We have a new Elastic Cloud deployment where we are collecting Sysmon and Windows logs from a server in a remote data center. We have that Windows server set up with Filebeat listening for inbound syslog so that we can also collect and forward logs from the Pfsense firewall to Elastic Cloud.
We see the Pfsense firewall log data in Elastic Cloud but we have two issues I'm hoping someone can help us with:
- The Pfsense firewall logs are not being properly parsed, so the individual fields and data are not being extracted. It seems like we need a Grok pattern for these logs to help Elastic Cloud parse them correctly, but we're not sure how to do that given our setup using Elastic Cloud and Filebeat.
- Since we're using Filebeat on the Windows server to collect and forward the Pfsense firewall logs to Elastic Cloud, all of the firewall events show up in Kibana as being "from the Windows host", not as a separate firewall host.