Not seeing any pfsense logs

I only need to display the IPs that are coming from a remote pfSense firewall in Kibana, but I couldn't do it. Can anyone help me?

input {
  beats {
    port => 5044
  }
}

This is my filter

filter {
  # Split the syslog header off: the three timestamp tokens are appended
  # into [@metadata][ts]; everything after "filterlog: " is the CSV body.
  dissect {
    mapping => { "message" => "<%{syslog_pri}>%{[@metadata][ts]} %{+[@metadata][ts]} %{+[@metadata][ts]} filterlog: %{restOfLine}" }
  }
  # BSD syslog pads single-digit days with a space ("Nov  3"), so accept
  # both the padded and the two-digit form.
  date { match => [ "[@metadata][ts]", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ] }
  # The first two IPs in the CSV body are the source and destination.
  grok { match => { "restOfLine" => "%{IP:srcIP},%{IP:dstIP}" } }
}

This is my output.conf

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

This is a sample log that is coming in on port 5002:

nettec@Ubuntu-ELK:/etc/logstash/conf.d$ nc -l -u 10.0.1.4 5002

Nov 3 08:43:50 filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,48260,0,DF,6,tcp,60,10.0.5.49,189.125.77.80,42728,80,0,S,1034372705,,14600,,mss;sackOK;TS;nop;wscale<1

I'm not aware of pfSense being able to send logs to a Beats input. I recommend looking at https://github.com/3ilson/pfelk and further having a look at https://github.com/3ilson/pfelk/blob/master/install/configuration.md

I'm using pfelk at home on my lab server, and with some additional configuration it's doing a great job so far.
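Two things in the thread are worth checking before touching the filter: the posted input listens for Beats on 5044, while the nc capture shows the firewall sending plain syslog datagrams to UDP 5002, so nothing reaches the pipeline at all; and the sample line as printed has no `<PRI>` prefix and a single-space day, which the dissect pattern does not tolerate. The following is an added example, not code from the thread or from pfelk, that parses filterlog lines the way the dissect + grok stages intend to: optional PRI, padded or unpadded day, then the CSV body split by pfSense's documented filterlog field layout (the field names are this example's own choice). It also shows a plain UDP listener on 5002 to confirm what actually arrives. Assumptions: the year is not on the wire and is supplied by the caller; the second sample line is constructed to exercise the PRI/padding/UDP cases.

```python
"""Parse pfSense filterlog syslog datagrams (added example, not from the thread)."""
import re
import socket
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample datagrams: the first is the line from the thread as nc
# printed it; the second (constructed) adds the syslog PRI prefix and the
# two-space day padding a BSD syslog sender emits for days 1-9, plus a UDP
# record, so both header variants are exercised.
SAMPLE_LINES = [
    "Nov 3 08:43:50 filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,"
    "48260,0,DF,6,tcp,60,10.0.5.49,189.125.77.80,42728,80,0,S,1034372705,,"
    "14600,,mss;sackOK;TS;nop;wscale",
    "<134>Nov  3 08:43:51 filterlog: 12,,,1000000120,igb1,match,pass,out,4,"
    "0x0,,64,0,0,none,17,udp,76,10.0.5.49,8.8.8.8,53421,53,56",
]

# Syslog header: optional <PRI>, BSD timestamp (day may be space-padded),
# optional hostname (present when the line was relayed), then the program.
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?:(?P<host>[^\s:]+) )?filterlog(?:\[\d+\])?: (?P<csv>.*)$"
)

# CSV layout per pfSense's documented filterlog format; names are ours.
COMMON = ["rulenr", "subrulenr", "anchor", "tracker", "interface", "reason",
          "action", "direction", "ipversion"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protoid", "proto",
        "length", "src", "dst"]
IPV6 = ["class", "flowlabel", "hoplimit", "proto", "protoid", "length",
        "src", "dst"]
TCP = ["srcport", "dstport", "datalen", "tcpflags", "seq", "ack", "window",
       "urg", "options"]
UDP = ["srcport", "dstport", "datalen"]


def parse_filterlog(line: str, year: int) -> Optional[Dict[str, object]]:
    """Return a dict of named fields, or None if the line is not filterlog."""
    m = SYSLOG_RE.match(line.strip())
    if m is None:
        return None
    rec: Dict[str, object] = {
        "timestamp": datetime.strptime(
            f"{m['mon']} {m['day']} {m['time']} {year}", "%b %d %H:%M:%S %Y"),
        "host": m["host"],
    }
    if m["pri"]:                      # RFC 3164: PRI = facility * 8 + severity
        pri = int(m["pri"])
        rec["facility"], rec["severity"] = pri >> 3, pri & 7
    values = m["csv"].split(",")
    if len(values) < len(COMMON):
        return None
    rec.update(zip(COMMON, values))
    rest = values[len(COMMON):]
    ip_fields = {"4": IPV4, "6": IPV6}.get(str(rec["ipversion"]))
    if ip_fields is None or len(rest) < len(ip_fields):
        return None
    rec.update(zip(ip_fields, rest))
    rest = rest[len(ip_fields):]
    # Layer-4 fields depend on the protocol text; other protocols (icmp,
    # carp, ...) have their own layouts and are left unparsed here.
    rec.update(zip({"tcp": TCP, "udp": UDP}.get(str(rec["proto"]), []), rest))
    return rec


def endpoints(lines: List[str], year: int) -> List[tuple]:
    """The (action, src, dst) triples the poster wants to chart in Kibana."""
    out = []
    for line in lines:
        rec = parse_filterlog(line, year)
        if rec is not None:
            out.append((rec["action"], rec["src"], rec["dst"]))
    return out


def listen(bind_addr: str = "0.0.0.0", port: int = 5002,
           year: Optional[int] = None) -> None:
    """Receive on the port the firewall actually sends to (UDP 5002 in the
    thread, not the Beats port 5044) and print the parsed endpoints."""
    year = year or datetime.now().year
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (peer, _) = sock.recvfrom(65535)
            rec = parse_filterlog(data.decode("utf-8", "replace"), year)
            if rec is not None:
                print(peer, rec["action"], rec["src"], "->", rec["dst"])


if __name__ == "__main__":
    for triple in endpoints(SAMPLE_LINES, year=2019):
        print(triple)
```

Run it as-is to see the two sample lines reduced to (action, src, dst); call `listen()` on the ELK host instead of `nc -l -u` to confirm that real datagrams parse, and if they do, a Logstash `udp` input on 5002 (with the index name no longer referencing `[@metadata][beat]`) is what the pipeline needs in place of the Beats input.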

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.