
@jemacom
Created January 25, 2016 15:54
# Logstash 1.x-era pipeline for pfSense syslog. The PFSENSE, LOG_DATA,
# IP_SPECIFIC_DATA, IP_DATA and PROTOCOL_DATA patterns are custom and must
# exist under patterns_dir; they are not shipped with Logstash.
input {
  # Listens on 514/tcp and 514/udp by default; binding a port below 1024
  # needs root, otherwise set port => 5140 and point pfSense at that port.
  syslog {
    type => "pfsense"
  }
}

filter {
  if [type] == "pfsense" {
    # Split the syslog line into program name ([prog]) and payload ([msg]).
    grok {
      patterns_dir => "/opt/logstash/patterns"
      match => [ "message", "%{PFSENSE}" ]
    }
    # Only firewall (filterlog) events carry the CSV rule/IP/protocol fields.
    if [prog] == "filterlog" {
      grok {
        patterns_dir => "/opt/logstash/patterns"
        match => [ "msg", "%{LOG_DATA}%{IP_SPECIFIC_DATA}%{IP_DATA}%{PROTOCOL_DATA}" ]
      }
      if [src_ip] {
        geoip {
          source => "src_ip"
          target => "geoip"
          # Two add_field calls on the same key build an array; the order
          # [longitude, latitude] is what an Elasticsearch geo_point expects.
          # Private source addresses get no match: the event is tagged
          # _geoip_lookup_failure and no coordinates are added.
          add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
          add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
        }
        mutate {
          convert => [ "[geoip][coordinates]", "float" ]
          # Only runs once src_ip exists, so events whose grok really failed
          # never reach this branch and keep the tag for troubleshooting.
          remove_tag => [ "_grokparsefailure" ]
        }
      }
    }
  }
}

output {
  stdout { codec => dots }
  # protocol/host/cluster are Logstash 1.x options (cluster matters only for
  # the node/transport protocols); the 2.x+ elasticsearch output takes
  # hosts => ["elkserver:9200"] instead.
  elasticsearch {
    protocol => "http"
    host => "elkserver"
    cluster => "mycluster"
    index => "pfsense-logs"
  }
}
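To see what the filterlog grok chain has to produce before the geoip branch can fire, here is a stand-alone parser for the same pfSense filterlog CSV layout (rule fields, then IPv4 or IPv6 fields, then TCP/UDP fields). This is an added example, not part of the gist and not the custom grok patterns it relies on; the field names (prog, msg, src_ip, dest_ip, ...) are assumed to match what those patterns emit, and the sample lines are constructed. It mirrors the config's tagging behaviour (lines that do not fit are tagged _grokparsefailure rather than dropped) and adds a small triage helper that counts blocked events per source address.

```python
"""Parse pfSense filterlog syslog lines the way the gist's grok chain does.

Added example, not the gist's code. Field names are an assumption about
what the custom grok patterns emit; the CSV layout follows the documented
pfSense filterlog format.
"""
import re
from collections import Counter

# Constructed sample lines, not captured from a real firewall.
SAMPLE_LINES = [
    "Jan 25 15:54:01 pfsense filterlog: 5,16777216,,1000000003,igb1,match,block,in,4,"
    "0x0,,128,0,0,DF,17,udp,328,10.0.0.5,255.255.255.255,68,67,308",
    "Jan 25 15:54:02 pfsense filterlog: 9,16777216,,1000000103,igb0,match,block,in,4,"
    "0x0,,64,54321,0,none,6,tcp,60,203.0.113.5,192.0.2.10,44123,22,0,S,1234567890,,65535,,mss;nop;wscale",
    "Jan 25 15:54:03 pfsense filterlog: 70,16777216,,1000000170,igb0,match,pass,in,6,"
    "0x00,0x00000,64,tcp,6,80,2001:db8::1,2001:db8::2,52000,443,0,S,987654321,,64800,,mss",
    "Jan 25 15:54:04 pfsense sshd[1234]: Accepted publickey for admin from 192.0.2.20 port 5555 ssh2",
]

# Stand-in for the %{PFSENSE} pattern: timestamp, host, program[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Stand-ins for LOG_DATA / IP_SPECIFIC_DATA+IP_DATA / PROTOCOL_DATA.
LOG_DATA = ["rule_number", "sub_rule", "anchor", "tracker", "interface",
            "reason", "action", "direction", "ip_version"]
IPV4_DATA = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto",
             "length", "src_ip", "dest_ip"]
IPV6_DATA = ["class", "flow_label", "hop_limit", "proto", "proto_id", "length",
             "src_ip", "dest_ip"]
TCP_DATA = ["src_port", "dest_port", "data_length", "tcp_flags", "seq", "ack",
            "window", "urg", "options"]
UDP_DATA = ["src_port", "dest_port", "data_length"]


def parse_filterlog(msg):
    """Return a dict of filterlog fields, or None if the CSV does not fit."""
    fields = msg.split(",")
    if len(fields) < len(LOG_DATA):
        return None
    event = dict(zip(LOG_DATA, fields[:len(LOG_DATA)]))
    rest = fields[len(LOG_DATA):]
    ip_fields = {"4": IPV4_DATA, "6": IPV6_DATA}.get(event["ip_version"])
    if ip_fields is None or len(rest) < len(ip_fields):
        return None
    event.update(zip(ip_fields, rest[:len(ip_fields)]))
    rest = rest[len(ip_fields):]
    if event["proto"] == "tcp":
        event.update(zip(TCP_DATA, rest))
    elif event["proto"] == "udp":
        event.update(zip(UDP_DATA, rest))
    else:
        # ICMP and others have a variable trailer; keep it raw rather than guess.
        event["proto_data"] = ",".join(rest)
    return event


def parse_line(line):
    """Apply the syslog split, then the filterlog split only when prog == filterlog."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return {"message": line, "tags": ["_grokparsefailure"]}
    event = m.groupdict()
    event["message"] = line
    event["tags"] = []
    if event["prog"] == "filterlog":
        fl = parse_filterlog(event["msg"])
        if fl is None:
            event["tags"].append("_grokparsefailure")
        else:
            event.update(fl)
    return event


def blocked_by_source(lines):
    """Count blocked firewall events per source address (a first triage query)."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev.get("prog") == "filterlog" and ev.get("action") == "block" and "src_ip" in ev:
            counts[ev["src_ip"]] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_line(line)
        print(ev.get("prog"), ev.get("action"), ev.get("src_ip"), ev.get("dest_port"), ev["tags"])
    print(blocked_by_source(SAMPLE_LINES))
```

The useful property to check against a real Logstash pipeline is the failure path: a filterlog line with a truncated CSV must end up tagged, not silently indexed with empty fields, because the gist's remove_tag only runs after src_ip has been extracted.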
jemacom commented Jan 25, 2016

Logstash config file to parse pfsense logs
