Syslog Configuration on logstash pfSense


(Killmasta93) #1

Hi,
I was wondering if someone could help me out or guide me.
So I got everything up and running; my only issue is that when I'm trying to filter my syslog dashboard (the system logs of pfSense) it shows nothing, while on my other dashboard of the pfSense firewall it shows everything perfectly, see pics.
I was wondering, on my 10-syslog.conf, what could be the issue?

http://pastebin.com/0ykcDLAM
http://pastebin.com/KZpkxmSi

Thank you


(Killmasta93) #2

bump?


(Killmasta93) #3

BUMP? anyone? :frowning:


(Killmasta93) #4

So I've been trying to get the system logs to filter correctly. I was getting some help from someone but can't seem to get it. This is what he told me to do, but there's a conflict because pfSense is sending the logs to port 5140. Now I guess I was wondering if it could be possible to add a default filter for the 10-syslog.conf instead of using rsyslog?

Thank you

  1. Install Puppet.

  2. Apply this module: https://github.com/naturalis/puppet-role_rsyslog.

The module will install rsyslog; it is basically only a role
module to apply this module: saz/rsyslog. The config file that will be set up
and used is /etc/rsyslog.d/server.conf. If you start the service (sudo
service rsyslog start), it will listen on port 514 for syslog messages. You can
check this by going to the /srv/log/ directory. There should be a file called
messages. It will be created the moment the first messages are received. If
you open the file, you should see your pfSense syslog messages coming in.

  3. On the same machine install Logstash.

I am using version 1.4, and did this with this module, again
a role module: https://github.com/rudibroekhuizen/puppet-role_logstash/blob/master/manifests/init.pp. Parameter
$configfile = 'logstash-syslog-pfsense-02.conf'. In the file you can see that I
use a simple file input, which looks at /srv/log/messages. The results are then
sent to Elasticsearch.

  4. Check settings in Kibana. Is your index setting correct?
    I use a non-default index name, see the logstash output filter. My queries in
    Kibana look like this:

All events:

tags: "syslog-pfsense" AND program: "filterlog"

Pass:

tags: "syslog-pfsense" AND action: "pass"

Block:

tags: "syslog-pfsense" AND action: "block"

Inbound traffic by IP:

tags: "syslog-pfsense" AND direction: "in" AND action: "pass"
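As an added illustration (not code from this thread, from either pastebin config, or from the Puppet modules linked above), the following Python script does offline what the Logstash filter chain is expected to do with the two kinds of lines pfSense sends. It splits the RFC 3164 syslog header into facility, severity, host, program and pid, and only for lines whose program is filterlog maps the comma-separated message onto the named fields (action, direction, src, dst, ports) that the Kibana queries above rely on. The three sample lines are constructed, and the filterlog field order is an assumption taken from the pfSense 2.2+ documented CSV layout (common fields, then the IPv4 or IPv6 header, then TCP or UDP fields). It also shows why a system-log line such as one from sshd ends up with program, host and message but none of the filterlog fields, so a dashboard filtered on program: "filterlog" or action: "pass" will never display it.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines (not captured from a real firewall): two filterlog
# records in the pfSense 2.2+ CSV layout and one system log line from sshd.
SAMPLE_LINES = [
    "<134>Jan  5 10:00:01 filterlog: 5,16777216,,1000000003,em0,match,block,in,4,"
    "0x0,,64,0,0,DF,6,tcp,60,10.0.0.5,192.168.1.1,49152,443,0,S,1234567890,,65535,,mss",
    "<134>Jan  5 10:00:02 filterlog: 100,,,1000000101,em1,match,pass,out,4,"
    "0x0,,63,12345,0,none,17,udp,76,192.168.1.10,8.8.8.8,53412,53,56",
    "<38>Jan  5 10:00:03 pfsense sshd[4321]: Accepted publickey for admin "
    "from 192.168.1.10 port 50022 ssh2",
]

# <PRI>MMM dd HH:MM:SS <rest>; pfSense may or may not include a hostname in <rest>.
SYSLOG_HEAD = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<rest>.*)$"
)
TAG_RE = re.compile(r"^(?P<program>[^\[]+)(?:\[(?P<pid>\d+)\])?$")

# Assumed field order of the filterlog CSV (pfSense 2.2+ documented layout).
COMMON_FIELDS = ["rule", "subrule", "anchor", "tracker", "interface",
                 "reason", "action", "direction", "ipversion"]
IPV4_FIELDS = ["tos", "ecn", "ttl", "id", "offset", "flags",
               "protocol_id", "protocol", "length", "src", "dst"]
IPV6_FIELDS = ["class", "flow_label", "hop_limit", "protocol",
               "protocol_id", "length", "src", "dst"]
TCP_FIELDS = ["src_port", "dst_port", "data_length", "tcp_flags",
              "seq", "ack", "window", "urg", "options"]
UDP_FIELDS = ["src_port", "dst_port", "data_length"]


def parse_syslog(line: str) -> Dict[str, Optional[str]]:
    """Split an RFC 3164-style line into PRI parts, timestamp, host, program, pid, message."""
    m = SYSLOG_HEAD.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    pri = int(m["pri"])
    head, sep, message = m["rest"].partition(": ")
    if not sep:
        raise ValueError(f"no program tag in: {line!r}")
    tokens = head.split(" ")
    if len(tokens) > 2:
        raise ValueError(f"unexpected header {head!r}")
    host = tokens[0] if len(tokens) == 2 else None  # hostname is optional
    tag = TAG_RE.match(tokens[-1])
    if not tag:
        raise ValueError(f"bad program tag {tokens[-1]!r}")
    return {
        "facility": str(pri >> 3), "severity": str(pri & 7),
        "timestamp": m["timestamp"], "host": host,
        "program": tag["program"], "pid": tag["pid"], "message": message,
    }


def parse_filterlog(message: str) -> Dict[str, str]:
    """Map the comma-separated filterlog message onto named fields."""
    values = message.split(",")
    fields = dict(zip(COMMON_FIELDS, values))
    pos = len(COMMON_FIELDS)
    ip_fields = IPV4_FIELDS if fields.get("ipversion") == "4" else IPV6_FIELDS
    fields.update(zip(ip_fields, values[pos:]))
    pos += len(ip_fields)
    proto_fields = {"tcp": TCP_FIELDS, "udp": UDP_FIELDS}.get(fields.get("protocol", ""), [])
    fields.update(zip(proto_fields, values[pos:]))
    pos += len(proto_fields)
    if pos < len(values):
        fields["extra"] = ",".join(values[pos:])  # unparsed trailer (ICMP, other protocols)
    return fields


def enrich(line: str) -> Dict[str, Optional[str]]:
    """What the Logstash filter should produce: syslog fields, a tag, and filterlog fields if any."""
    event = parse_syslog(line)
    event["tags"] = "syslog-pfsense"
    if event["program"] == "filterlog":
        event.update(parse_filterlog(event["message"]))
    return event


def query(events: List[Dict[str, Optional[str]]], **criteria: str) -> List[Dict[str, Optional[str]]]:
    """Stand-in for the Kibana queries in the thread: every field:value pair must match."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


if __name__ == "__main__":
    events = [enrich(line) for line in SAMPLE_LINES]
    print("all filterlog events:", len(query(events, tags="syslog-pfsense", program="filterlog")))
    print("passed:", len(query(events, tags="syslog-pfsense", action="pass")))
    print("inbound passed:", len(query(events, tags="syslog-pfsense", direction="in", action="pass")))
    print("sshd event fields:", sorted(events[2]))
```

The sshd line is the point of interest for the original question: after enrichment it carries facility 4 (auth), program sshd and the free-text message, but no action or direction, so the firewall dashboard's queries exclude it by design and the system-log dashboard has to filter on program or facility instead.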


(system) #5