New pfSense integration added to GitHub, is there any planned support for Elastic Agent on FreeBSD?

Hello Elastic team :)
Is it possible to utilize the new pfSense integration to ship logs from pfSense to Elastic Cloud?

AFAIK there's no Elastic Agent available for FreeBSD.
Thanks 🙏

I created the pfSense integration; it receives logs via syslog, not via log files on the system itself. You will need to run it in a central location to receive the syslog, and it doesn't need to be FreeBSD.


Appreciate your fast response!
Thank you 🙏

For anyone looking to ship pfSense firewall logs to Elastic Cloud,
our solution was:

  1. pfSense UI - send logs to an intermediate Linux host via UDP port 9100
  2. Linux host - install Elastic Agent
  3. Elastic Cloud - add the pfSense integration to the Agent policy
    We followed this guide:
    Quick start: Get logs, metrics, and uptime data into the Elastic Stack | Fleet and Elastic Agent Guide [7.15] | Elastic

@eldadpuzach Let me know if there is anything that should be added to the pfSense integration. There are definitely more log types that could be added. I'd love the feedback.


I've been trying the syslog approach mentioned here before. It has the ugly limitation that it can only ship 512 (? or 1024?) bytes of data per log line, which is not enough, e.g., for Suricata / Zeek alerts. Back then, I was unable to raise the syslog packet size limitation in pfSense.

I ended up grabbing Filebeat 7.10 from the FreeBSD package sources (https://pkgs.org/search/?q=beats). This works, but you need to be very careful that you match the exact FreeBSD version that your pfSense uses.
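The two earlier posts describe the intermediate-host setup (pfSense sends syslog to a Linux box on UDP 9100, where the agent's integration parses it) and the truncation problem that hits long records. The following is an added example, not code from the thread, from pfSense or from the Elastic integration: a tiny UDP syslog receiver in Python that decodes the syslog PRI, pulls the pfSense `filterlog` CSV payload out of both the BSD and RFC 5424 header styles, names the fields, and flags datagrams that hit a size watermark or stop mid-record. The port (9100) mirrors the thread's choice and is not a pfSense default; the field order follows the pfSense raw filter log format as I understand it; `TRUNCATION_WATERMARK` is a heuristic, not pfSense's actual limit; and the sample datagrams are constructed, not captured from a real firewall.

```python
"""Tiny UDP syslog receiver and pfSense filterlog parser (added example)."""
import re
import socket
from typing import Dict

LISTEN_PORT = 9100           # assumption: matches the thread's setup
TRUNCATION_WATERMARK = 1024  # heuristic: flag datagrams at/above this size

PRI_RE = re.compile(r"^<(\d{1,3})>")
# BSD header:      "... host filterlog[71321]: 5,,,..."
# RFC 5424 header: "... host filterlog 71321 - - 5,,,..."
PROG_RE = re.compile(r"filterlog(?:(?:\[\d+\])?:|\s+\S+\s+-\s+-)\s+(.*)$")

# Field order assumed from the pfSense raw filter log format documentation.
COMMON_FIELDS = ["rule_number", "sub_rule", "anchor", "tracker", "interface",
                 "reason", "action", "direction", "ip_version"]
IPV4_FIELDS = ["tos", "ecn", "ttl", "id", "offset", "flags",
               "proto_id", "proto", "length", "src_ip", "dst_ip"]
IPV6_FIELDS = ["class", "flow_label", "hop_limit",
               "proto", "proto_id", "length", "src_ip", "dst_ip"]
L4_FIELDS = ["src_port", "dst_port", "data_length"]


def parse_filterlog(msg: str) -> Dict[str, str]:
    """Split a filterlog CSV record into named fields; raise if it is cut short."""
    fields = msg.strip().split(",")
    if len(fields) < len(COMMON_FIELDS):
        raise ValueError("filterlog record shorter than the common header")
    rec = dict(zip(COMMON_FIELDS, fields))
    rest = fields[len(COMMON_FIELDS):]
    ip_fields = {"4": IPV4_FIELDS, "6": IPV6_FIELDS}.get(rec["ip_version"])
    if ip_fields is None:
        raise ValueError("unknown ip_version %r" % rec["ip_version"])
    if len(rest) < len(ip_fields):
        raise ValueError("filterlog record cut off inside the IP header fields")
    rec.update(zip(ip_fields, rest))
    rest = rest[len(ip_fields):]
    if rec["proto"] in ("tcp", "udp"):
        rec.update(zip(L4_FIELDS, rest))  # zip stops early on a short record
        if rec["proto"] == "tcp" and len(rest) > 3:
            rec["tcp_flags"] = rest[3]
    return rec


def parse_datagram(data: bytes) -> Dict[str, object]:
    """Decode one syslog datagram: PRI first, then the filterlog payload if any."""
    text = data.decode("utf-8", errors="replace")
    rec: Dict[str, object] = {
        "raw": text,
        "possibly_truncated": len(data) >= TRUNCATION_WATERMARK,
    }
    m = PRI_RE.match(text)
    if m:
        pri = int(m.group(1))
        if pri > 191:  # 23 facilities * 8 severities - 1
            raise ValueError("invalid PRI %d" % pri)
        rec["facility"], rec["severity"] = divmod(pri, 8)
        text = text[m.end():]
    m = PROG_RE.search(text)
    if m:
        rec["program"] = "filterlog"
        rec.update(parse_filterlog(m.group(1)))
    else:
        rec["message"] = text.strip()  # other pfSense daemons pass through
    return rec


def handle_datagram(data: bytes, src: str) -> Dict[str, object]:
    """A malformed or hostile packet must never take the listener down."""
    try:
        rec = parse_datagram(data)
    except ValueError as exc:
        return {"error": str(exc), "sender": src, "raw": data[:256]}
    rec["sender"] = src
    return rec


def serve(port: int = LISTEN_PORT) -> None:
    """Bind UDP/<port> and print one parsed record per datagram."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            data, (host, _) = sock.recvfrom(65535)
            print(handle_datagram(data, host))


# Constructed sample datagrams (not captured from a real firewall).
SAMPLE_RFC5424 = (b"<134>1 2021-10-12T10:00:00.123456+00:00 pfSense.example "
                  b"filterlog 71321 - - 5,,,1000000103,igb0,match,block,in,4,"
                  b"0x0,,64,51172,0,DF,6,tcp,60,192.0.2.10,198.51.100.5,"
                  b"51234,443,0,S,1234567890,,65535,,mss;sackOK;TS;nop;wscale")
SAMPLE_BSD = (b"<134>Oct 12 10:00:01 pfSense.example filterlog[71321]: "
              b"9,,,1000000105,igb1,match,pass,out,6,0x00,0x00000,64,udp,17,60,"
              b"2001:db8::1,2001:db8::53,40000,53,32")

if __name__ == "__main__":
    for sample in (SAMPLE_RFC5424, SAMPLE_BSD):
        print(handle_datagram(sample, "192.0.2.1"))
    serve()
```

Run it on the intermediate host and point pfSense's remote syslog at it to see what actually arrives before the agent does; a record that fails with "cut off inside the IP header fields" or carries `possibly_truncated: True` is the symptom the post above describes, and is the cue to move to a file-based collector rather than tune the parser.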

Correct. I ran into that issue a long time ago. My solution was to send the Suricata logs to Kafka and then have Filebeat read from Kafka using the Suricata module.
