Splunk field extractions for pfSense firewall logs (IPv4)
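# First attempt: index-time CSV extraction. It does not work for these events:
# the line begins with the syslog header ("<ts> <host> <ts> filterlog: ") followed
# directly by rulenum with no comma between them, so the first CSV column
# ("log_metadata") swallows the whole header plus rulenum -- note FIELD_NAMES has
# no rulenum entry at all. The column list is also TCP-specific (tcp_* at the end);
# the optional group in the EXTRACT stanza below suggests non-TCP events carry fewer
# columns, so those would be mislabelled.
# INDEXED_EXTRACTIONS happens at index time; mislabelled fields are baked into the
# index and cannot be corrected without re-indexing. Do not deploy this stanza --
# it is kept only to document the approach that was abandoned.
[pfsense-fw-ipv4-tcp]
INDEXED_EXTRACTIONS = csv
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Network & Security
pulldown_type = 1
FIELD_NAMES = log_metadata,sub_rulenum,anchor,tracker,interface,reason,action,direction,ip_version,ip_tos,ip_ecn,ip_ttl,ip_id,ip_offset,ip_flags,ip_proto_id,ip_proto_text,ip_length,ip_src_addr,ip_dest_addr,ip_src_port,ip_dst_port,ip_data_length,tcp_flags,tcp_seq_num,tcp_ack_num,tcp_window,tcp_urg,tcp_opts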
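# Improved version: search-time regex extraction (EXTRACT-), scoped to a single
# host so it does not fire on other syslog sources that share the index. Replace
# my.firewall.fqdn with the value Splunk actually stores in the host field for the
# firewall (a short name if the syslog header carries one -- check a raw event).
# Layout the regex assumes: "<15-char ts> <hostname> <15-char ts> filterlog: <csv>".
# The first timestamp is presumably stamped by the syslog receiver and the second is
# the firewall's own clock -- confirm before building time-based alerts on either.
# Caveats:
#  - ip_src_port, ip_dst_port and ip_data_length are mandatory and only the tcp_*
#    group is optional, so events without port columns (e.g. ICMP) do not match at
#    all and get no fields; they are silently invisible to searches on these names.
#  - The regex is anchored ^...$, so a line with an unexpected column count fails
#    outright rather than extracting misaligned values -- preferable for detections.
#  - Naming is inconsistent (ip_dest_addr vs ip_dst_port). It is left as-is because
#    saved searches and alerts key on these exact names (action, direction, reason,
#    interface, addresses, ports); add a FIELDALIAS rather than renaming here.
[host::my.firewall.fqdn]
EXTRACT-pfsense-fw-ipv4 = ^(?<evt_time>.{15})\s(?<hostname>[A-Za-z0-9-\.]+)\s(?<log_time>.{15})\sfilterlog:\s(?<rulenum>[0-9]+),(?<sub_rulenum>[0-9]*),(?<anchor>[^,]*),(?<tracker>[0-9]*),(?<interface>[^,]*),(?<reason>[^,]*),(?<action>[^,]*),(?<direction>[^,]*),(?<ip_version>[^,]*),(?<ip_tos>[^,]*),(?<ip_ecn>[^,]*),(?<ip_ttl>[^,]*),(?<ip_id>[^,]*),(?<ip_offset>[^,]*),(?<ip_flags>[^,]*),(?<ip_proto_id>[^,]*),(?<ip_proto_text>[^,]*),(?<ip_length>[^,]*),(?<ip_src_addr>[^,]*),(?<ip_dest_addr>[^,]*),(?<ip_src_port>[^,]*),(?<ip_dst_port>[^,]*),(?<ip_data_length>[^,]*)(,(?<tcp_flags>[^,]*),(?<tcp_seq_num>[^,]*),(?<tcp_ack_num>[^,]*),(?<tcp_window>[^,]*),(?<tcp_urg>[^,]*),(?<tcp_opts>[^,]*))?$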