Pfsense Syslog issue

Hi Guys,

I am having issue with syslog forwarding to Graylog.

I am using pfsense, and setup graylog on the centos, I setup what was required, but graylog cannot see syslogs from pfsense.

What did I miss? thanks

hey @anxion

did you check if any firewall is in between?

Hi Jan,

No extra firewall, only pfSense; they are on the same LAN.

When I check the packet capture, I see that they communicate with each other? Only ICMP is blocked.

16:16:20.539702 IP 192.168.0.1.514 > 192.168.0.10.1514: UDP, length 321
16:16:20.539739 IP 192.168.0.1.514 > 192.168.0.10.1514: UDP, length 321
16:16:20.539967 IP 192.168.0.1.514 > 192.168.0.10.1514: UDP, length 320
16:16:20.540010 IP 192.168.0.1.514 > 192.168.0.10.1514: UDP, length 320
16:16:20.540058 IP 192.168.0.10 > 192.168.0.1: ICMP host 192.168.0.10 unreachable - admin prohibited filter, length 357
16:16:20.540099 IP 192.168.0.10 > 192.168.0.1: ICMP host 192.168.0.10 unreachable - admin prohibited filter, length 357
16:16:20.540200 IP 192.168.0.10 > 192.168.0.1: ICMP host 192.168.0.10 unreachable - admin prohibited filter, length 356
16:16:20.540231 IP 192.168.0.10 > 192.168.0.1: ICMP host 192.168.0.10 unreachable - admin prohibited filter, length 356
16:16:20.540962 IP 192.168.0.1.514 > 192.168.0.10.1514: UDP, length 292
16:16:20.541008 IP 192.168.0.1.514 > 192.168.0.10.1514: UDP, length 292
16:16:25.499551 ARP, Request who-has 192.168.0.1 tell 192.168.0.10, length 46
16:16:25.499587 ARP, Reply 192.168.0.1 is-at xxxxxxxx, length 28

Do you think that I should try to disable the firewall on CentOS?

Hi Jan,

When I disabled the firewall on CentOS, all is working now. So it means that I need to put a rule for 1514? or 514?

you ingest to 1514 … that is the port that needs to be open…

thanks

Graylog is a nightmare to work with pfSense :confused:

I created a pipeline (copied from GitHub). Please see below.

But nothing is happening, it does not work at all, any idea? thanks

// Straight quotes are required; the curly quotes pasted from the forum break the rule parser.
rule "Extract Snort alert fields"
when
    has_field("message")
then
    // Capture groups: 0 generator, 1 signature id, 2 revision, 3 description, 4 classification,
    // 5 priority, 6 interface, 7 protocol, 8 src addr, 10 src port, 11 dst addr, 13 dst port
    // (groups 9 and 12 are the optional ":port" wrappers and are skipped on purpose).
    let m = regex("\\s?\\[(\\d+):(\\d+):(\\d+)\\] (.+?) \\[Classification: (.+?)\\] \\[Priority: (\\d+)]: \\<(.+?)\\> \\{(.+?)\\} (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})(:(\\d{1,5}))? -> (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})(:(\\d{1,5}))?\\R?", to_string($message.message));

    set_field("snort_alert", true);
    set_field("generator_id", m["0"]);
    set_field("signature_id", m["1"]);
    set_field("signature_revision_id", m["2"]);
    set_field("description", m["3"]);
    set_field("classification", m["4"]);
    set_field("priority", to_long(m["5"]));
    set_field("interface", m["6"]);
    set_field("protocol", m["7"]);
    set_field("src_addr", m["8"]);
    set_field("src_port", to_long(m["10"]));
    set_field("dst_addr", m["11"]);
    set_field("dst_port", to_long(m["13"]));
end
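The quickest way to find out whether this rule can ever fire is to run its regex against a known-good alert line outside Graylog. The following is an added example, not code from the thread or from Graylog: a Python translation of the rule's regex and field mapping (Java's `\R` line-break escape, which Python lacks, is replaced by an optional newline), run over constructed Snort alert lines and one unrelated pfSense line.

```python
import re

# Translation of the Graylog pipeline regex from the rule above. Python's re has
# no \R (Java's any-linebreak escape), so it is replaced with an optional newline.
SNORT_RE = re.compile(
    r"\s?\[(\d+):(\d+):(\d+)\] (.+?) \[Classification: (.+?)\] \[Priority: (\d+)\]: "
    r"<(.+?)> \{(.+?)\} "
    r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))? -> "
    r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))?(?:\r?\n)?"
)

# Pipeline field name -> Graylog match index (m["0"] is the first capture group).
# Indices 9 and 12 are the optional ":port" wrappers, which is why the rule skips them.
FIELD_INDEX = {
    "generator_id": 0, "signature_id": 1, "signature_revision_id": 2,
    "description": 3, "classification": 4, "priority": 5, "interface": 6,
    "protocol": 7, "src_addr": 8, "src_port": 10, "dst_addr": 11, "dst_port": 13,
}
LONG_FIELDS = {"priority", "src_port", "dst_port"}  # wrapped in to_long() by the rule


def extract_snort_fields(message):
    """Return the fields the rule would set, or None when the regex does not match.

    A non-matching message sets no fields, which is what "nothing is happening"
    looks like in Graylog. Port fields are omitted when the optional ":port"
    group is absent (e.g. ICMP alerts) instead of being set to a bogus value.
    """
    m = SNORT_RE.search(message)
    if not m:
        return None
    fields = {"snort_alert": True}
    for name, idx in FIELD_INDEX.items():
        value = m.group(idx + 1)  # Python groups are 1-based, Graylog's map is 0-based
        if value is None:
            continue
        fields[name] = int(value) if name in LONG_FIELDS else value
    return fields


# Constructed sample lines in the layout the regex expects (not real alerts).
TCP_ALERT = ("[1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
             "[Classification: Potentially Bad Traffic] [Priority: 2]: <em0> {TCP} "
             "203.0.113.5:80 -> 192.168.0.10:51234")
ICMP_ALERT = ("[1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3]: "
              "<em1> {ICMP} 203.0.113.9 -> 192.168.0.10")
# Constructed pfSense filterlog line: the regex must not match it, so no fields are set.
FILTERLOG = "filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,17,udp"
```

If your real messages return None here, the message text Graylog sees (check the raw `message` field in the search view) does not have the layout the regex expects, and the rule is correct but never matches.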

Hey I updated Hobadee’s version of pfsense Extractor for Graylog 3.0 and it works so far. You can check it on my GitHub account. So far everything works good for me and I plan to expand it for IPSec logs. :slight_smile:


Hi

Did you just upload it?

thanks,

I have added your extractor, however I still don't see it in search. Please see image below.

What Input settings are you using? For pfSense logs I am using Syslog UDP. Then I created specific Stream for pfSense, and also specific index, but that shouldn’t cause the issue I believe.

Also check Elasticsearch logs, maybe you will find there something that would point to some error.


Hi
I use UDP syslog. The difference that I have noticed is that I have more of these, please see below.

Yes now you can filter search by each of the fields from the pfSense extractors.

Those logs in the background look like pfSense logs though, only in raw format of course.

You keep trying to filter based on the source input. I presume you tried a simple search of all logs regardless of the input, to see if there are pfSense logs?


Hi Facyber,

I am new to Graylog. :confused:

I was following this tutorial.

I followed only the official documentation; we are not using Grafana or anything else, pure Graylog only. I suggest you check the Elasticsearch log files. :confused:
