Atlas ITSI Content Pack for Pfsense

License: Apache License 2.0 (Apache-2.0)

Summary

The ITSI Content Pack for pfSense from Kinney Group is designed to monitor the security, performance, and log data of pfSense firewalls. It uses Splunk ITSI to provide in-depth analysis and visualization of pfSense logs, so that critical systems can be confirmed to be operating as expected. This content pack is intended for IT professionals who want to improve the reliability and security of their network infrastructure.

  • Comprehensive Network Security: Monitors and manages the security aspects of the network, including intrusion detection and firewall activities.
  • Detailed Traffic Analysis: Analyzes network traffic to identify patterns, bandwidth usage, and potential anomalies.
  • Efficient Log Management: Collects, parses, and stores logs from various network devices and applications for analysis and troubleshooting.

This ITSI Content Pack is open source and available for community collaboration and enhancement on GitHub.

For more information about Kinney Group's Splunk Products, visit our website.

Details

The ITSI Content Pack for pfSense contains service definitions and KPIs ready to import into ITSI. KPI thresholds and importance values are shipped at defaults so that they can be tuned manually for your environment. After configuration, this content pack provides a comprehensive monitoring solution for pfSense networks.

Kinney Group ITSI Content Pack Blog

Services

pfSense monitoring encompasses several specialized services, each targeting specific aspects of network performance and security:

  1. Network Security
    • Description: Monitors and manages the security aspects of the network, including intrusion detection and firewall activities.
    • Source: Trenches of IT
  2. Intrusion Detection
    • Description: Monitors network traffic for suspicious activities and potential threats using tools like Snort.
    • Source: Trenches of IT
  3. Firewall Management
    • Description: Manages firewall rules and logs to control network traffic and prevent unauthorized access.
    • Source: Trenches of IT
  4. Traffic Analysis
    • Description: Analyzes network traffic to identify patterns, bandwidth usage, and potential anomalies.
    • Source: Splunk Documentation
  5. Log Management
    • Description: Collects, parses, and stores logs from various network devices and applications for analysis and troubleshooting.
    • Source: Trenches of IT
  6. Bandwidth Monitoring
    • Description: Monitors the usage of network bandwidth to identify high-usage IPs and potential network congestion.
    • Source: Trenches of IT
  7. Log Parsing
    • Description: Ensures that logs are properly parsed and fields are extracted for accurate querying and analysis.
    • Source: Trenches of IT

KPIs

Each service uses specific KPIs to measure its effectiveness:

  1. Total Data Sent and Received
    • Description: Monitor the total bytes from source and destination IPs.
    • Source: Trenches of IT
  2. Snort Alerts
    • Description: Monitor for Snort alerts indicating potential security threats.
    • Source: Trenches of IT
  3. Firewall Logs
    • Description: Ensure all logs from pfSense are being sent to Splunk.
    • Source: Trenches of IT
  4. Failed Login Attempts
    • Description: Track the number of failed login attempts to identify potential security threats.
    • Source: Splunk Documentation
  5. Unusual Login Locations
    • Description: Monitor logins from unusual or unexpected geographic locations.
    • Source: Splunk Documentation
  6. Denied Connections
  7. Allowed Connections
    • Description: Monitor traffic that is allowed based on firewall rules.
    • Source: Splunk Documentation
  8. Bandwidth Usage
    • Description: Identify which IPs are using the most bandwidth.
    • Source: Trenches of IT
  9. Traffic Flow
    • Description: Monitor the flow of data across network infrastructure components.
    • Source: Splunk Documentation
  10. Anomalies and Suspicious Traffic
    • Description: Use raw Snort alarms to investigate suspicious traffic.
    • Source: Trenches of IT
  11. Log Parsing and Field Extraction
    • Description: Ensure logs are properly parsed and fields are extracted for accurate querying.
    • Source: Trenches of IT
  12. Event Details
    • Description: Monitor specific event details for deeper insights.
    • Source: Trenches of IT
  13. Error Logs and Alerts
    • Description: Regularly review error logs and set up alerts for critical issues.
    • Source: GitHub
  14. Network Throughput
    • Description: Monitor the usage of network bandwidth to identify high-usage IPs and potential network congestion.
    • Source: GitHub
  15. Data Integrity and Completeness
    • Description: Ensure all expected data is being ingested without loss.
    • Source: GitHub

Relationships

Dependencies:

Services are interconnected: for instance, Network Security depends on Intrusion Detection and Firewall Management. Similarly, Traffic Analysis relies on Bandwidth Monitoring to identify high-usage IPs and potential network congestion.

Hierarchical Structure:

Some services form a hierarchy, such as Network Security depending on Intrusion Detection and Firewall Management. This reflects a layered approach to monitoring in which base metrics support broader service-level indicators.

Installation

Installation prerequisites:

  • Splunk Add-on for pfSense
  • Splunk App for Content Packs
  • Splunk ITSI

Troubleshooting

  • Kinney Group ITSI Content Pack Blog
  • GitHub and README
  • support@kinneygroup.com

Contact

To provide feedback, visit our GitHub and README for our content packs.

  • support@kinneygroup.com

Version History

Version   Date       Description
0.0.1     05/23/24   Initial Preview Release

Considerations:

  • Kinney Group ITSI Content Pack Blog