PFSense Log Clarification


(John Smith) #1

Hi there,

I am new to this so please bear with me as I need to take small steps to understand this. I am trying to parse PFSense 2.4.4 logs into the Elastic Stack 6.5 which are sent via syslog. I am getting a bit confused with some logs and here are the questions I have this far:

  1. Even though the syslog events seem to have the fields separated in the right mappings I still see the message field still packs a lump of field data separated by columns, which I would assume only happens when there's parsing errors, or is this perhaps a feature for keeping the raw event even if the log gets parsed correctly?

  2. In the tags field of the events I see: _grokparsefailure, PFSense, firewall, GeoIP. Does that mean that there is a parsing error in regards to the grok failure part? How about the rest of the tags? Or does that mean those are the available tags?

  3. Why is geoip only running on the public ip address of my router? I think it would be more useful to me to have that information on the external ip addresses despite the traffic direction? Can this be changed and if so, how?

Thanks in advance.


(Lewis Barclay) #2

Welcome!

The message field will remain until you issue a "remove_field" command - you are correct. When parsing data it will do nothing to the original field, assuming you do not overwrite it.

_grokparsefailure means that your Grok filter is not fully parsing the log line correctly. You may find many of the fields are correct and it might just be failing on a little bit. The tags are also set somewhere else in your input or filter.

GeoIP runs on whatever you give it as the input. So if it is running on the public address of your router, that means you have told GeoIP to run on the public address of your router :slight_smile:
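An added Logstash filter fragment that ties the three answers above together; it is an example written for this thread, not either poster's config or anything shipped by pfSense or Elastic. It assumes an earlier grok filter has already extracted `src_ip` and `dest_ip` (those field names are placeholders for whatever your own pattern produces) and uses the `cidr` filter to decide which side of the connection is external.

```logstash
filter {
  # Assumption: a grok filter above this point has already produced [src_ip]
  # and [dest_ip] from the pfSense filterlog line; rename to match your pattern.

  # Q1: the raw line survives in [message] until removed. Keep it only when grok
  # failed, so the unparsed sample is still visible in Kibana for debugging.
  if "_grokparsefailure" not in [tags] {
    mutate { remove_field => [ "message" ] }
  }

  # Q2: tags like "PFSense" or "firewall" come from add_tag somewhere in the
  # pipeline; the same mechanism is used here to mark private addresses.
  cidr {
    address => [ "%{src_ip}" ]
    network => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ]
    add_tag => [ "src_private" ]
  }
  cidr {
    address => [ "%{dest_ip}" ]
    network => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ]
    add_tag => [ "dest_private" ]
  }

  # Q3: look up whichever address is external, regardless of traffic direction.
  # When both ends are private (LAN to LAN) no lookup runs, which avoids a
  # spurious _geoip_lookup_failure tag on every internal flow.
  if "src_private" in [tags] and "dest_private" not in [tags] {
    geoip { source => "dest_ip" target => "geoip" }
  } else if "src_private" not in [tags] {
    geoip { source => "src_ip" target => "geoip" }
  }
}
```

Events still carrying `_grokparsefailure` after this keep their raw `message`, so filtering on that tag in Kibana shows exactly which log lines the grok pattern does not yet cover.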