I want to configure Logstash to receive logs from pfSense, but I get an error when I test the configuration with:
/usr/share/logstash/bin/logstash --config.test_and_exit --log.level=debug -f /etc/logstash/conf.d/ --path.settings /etc/logstash
01-inputs.conf
# 01-inputs.conf — listeners for the pfSense syslog stream (TCP and UDP on 5140)
# and for Beats shippers (5044). Both syslog listeners stamp type => "syslog",
# which is the field 10-syslog.conf keys on.
# NOTE(review): without a `host => "<listen-ip>"` option each listener binds every
# interface, and nothing here authenticates the sender. Downstream, the "pfsense" tag
# is granted purely on the peer address, which is trivially spoofable over UDP — so
# restrict 5140/5044 with a host firewall to the pfSense and Beats sources, and enable
# TLS (`ssl => true` on beats, `ssl_enable` on tcp) where the sender supports it.
input {
  # pfSense remote logging over TCP
  tcp {
    port => 5140
    type => "syslog"
  }
  # same stream over UDP — pfSense remote syslog is typically UDP, so this is the
  # listener that usually sees the firewall traffic
  udp {
    port => 5140
    type => "syslog"
  }
  # Filebeat / other Beats shippers
  beats {
    port => 5044
  }
}
Hi @MOUNA1, welcome to the community.
Could you share the pipeline configuration file you are using?
# pipelines.yml — one pipeline ("main") loading every *.conf under conf.d.
# NOTE(review): `path.config` belongs indented under the `- pipeline.id` list item;
# the indentation may simply have been lost in the paste — check the real file.
# NOTE(review): this file is normally only consulted when Logstash starts without -f;
# the test command above passes `-f /etc/logstash/conf.d/`, in which case Logstash
# loads that directory directly and pipelines.yml is not what is being tested.
- pipeline.id: main
path.config: "/etc/logstash/conf.d/*.conf"
Hi @MOUNA1,
sorry, I was not clear: please share the contents of the files under /etc/logstash/conf.d/.
01-inputs.conf
# 01-inputs.conf — listeners for the pfSense syslog stream (TCP and UDP on 5140)
# and for Beats shippers (5044). Both syslog listeners stamp type => "syslog",
# which is the field 10-syslog.conf keys on.
# NOTE(review): without a `host => "<listen-ip>"` option each listener binds every
# interface, and nothing here authenticates the sender. Downstream, the "pfsense" tag
# is granted purely on the peer address, which is trivially spoofable over UDP — so
# restrict 5140/5044 with a host firewall to the pfSense and Beats sources, and enable
# TLS (`ssl => true` on beats, `ssl_enable` on tcp) where the sender supports it.
input {
  # pfSense remote logging over TCP
  tcp {
    port => 5140
    type => "syslog"
  }
  # same stream over UDP — pfSense remote syslog is typically UDP, so this is the
  # listener that usually sees the firewall traffic
  udp {
    port => 5140
    type => "syslog"
  }
  # Filebeat / other Beats shippers
  beats {
    port => 5044
  }
}
10-syslog.conf
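# 10-syslog.conf — classify incoming syslog events by sender.
# Events from the pfSense address get the "pfsense" tag (consumed by 11-pfsense.conf);
# everything else gets "syslog" and goes through the generic syslog grok further down.
# The pasted version did this with a scratch "Ready" tag that a second filter stripped
# again; a plain if/else yields exactly the same final tags with no scratch state.
filter {
  if [type] == "syslog" {
    # Anchored and dot-escaped. The pasted /10.0.0.1/ was an unanchored regex with
    # unescaped dots, so it also matched e.g. 10.0.0.10, 110.0.0.1 or "10x0y0z1" —
    # other hosts could be tagged as the firewall and fed into the pfSense parsers.
    # NOTE(review): `host` is the peer address set by the tcp/udp input; with ECS
    # compatibility enabled in newer Logstash releases it is no longer a flat string —
    # confirm the field name for your version if the tag never appears.
    if [host] =~ /^10\.0\.0\.1$/ {
      mutate {
        add_tag => [ "pfsense" ]
      }
    } else {
      mutate {
        add_tag => [ "syslog" ]
      }
    }
  }
}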
# Generic syslog parsing for events not tagged as pfSense (see the tagging filter above).
# NOTE(review): two lines in this paste are cut off at "…>" (the grok pattern and the
# remove_field list); whatever follows that point is not visible here and was not checked.
# NOTE(review): assuming the truncated `match => { ... }` closes on its own line, this
# filter has one more "}" than "{" as pasted (the final one). If the real file looks like
# this, `--config.test_and_exit` will fail on it.
filter {
if "syslog" in [tags] {
grok {
# RFC3164-style header: timestamp, host, program[pid]: message (pattern truncated in paste)
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST>
# keep the ingest time and the sending host next to the parsed syslog timestamp
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
# expected to derive facility/severity fields from the <PRI> value
syslog_pri { }
date {
# NOTE(review): BSD syslog pads single-digit days with two spaces ("Mar  5"); the first
# pattern is usually written "MMM  d HH:mm:ss". The double space may have been collapsed
# by the forum paste — confirm in the real file, otherwise those dates fail to parse.
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
locale => "en"
}
# only promote the parsed pieces when grok actually matched
if !("_grokparsefailure" in [tags]) {
mutate {
# NOTE(review): @source_host / @message appear to be ordinary field names here, not
# reserved event attributes — the "@" prefix is just naming.
replace => [ "@source_host", "%{syslog_hostname}" ]
replace => [ "@message", "%{syslog_message}" ]
}
}
}
# drop the intermediate syslog_* fields (list truncated in paste)
mutate {
remove_field => [ "syslog_hostname", "syslog_message", "syslog_timestamp">
}
}
}
11-pfsense.conf
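# 11-pfsense.conf — parse events tagged "pfsense" by 10-syslog.conf.
# Fixes relative to the pasted file: a doubled quote on the date `timezone` line and a
# stray `'` after the filterlog `lowercase` are both parse errors that make
# `--config.test_and_exit` fail; the "private address" regexes used unescaped dots and
# so also skipped 100.x–109.x; a redundant nested suricata check and a second removal
# of already-removed fields are dropped.
# NOTE(review): several `match` lines in this paste are cut off at "…>", and the
# named-group names in the first pattern (`(?<name>…)`) appear to have been stripped by
# the forum (they render as `(?.*)`). Those lines are kept exactly as pasted and must be
# completed from the real file before this config can load.
filter {
  if "pfsense" in [tags] {
    # Split the raw "<PRI>timestamp host prog: msg" line. From the fields used below,
    # this grok is expected to produce at least datetime, prog, msg and mytz.
    grok {
      add_tag => [ "firewall" ]
      match => [ "message", "<(?.*)>(?(?:Jan(?:uary)?|Feb(?:ru>
    }
    mutate {
      # Collapse the padding before single-digit days so the date filter matches.
      # NOTE(review): as pasted the search string is a single space, which makes this
      # a no-op; the usual form is two spaces -> one. Confirm in the real file.
      gsub => ["datetime"," "," "]
    }
    date {
      match => [ "datetime", "MMM dd HH:mm:ss" ]
      # was `"%{mytz}""` (extra quote) in the paste; mytz is presumably set by the
      # grok above — its name is in the truncated part of the pattern
      timezone => "%{mytz}"
    }
    # keep only the payload as `message`, then drop the scratch fields
    mutate {
      replace => [ "message", "%{msg}" ]
    }
    mutate {
      remove_field => [ "msg", "datetime" ]
    }

    # --- per-program handling, keyed on the syslog program name -------------------
    if [prog] =~ /^dhcpd$/ {
      mutate {
        add_tag => [ "dhcpd" ]
      }
      grok {
        patterns_dir => ["/etc/logstash/conf.d/patterns"]
        match => [ "message", "%{DHCPD}"]
      }
    }
    if [prog] =~ /^suricata/ {
      mutate {
        add_tag => [ "SuricataIDPS" ]
      }
      grok {
        patterns_dir => ["/etc/logstash/conf.d/patterns"]
        match => [ "message", "%{PFSENSE_SURICATA}"]
      }
      # GeoIP only for public sources. The field-exists check avoids a
      # _geoip_lookup_failure when the suricata grok did not match; the regex skips
      # RFC1918 and loopback ranges (the pasted /^(10.|10.0.)/ had unescaped dots).
      if ![geoip] and [ids_src_ip] and [ids_src_ip] !~ /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/ {
        geoip {
          add_tag => [ "GeoIP" ]
          source => "ids_src_ip"
          database => "/etc/logstash/GeoLite2-City.mmdb"
        }
      }
      # The paste re-tested `[prog] =~ /^suricata/` here; inside this branch that is
      # always true, so the mutate is applied unconditionally. (add_field truncated in paste.)
      mutate {
        add_tag => [ "ET-Sig" ]
        add_field => [ "Signature_Info", "http://doc.emergingthreat>
      }
    }
    if [prog] =~ /^charon$/ {
      mutate {
        add_tag => [ "ipsec" ]
      }
    }
    if [prog] =~ /^barnyard2/ {
      mutate {
        add_tag => [ "barnyard2" ]
      }
    }
    if [prog] =~ /^openvpn/ {
      mutate {
        add_tag => [ "openvpn" ]
      }
    }
    if [prog] =~ /^ntpd/ {
      mutate {
        add_tag => [ "ntpd" ]
      }
    }
    if [prog] =~ /^php-fpm/ {
      mutate {
        add_tag => [ "web_portal" ]
      }
      grok {
        patterns_dir => ["/etc/logstash/conf.d/patterns"]
        match => [ "message", "%{PFSENSE_APP}%{PFSENSE_APP_DATA}"]
      }
      mutate {
        lowercase => [ 'pfsense_ACTION' ]
      }
    }
    if [prog] =~ /^apinger/ {
      mutate {
        add_tag => [ "apinger" ]
      }
    }
    # filterlog: the firewall rule log itself. The pasted file removed msg/datetime
    # again here; both were already dropped above, so that mutate is gone.
    if [prog] =~ /^filterlog$/ {
      grok {
        add_tag => [ "firewall" ]
        patterns_dir => ["/etc/logstash/conf.d/patterns"]
        match => [ "message", "%{PFSENSE_LOG_DATA}%{PFSENSE_IP_SPEC>
        "message", "%{PFSENSE_IPv4_SPECIFIC_DATA}%{PFSEN>
        "message", "%{PFSENSE_IPv6_SPECIFIC_DATA}%{PFSEN>
      }
      mutate {
        # the paste had a stray `'` on the line after this one (parse error)
        lowercase => [ 'proto' ]
      }
      # same public-source guard as for suricata, on the filterlog source address
      if ![geoip] and [src_ip] and [src_ip] !~ /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/ {
        geoip {
          add_tag => [ "GeoIP" ]
          source => "src_ip"
          database => "/etc/logstash/GeoLite2-City.mmdb"
        }
      }
    }
  }
}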
30-outputs.conf
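# 30-outputs.conf — ship events to the local Elasticsearch and echo them to stdout.
output {
  # Plugin names are case-sensitive: `Elasticsearch {` as pasted is rejected at config
  # test time (Logstash reports that it cannot find an output plugin by that name),
  # which is a likely cause of the error seen with --config.test_and_exit.
  elasticsearch {
    hosts => ["http://localhost:9200"]
    # NOTE(review): plain HTTP with no credentials — acceptable only because the target
    # is localhost; with Elasticsearch security enabled add `user`/`password` (or
    # `api_key`) and use an https URL.
    index => "logstash-%{+YYYY.MM.dd}"
  }
  # Debug aid: prints every event (firewall, IDS and VPN logs included) to Logstash's
  # stdout / journal. Remove once the pipeline works, so log content does not end up
  # duplicated in the service log.
  stdout { codec => rubydebug }
}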