
pfSense 2.2 Graylog extractors
{
"extractors": [
{
"condition_type": "regex",
"condition_value": "^filterlog:.*,(in|out),4,.*",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"index": 17,
"split_by": ","
},
"extractor_type": "split_and_index",
"order": 0,
"source_field": "message",
"target_field": "pfsense_filter_proto",
"title": "pfSense - Protocol"
},
{
"condition_type": "regex",
"condition_value": "^filterlog:.*,(in|out),4,.*",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"index": 19,
"split_by": ","
},
"extractor_type": "split_and_index",
"order": 0,
"source_field": "message",
"target_field": "pfsense_filter_sourceip",
"title": "pfSense - Source IP"
},
{
"condition_type": "regex",
"condition_value": "^filterlog:.*,(in|out),4,.*",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"index": 7,
"split_by": ","
},
"extractor_type": "split_and_index",
"order": 0,
"source_field": "message",
"target_field": "pfsense_filter_action",
"title": "pfSense - Action"
},
{
"condition_type": "regex",
"condition_value": "^filterlog:.*,(in|out),4,.*",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"index": 20,
"split_by": ","
},
"extractor_type": "split_and_index",
"order": 0,
"source_field": "message",
"target_field": "pfsense_filter_destip",
"title": "pfSense - Destination IP"
},
{
"condition_type": "regex",
"condition_value": "^filterlog:.*,(in|out),4,.*",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"index": 21,
"split_by": ","
},
"extractor_type": "split_and_index",
"order": 0,
"source_field": "message",
"target_field": "pfsense_filter_sourceport",
"title": "pfSense - Source Port"
},
{
"condition_type": "regex",
"condition_value": "^filterlog:.*,(in|out),4,.*",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"index": 22,
"split_by": ","
},
"extractor_type": "split_and_index",
"order": 0,
"source_field": "message",
"target_field": "pfsense_filter_destport",
"title": "pfSense - Destination Port"
},
{
"condition_type": "regex",
"condition_value": "^filterlog:.*,(in|out),4,.*",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"index": 8,
"split_by": ","
},
"extractor_type": "split_and_index",
"order": 0,
"source_field": "message",
"target_field": "pfsense_filter_direction",
"title": "pfSense - Direction"
},
{
"condition_type": "regex",
"condition_value": "^filterlog:.*,(in|out),4,.*",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"index": 5,
"split_by": ","
},
"extractor_type": "split_and_index",
"order": 0,
"source_field": "message",
"target_field": "pfsense_filter_ingress",
"title": "pfSense - Ingress Interface"
},
{
"condition_type": "regex",
"condition_value": "^filterlog:.*,(in|out),4,.*",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"regex": "^filterlog: ([1-9]+),.*$",
"replacement": "$1",
"replace_all": false
},
"extractor_type": "regex_replace",
"order": 0,
"source_field": "message",
"target_field": "pfsense_filter_rulenum",
"title": "pfSense - Rule Number"
}
],
"version": "1.3.0 (04201bb)"
}
@ecloudbizsolns

Thanks for these. Tested on pfSense Community Edition 2.3.2 (i386, nanobsd/embedded, non-VGA) and it works apart from one minor item: the source and destination port extractors get tricked by ICMP unreachable messages, so I added "(tc|ud)p" to the end of the condition_value for both the source and destination port extractors to eliminate these false positives (otherwise the extracted "port" is actually the source IP address, which is probably not what you want).
