bndabbs/pfsense-logstash.conf

## pfsense-logstash.conf
filter {
    grok {
      match => [
        "message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:timestamp} %{PROG:program}: %{GREEDYDATA:message}"
      ]
      overwrite => [ "message" ]
      add_tag => [ "pfsense" ]
    }

    syslog_pri {}

    if [program] == "filterlog" {
      dissect {
        mapping => {
          "message" => "%{rule},%{sub_rule},%{anchor},%{tracker},%{interface},%{reason},%{action},%{direction},%{ip_version},%{message}"
        }
      }
    }

    if [program] == "filterlog" and [ip_version] == "4" {
      dissect {
        mapping => {
          "message" => "%{tos},%{ecn},%{ttl},%{id},%{offset},%{flags},%{protocol_id},%{protocol},%{length},%{source.ip},%{destination.ip},%{message}"
        }
      }
    }

    if [program] == "filterlog" and [ip_version] == "6" {
      dissect {
        mapping => {
          "message" => "%{class},%{flow_label},%{hop_limit},%{protocol},%{protocol_id},%{length},%{source.ip},%{destination.ip},%{message}"
        }
      }
    }

    if [program] == "filterlog" and [protocol_id] == "1" {
      dissect {
        mapping => {
          "message" => "%{icmp.type},%{icmp.id},%{icmp.sequence}"
        }
        remove_field => ["message"]
      }
    }

    if [program] == "filterlog" and [protocol_id] == "6" {
      dissect {
        mapping => {
          "message" => "%{source.port},%{destination.port},%{data_length},%{tcp_flags},%{seq_number},%{ack},%{window},%{urg},%{options}"
        }
        remove_field => ["message"]
      }
    }

    if [program] == "filterlog" and [protocol_id] == "17" {
      dissect {
        mapping => {
          "message" => "%{source.port},%{destination.port},%{data_length}"
        }
        remove_field => ["message"]
      }
    }

    date {
      match => [
        "timestamp",

        "MMM dd HH:mm:ss",
        "MMM  d HH:mm:ss"
      ]
    }
	filter {
	grok {
	match => [
	"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:timestamp} %{PROG:program}: %{GREEDYDATA:message}"
	]
	overwrite => [ "message" ]
	add_tag => [ "pfsense" ]
	}

	syslog_pri {}

	if [program] == "filterlog" {
	dissect {
	mapping => {
	"message" => "%{rule},%{sub_rule},%{anchor},%{tracker},%{interface},%{reason},%{action},%{direction},%{ip_version},%{message}"
	}
	}
	}

	if [program] == "filterlog" and [ip_version] == "4" {
	dissect {
	mapping => {
	"message" => "%{tos},%{ecn},%{ttl},%{id},%{offset},%{flags},%{protocol_id},%{protocol},%{length},%{source.ip},%{destination.ip},%{message}"
	}
	}
	}

	if [program] == "filterlog" and [ip_version] == "6" {
	dissect {
	mapping => {
	"message" => "%{class},%{flow_label},%{hop_limit},%{protocol},%{protocol_id},%{length},%{source.ip},%{destination.ip},%{message}"
	}
	}
	}

	if [program] == "filterlog" and [protocol_id] == "1" {
	dissect {
	mapping => {
	"message" => "%{icmp.type},%{icmp.id},%{icmp.sequence}"
	}
	remove_field => ["message"]
	}
	}

	if [program] == "filterlog" and [protocol_id] == "6" {
	dissect {
	mapping => {
	"message" => "%{source.port},%{destination.port},%{data_length},%{tcp_flags},%{seq_number},%{ack},%{window},%{urg},%{options}"
	}
	remove_field => ["message"]
	}
	}

	if [program] == "filterlog" and [protocol_id] == "17" {
	dissect {
	mapping => {
	"message" => "%{source.port},%{destination.port},%{data_length}"
	}
	remove_field => ["message"]
	}
	}

	date {
	match => [
	"timestamp",

	"MMM dd HH:mm:ss",
	"MMM d HH:mm:ss"
	]
	}