Filter pfsense Logs in Logstash

Snadro · November 13, 2019, 8:54am

Hi erveryone.

I looking for to use ELK-Stack as intrusion decetion system (IDS). i'm new in ELK and it is my first setup of en IDS.

Our-Setup:
Firewall: pfsense
ELK-Stack Version: 6.8.4
Java-Version: 1.8.0_222-8u222-b10-1ubuntu1~18.04.1-b10

An pfsense Syslog file shows like the following:
5,16777216,,1000000103,igb1,match,block,in,4,0x10,,128,0,0,none,17,udp,328,198.51.100.1,198.51.100.2,67,68,308

Insiede this message there are two IP-adresses. the First one ist the source of the "attack" ant the second one ist the destination, where the hacker want to go. Now i want to Filter the Log, that I'm able to count how many attacks are coming from an address.

If you need some additional informations plese write me. I don't send the actuerl config directly here, because of spam. The ELK-Stack Setup i had done with the following guide:

github.com

a3ilson/pfelk/blob/master/README.md

## Welcome to (pfSense/OPNsense) + Elastic Stack 

![pfelk dashboard](https://github.com/a3ilson/pfelk/raw/master/pf%2BELK.png)
You can view installation guide guide on [3ilson.org YouTube Channel](https://www.youtube.com/3ilsonorg).


### Prerequisites
- Ubuntu Server v18.04+
- pfSense v2.4.4+ or OPNsense 19.7.4+
- The following was tested with Java v12 and Elastic Stack v7.4

# Preparation

### 1. Add Oracle Java Repository
```
sudo add-apt-repository ppa:linuxuprising/java
```

### 2. Add Maxmind Repository
```

This file has been truncated. show original

system · December 11, 2019, 8:54am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.