Thorough extractors for pfsense filter logs


@greenmoss


Installation

  • Open the Graylog administrative interface
  • Open the “System/Inputs” menu
  • Select “Inputs”
  • Select “Manage Extractors” for the input that receives pfSense logs
  • Select “Actions” menu
  • Select “Import extractors”
  • Paste the contents of extractors.json into the text box
  • Select the button “Add extractors to input”

Usage

  • Open your Graylog search
  • Search for pfsense_common_log_data
  • The search results should now show the TCP, UDP and ICMP data of each filter log line as separate fields

Background

This is intended to be a complete implementation of the pfSense filter log BNF output format. A few of the ICMP return types are not yet implemented, because I have not yet had example traffic to test them against.

I tried a few other sets of Graylog content packs and extractors. However, the ones I tried had a lot of embedded regular expressions and duplicated patterns, which caused them to miss a number of pfSense filter messages.

The rules in this repository are instead written to parse each line in stages, capturing as much of it as possible at every stage. This makes them easy to extend should the format evolve, and it makes it far less likely that one overly-specific rule fails to parse an entire pfSense log line.

These extractors generate many extra/intermediate fields. Depending on your point of view, this is either overly verbose or an aid to debugging and extending them.
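The layered approach described above (split the common header, then branch on IP version, then on protocol, and never let one unrecognised tail discard the whole line) is easier to reason about in plain code than in a chain of Graylog regex extractors. The following is an added example written for this page, not code from the extractors repository: a stand-alone Python parser for the pfSense filterlog CSV format, with the same "parse as much as possible" behaviour. Field names follow the pfSense filter log format documentation; the function and constant names, the `unparsed` field, and the spelling assumed for IPv6 ICMP are this example's own, and the sample log lines are constructed for the example rather than captured traffic.

```python
"""Stand-alone parser for the pfSense filterlog CSV format (added example).

Mirrors the staged approach of the Graylog extractors: common header,
then IP-version header, then protocol-specific fields. Field names follow
the pfSense filter log format documentation; everything else here is this
example's own naming. Sample lines below are constructed, not captured.
"""
import re
from collections import Counter
from typing import Dict, List

# Fields every filterlog line starts with, regardless of protocol.
COMMON = ["rulenr", "subrulenr", "anchor", "tracker", "interface",
          "reason", "action", "direction", "ipversion"]
# IP-version headers. Note that protocol id and protocol text swap order between v4 and v6.
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protoid",
        "proto", "length", "src", "dst"]
IPV6 = ["class", "flowlabel", "hoplimit", "proto", "protoid",
        "length", "src", "dst"]
TCP = ["srcport", "dstport", "datalen", "tcpflags", "seq", "ack",
       "window", "urg", "options"]
UDP = ["srcport", "dstport", "datalen"]
# ICMP: the first field is the type text; what follows depends on the type.
ICMP_BY_TYPE = {
    "request": ["icmp_id", "icmp_seq"],
    "reply": ["icmp_id", "icmp_seq"],
    "unreachproto": ["icmp_dst", "icmp_proto"],
    "unreachport": ["icmp_dst", "icmp_proto", "icmp_port"],
    "needfrag": ["icmp_dst", "icmp_mtu"],
    "tstamp": ["icmp_id", "icmp_seq"],
    "tstampreply": ["icmp_id", "icmp_seq", "icmp_otime", "icmp_rtime", "icmp_ttime"],
}
# Types whose only extra field is a free-text description.
ICMP_DESCRIBED = {"unreach", "timexceed", "paramprob", "redirect", "maskreply"}

# Accepts both "filterlog:" and "filterlog[pid]:" syslog prefixes.
SYSLOG_RE = re.compile(r"filterlog(?:\[\d+\])?:\s*(?P<csv>.*)$")


def _take(fields: List[str], pos: int, names: List[str], out: Dict[str, str]) -> int:
    """Copy len(names) fields starting at pos into out; missing fields become ''."""
    for name in names:
        out[name] = fields[pos] if pos < len(fields) else ""
        pos += 1
    return pos


def parse_filterlog(line: str) -> Dict[str, str]:
    """Parse one filterlog syslog line into named fields.

    Whatever follows the last recognised field is kept in 'unparsed'
    rather than silently dropped, so an unmodelled layout stays visible.
    """
    m = SYSLOG_RE.search(line)
    if not m:
        raise ValueError("not a filterlog line: %r" % line)
    fields = m.group("csv").split(",")
    out: Dict[str, str] = {}
    pos = _take(fields, 0, COMMON, out)

    if out["ipversion"] == "4":
        pos = _take(fields, pos, IPV4, out)
    elif out["ipversion"] == "6":
        pos = _take(fields, pos, IPV6, out)
    else:  # unknown IP version: keep the common header, park the rest
        out["unparsed"] = ",".join(fields[pos:])
        return out

    proto = out["proto"]
    if proto == "tcp":
        pos = _take(fields, pos, TCP, out)
    elif proto == "udp":
        pos = _take(fields, pos, UDP, out)
    elif "icmp" in proto:  # "icmp"; the IPv6 ICMP spelling is assumed here
        pos = _take(fields, pos, ["icmp_type"], out)
        icmp_type = out["icmp_type"]
        if icmp_type in ICMP_BY_TYPE:
            pos = _take(fields, pos, ICMP_BY_TYPE[icmp_type], out)
        elif icmp_type in ICMP_DESCRIBED:
            pos = _take(fields, pos, ["icmp_description"], out)

    rest = fields[pos:]
    if rest:
        out["unparsed"] = ",".join(rest)
    return out


def blocked_inbound(lines: List[str]) -> Counter:
    """Count blocked inbound flows by (interface, proto, dstport)."""
    hits: Counter = Counter()
    for line in lines:
        r = parse_filterlog(line)
        if r["action"] == "block" and r["direction"] == "in":
            hits[(r["interface"], r["proto"], r.get("dstport", ""))] += 1
    return hits


# Constructed sample lines (RFC 5737 / 3849 addresses), one per code path.
SAMPLE_LINES = [
    "Mar  3 10:15:03 pfsense filterlog[53217]: 5,,,1000000103,em0,match,block,in,4,0x0,,128,41872,0,DF,6,tcp,52,192.0.2.10,198.51.100.5,49181,445,0,S,3164919498,,8192,,mss;nop;wscale;nop;nop;sackOK",
    "Mar  3 10:15:04 pfsense filterlog[53217]: 9,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,17,udp,338,192.0.2.1,192.0.2.2,67,68,318",
    "Mar  3 10:15:05 pfsense filterlog[53217]: 4,,,1000000104,em0,match,pass,out,4,0x0,,64,12345,0,none,1,icmp,84,192.0.2.10,203.0.113.7,request,4627,1",
    "Mar  3 10:15:06 pfsense filterlog[53217]: 5,,,1000000103,em0,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::10,2001:db8:1::5,51234,22,0,S,1,,65535,,mss",
    # An ICMP type this example does not model: its tail lands in 'unparsed'.
    "Mar  3 10:15:07 pfsense filterlog[53217]: 4,,,1000000104,em0,match,pass,in,4,0x0,,64,12346,0,none,1,icmp,56,203.0.113.7,192.0.2.10,routeradv,1,2",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_filterlog(sample))
    print(blocked_inbound(SAMPLE_LINES))
```

The `unparsed` field plays the role of the extractors' intermediate fields: when a new ICMP type or a format change appears, the line is still indexed with its common and IP headers, and a search for lines where `unparsed` is non-empty shows exactly which layouts still need a rule.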