IT Security Blog

Monitoring of pfSense Logs with Splunk

In this blog post, I will describe how to monitor your pfSense logs with Splunk. pfSense is a popular open-source firewall. pfSense uses syslog over UDP to send its logs to a remote syslog server.

First of all, we need to add a new firewall rule on the Splunk server (firewalld) so that it accepts the syslog traffic from pfSense:

firewall-cmd --add-port=7001/udp --permanent
firewall-cmd --reload

Splunk divides its data into indexes. To create a new index, we create an indexes.conf under /opt/splunk/etc/system/local/indexes.conf as the user splunk with the following content:

[fw]
homePath   = $SPLUNK_DB/fwdb/db
coldPath   = $SPLUNK_DB/fwdb/colddb
thawedPath = $SPLUNK_DB/fwdb/thaweddb

Additionally, we need an inputs.conf configuration that collects the UDP syslog traffic from pfSense. We will create a new app named patrick_inputs_fw to hold the inputs.conf configuration for our pfSense:

mkdir /opt/splunk/etc/apps/patrick_inputs_fw
mkdir /opt/splunk/etc/apps/patrick_inputs_fw/local

We navigate to the newly created folder:

cd /opt/splunk/etc/apps/patrick_inputs_fw/local

We create a new inputs.conf configuration with the following content:

[udp://:7001]
index=fw
sourcetype=pfsense

Splunk needs to be restarted to enable the new configuration:

/opt/splunk/bin/splunk restart
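Before restarting, it is worth checking that the two files above actually fit together: an input stanza that points at an index which does not exist, or a listening port that differs from the one opened in firewalld, silently loses every event. The following script is an added example (it is not part of this post and not Splunk's own tooling); it parses the indexes.conf and inputs.conf shown above with Python's configparser, which handles Splunk's [stanza] / key = value layout, and reports the mismatches. The two file contents and the set of opened ports are constructed copies of what the post configures.

```python
"""Sanity-check a Splunk indexes.conf / inputs.conf pair (added example)."""
import configparser
import re
from typing import List, Set

# Constructed copies of the two files from this post, so the check runs offline.
INDEXES_CONF = """
[fw]
homePath   = $SPLUNK_DB/fwdb/db
coldPath   = $SPLUNK_DB/fwdb/colddb
thawedPath = $SPLUNK_DB/fwdb/thaweddb
"""

INPUTS_CONF = """
[udp://:7001]
index=fw
sourcetype=pfsense
"""

# Port opened with `firewall-cmd --add-port=7001/udp` earlier in the post.
FIREWALLD_UDP_PORTS = {7001}

# Indexes every Splunk installation ships with; they need no indexes.conf stanza.
BUILTIN_INDEXES = {"main", "_internal", "_audit", "_introspection", "summary", "history"}


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse a Splunk-style .conf file. Interpolation is off so $SPLUNK_DB survives."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive (homePath, not homepath)
    cp.read_string(text)
    return cp


def defined_indexes(indexes_conf: str) -> Set[str]:
    """Every [stanza] in indexes.conf names an index."""
    return set(parse_conf(indexes_conf).sections())


def check_inputs(inputs_conf: str, indexes_conf: str, open_udp_ports: Set[int]) -> List[str]:
    """Return the problems found; an empty list means the pair is consistent."""
    problems: List[str] = []
    known = defined_indexes(indexes_conf) | BUILTIN_INDEXES
    inputs = parse_conf(inputs_conf)
    for stanza in inputs.sections():
        # Network inputs look like udp://:7001, udp://7001 or tcp://10.0.0.5:7001
        m = re.fullmatch(r"(udp|tcp)://(?:[^:]*:)?(\d+)", stanza)
        if not m:
            continue  # not a network input (e.g. [monitor://...]); not checked here
        proto, port = m.group(1), int(m.group(2))
        idx = inputs[stanza].get("index", "main")  # Splunk's default index is main
        if idx not in known:
            problems.append(f"{stanza}: index '{idx}' is not defined in indexes.conf")
        if proto == "udp" and port not in open_udp_ports:
            problems.append(f"{stanza}: UDP port {port} is not opened in firewalld")
        if "sourcetype" not in inputs[stanza]:
            problems.append(f"{stanza}: no sourcetype set, events would get a generic one")
    return problems


if __name__ == "__main__":
    report = check_inputs(INPUTS_CONF, INDEXES_CONF, FIREWALLD_UDP_PORTS)
    for line in report or ["OK: inputs.conf and indexes.conf are consistent"]:
        print(line)
```

Run it once after editing the files and once more after any later change to the app. One caveat on the firewall rule itself: a plain UDP syslog input has no authentication, so anything that can reach port 7001 can inject events into the fw index. Restricting the firewalld rule to the pfSense source address (a rich rule with a source address instead of opening the port to everyone) keeps that surface small.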

Log forwarding needs to be enabled on pfSense. Navigate to Status/System Logs, click on Settings and scroll down to the section Remote Logging Options. Enable the checkbox Send log messages to remote syslog server and enter the IP address and port (in our case 7001) of your Splunk server.

Click on Save to enable log forwarding to your Splunk server.

If everything was configured correctly, we can see the logs in Splunk:

As we can see, the logs arrive but are not parsed into fields, because Splunk needs a Technology Add-on (TA) for that. Fortunately, a Splunk TA for pfSense exists on Splunkbase, which you can download under the following link:
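To make concrete what the TA does for you, and to give you a way to test the UDP path without touching pfSense, here is an added example (not code from this post, from pfSense or from the Splunkbase TA). It builds an RFC 3164 syslog datagram the way pfSense's remote logging sends it, loops it through a local UDP socket that stands in for the [udp://:7001] input, and then splits the filterlog CSV payload into named fields. The sample line is constructed; the positional field layout follows pfSense's documented filterlog format as I understand it (rule number, tracker, interface, action, direction, IP version, then IP- and protocol-specific fields), so verify it against your pfSense version, as the raw line changes between releases.

```python
"""Send a pfSense-style syslog event over UDP and parse it like a TA would (added example)."""
import socket
from typing import Dict, Tuple

# Constructed sample: a blocked inbound TCP SYN as pfSense's filterlog would log it.
SAMPLE_FILTERLOG = (
    "5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,"
    "198.51.100.23,192.0.2.10,53214,443,0,S,123456789,,65535,,mss;sackOK"
)

# Positional layout assumed from pfSense's filterlog documentation (verify per version).
COMMON_FIELDS = ["rule_number", "sub_rule", "anchor", "tracker_id", "interface",
                 "reason", "action", "direction", "ip_version"]
IPV4_FIELDS = ["tos", "ecn", "ttl", "id", "offset", "flags", "protocol_id",
               "protocol", "length", "src_ip", "dest_ip"]
IPV6_FIELDS = ["class", "flow_label", "hop_limit", "protocol", "protocol_id",
               "length", "src_ip", "dest_ip"]
TCP_FIELDS = ["src_port", "dest_port", "data_length", "tcp_flags", "seq", "ack",
              "window", "urg", "options"]
UDP_FIELDS = ["src_port", "dest_port", "data_length"]


def build_syslog(payload: str, facility: int = 16, severity: int = 6,
                 host: str = "pfsense", tag: str = "filterlog[4711]") -> bytes:
    """RFC 3164 line: <PRI>TIMESTAMP HOST TAG: MSG, where PRI = facility*8 + severity."""
    pri = facility * 8 + severity
    return f"<{pri}>Jan  1 00:00:00 {host} {tag}: {payload}".encode()


def parse_syslog(datagram: bytes) -> Tuple[int, str, str]:
    """Return (priority, tag without pid, message) from an RFC 3164 datagram."""
    text = datagram.decode(errors="replace")
    close = text.index(">")
    pri = int(text[1:close])
    rest = text[close + 1:]
    # The timestamp is 15 characters ("Jan  1 00:00:00"), then a space, then HOST TAG: MSG.
    _host, tag_and_msg = rest[16:].split(" ", 1)
    tag, msg = tag_and_msg.split(": ", 1)
    return pri, tag.split("[")[0], msg


def parse_filterlog(line: str) -> Dict[str, str]:
    """Map the positional CSV fields of a filterlog line to names."""
    parts = line.split(",")
    fields = dict(zip(COMMON_FIELDS, parts))
    rest = parts[len(COMMON_FIELDS):]
    if fields.get("ip_version") == "4":
        fields.update(zip(IPV4_FIELDS, rest))
        rest = rest[len(IPV4_FIELDS):]
    elif fields.get("ip_version") == "6":
        fields.update(zip(IPV6_FIELDS, rest))
        rest = rest[len(IPV6_FIELDS):]
    proto = fields.get("protocol", "")
    if proto == "tcp":
        fields.update(zip(TCP_FIELDS, rest))
    elif proto == "udp":
        fields.update(zip(UDP_FIELDS, rest))
    return fields


def send_and_receive(payload: str) -> Dict[str, str]:
    """Loop one event through a local UDP socket standing in for Splunk's UDP input."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral loopback port instead of 7001
    listener.settimeout(2)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(build_syslog(payload), listener.getsockname())
        datagram, _addr = listener.recvfrom(65535)
    finally:
        sender.close()
        listener.close()
    pri, tag, msg = parse_syslog(datagram)
    fields = parse_filterlog(msg) if tag == "filterlog" else {"raw": msg}
    fields["syslog_facility"] = str(pri // 8)
    fields["syslog_severity"] = str(pri % 8)
    return fields


if __name__ == "__main__":
    for name, value in send_and_receive(SAMPLE_FILTERLOG).items():
        print(f"{name:16} {value}")
```

Pointing the sender at your Splunk server and port 7001 instead of the loopback socket gives you a quick end-to-end test of the firewalld rule and the inputs.conf stanza; a search for index=fw afterwards should show the constructed event. The field names used here (action, src_ip, dest_port and so on) are my own choice for the example and are not necessarily the ones the Splunkbase TA extracts.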

https://splunkbase.splunk.com/app/1527/

A new Splunk TA app can be installed by clicking on Manage Apps:

Then, click on Install app from file:

Click on Browse/Choose and select the downloaded TA-pfsense app. Then, click on Upload:

Now we are able to use the full power of Splunk Enterprise. For example, we can search for traffic blocked by the firewall, grouped by country:

Happy Splunking. Leave a comment, if this blog post helped you 🙂