robcowart/synesis_lite_suricata

Data from pfsense

xternaal opened this issue · 1 comment

Hi Rob,
Support for filebeat on BSD usually lags behind the releases. As such there is only a package for 6.7 Filebeat for BSD (which isn't compatible with ES/LS 7.x).
I use suricata on pfSense which has the option to dump json format (I think) into syslog and export via barnyard2 (so syslog input on logstash).

It also has the option to send the eve.json directly to redis.

I was wondering if you had any thoughts on the best way I could get the data to logstash without having to edit the filters too much.

The syslog looks like this when the eve.json dump is turned on:

```
Aug 6 17:33:07 pfsense-hostname suricata[82723]: {"timestamp": "2019-08-06T17:33:07.881056+1000", "flow_id": 790425064649987, "in_iface": "igb0", "event_type": "ssh", "src_ip": "x.x.x.x", "src_port": 40889, "dest_ip": "x.x.x.x", "dest_port": 22, "proto": "TCP", "ssh": {"client": {"proto_version": "2.0", "software_version": "OpenSSH_7.5-hpn14v5"}, "server": {"proto_version": "2.0", "software_version": "OpenSSH_7.5-hpn14v5"}}}
```

My guess is I need to set up the syslog input to strip all the data before `{"timestamp`... and then add the filebeat `event.type: suricata`. Then it should be able to just use the same filter?

Cheers
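As an added example (not code from the issue or from the synesis_lite_suricata project), here is the stripping step described above done in Python: parse the pfSense syslog header, recover the eve JSON, and wrap it in a filebeat-style event carrying `fields.event.type: suricata`. The event layout and the `syslog_to_filebeat_event` / `extract_eve_json` names are assumptions; lines from other daemons or with truncated JSON are rejected so they can be routed elsewhere instead of breaking the JSON filter.

```python
import json
import re

# Constructed sample, shaped like the pfSense syslog line quoted in the issue.
SAMPLE_LINE = (
    'Aug 6 17:33:07 pfsense-hostname suricata[82723]: {"timestamp": '
    '"2019-08-06T17:33:07.881056+1000", "flow_id": 790425064649987, '
    '"in_iface": "igb0", "event_type": "ssh", "src_ip": "x.x.x.x", '
    '"src_port": 40889, "dest_ip": "x.x.x.x", "dest_port": 22, "proto": "TCP", '
    '"ssh": {"client": {"proto_version": "2.0", "software_version": '
    '"OpenSSH_7.5-hpn14v5"}, "server": {"proto_version": "2.0", '
    '"software_version": "OpenSSH_7.5-hpn14v5"}}}'
)

# BSD syslog header: "<Mon> <day> <HH:MM:SS> <host> <program>[<pid>]: <message>"
# (\s+ after the month because BSD pads single-digit days with two spaces).
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$'
)


def extract_eve_json(line):
    """Return (header_match, eve_dict) for a suricata eve line, else None.
    Anything that is not a complete JSON object from the 'suricata' program
    (other daemons, a line cut off by the syslog size limit) is rejected."""
    m = SYSLOG_RE.match(line.strip())
    if not m or m.group('prog') != 'suricata':
        return None
    msg = m.group('msg')
    start = msg.find('{')          # drop everything before {"timestamp...
    if start < 0:
        return None
    try:
        eve = json.loads(msg[start:])
    except json.JSONDecodeError:   # truncated or non-JSON payload
        return None
    if not isinstance(eve, dict) or 'event_type' not in eve:
        return None
    return m, eve


def syslog_to_filebeat_event(line):
    """Wrap the eve record the way a filebeat 'fields:' block would (assumed layout)."""
    parsed = extract_eve_json(line)
    if parsed is None:
        return None
    m, eve = parsed
    return {
        'message': json.dumps(eve, separators=(',', ':')),  # raw eve JSON for the filter
        'fields': {'event': {'type': 'suricata'}},           # same tag filebeat would add
        'host': {'name': m.group('host')},
        'process': {'pid': int(m.group('pid')) if m.group('pid') else None},
    }
```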

Hi xternaal,
I use the filebeat package for freebsd (actual version is 6.8.5). Installed with an install script from Noebas on my pfsense device.
And it works together with synesis lite installation (docker installation of elk stack with version 7.5.0).
My filebeat configuration is:

```yaml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/suricata/*/eve.json*
  fields:
    event.type: suricata
```