\} (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})(:(\\d{1,5}))? -> (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})(:(\\d{1,5}))?\\R?", to_string($message.message));

  set_field("snort_alert", true);

  // regex() numbers capture groups from "0", so m["0"] is the first group.
  set_field("generator_id", m["0"]);
  set_field("signature_id", m["1"]);
  set_field("signature_revision_id", m["2"]);

  set_field("description", m["3"]);
  set_field("classification", m["4"]);
  set_field("priority", to_long(m["5"]));
  // m["6"] is the interface (<em0>); it is not stored by this rule.
  set_field("protocol", m["7"]);

  // m["9"] and m["12"] are the outer optional ":port" groups; only the
  // inner digit groups are kept.
  set_field("src_addr", m["8"]);
  set_field("src_port", to_long(m["10"]));

  set_field("dst_addr", m["11"]);
  set_field("dst_port", to_long(m["13"]));
end
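To check the rule's regex and its group numbering offline before loading it into a pipeline, here is an added Python example (not from this thread or from Graylog) that applies the same pattern to constructed pfSense snort lines. It assumes only that Python's re needs "\r?\n?" in place of Java's "\R?" and that Graylog's regex() keys start at "0" while Python's groups start at 1; the sample alerts and their addresses are constructed.

```python
import re

# The same pattern as the thread's pipeline rule, as a Python raw string.
# Python's re has no \R, so the trailing "\R?" becomes "\r?\n?" (assumption:
# only the line-terminator handling differs from the Java/Graylog version).
SNORT_ALERT_RE = re.compile(
    r"\[(\d+):(\d+):(\d+)\] (.+?) \[Classification: (.+?)\] "
    r"\[Priority: (\d+)\]: <(.+?)> \{(.+?)\} "
    r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))? -> "
    r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))?\r?\n?"
)

# Field name -> Graylog regex() group key, exactly as in the rule above.
# Graylog numbers capture groups from "0"; Python's match.group() numbers
# them from 1, so key "0" is group(1), key "7" is group(8), and so on.
FIELD_GROUPS = {
    "generator_id": "0", "signature_id": "1", "signature_revision_id": "2",
    "description": "3", "classification": "4", "priority": "5",
    "protocol": "7", "src_addr": "8", "src_port": "10",
    "dst_addr": "11", "dst_port": "13",
}
LONG_FIELDS = {"priority", "src_port", "dst_port"}  # to_long() in the rule


def extract_snort_fields(message):
    """Return the fields the pipeline rule would set, or None if no match."""
    m = SNORT_ALERT_RE.search(message)
    if m is None:
        return None
    fields = {"snort_alert": True}
    for name, key in FIELD_GROUPS.items():
        value = m.group(int(key) + 1)  # 0-based Graylog key -> 1-based group
        if name in LONG_FIELDS:
            # The port groups are optional and absent for protocols without
            # ports (ICMP); keep None instead of inventing a port number.
            value = int(value) if value is not None else None
        fields[name] = value
    return fields


# Constructed sample alerts in the shape pfSense's snort package sends to
# syslog (the "message" part after the timestamp and host are stripped).
SAMPLE_TCP = ("[1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
              "[Classification: Potentially Bad Traffic] [Priority: 2]: "
              "<em0> {TCP} 203.0.113.10:80 -> 192.0.2.25:51234")
SAMPLE_ICMP = ("[1:384:8] PROTOCOL-ICMP PING [Classification: Misc activity] "
               "[Priority: 3]: <em0> {ICMP} 198.51.100.7 -> 192.0.2.25")

if __name__ == "__main__":
    for line in (SAMPLE_TCP, SAMPLE_ICMP):
        print(extract_snort_fields(line))
```

If a real line from your stream returns None here, the regex, not the pipeline wiring, is what needs adjusting.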
