I am new to this so please bear with me as I need to take small steps to understand this. I am trying to parse PFSense 2.4.4 logs into the Elastic Stack 6.5 which are sent via syslog. I am getting a bit confused with some logs and here are the questions I have this far:
Even though the syslog events seem to have the fields separated in the right mappings I still see the message field still packs a lump of field data separated by columns, which I would assume only happens when there's parsing errors, or is this perhaps a feature for keeping the raw event even if the log gets parsed correctly?
In the tags field of the events I see: _grokparsefailure, PFSense, firewall, GeoIP. Does that mean that there is a parsing error in regards to the grok failure part? How about the rest of the tags? Or does that mean those are the available tags?
Why is geoip only running on the public IP address of my router? I think it would be more useful to me to have that information on the external IP addresses despite the traffic direction. Can this be changed and if so, how?
Thanks in advance.