Comments (5)
The match on tcp_flags is on the word boundaries. So it should match all of RA, FA, FPA, etc. The fact that you are seeing RA and FA, to me, seems like it's not an issue on the ELK side but on the pfSense side.
Are you sending all syslog events in pfSense or just a subset? Are you seeing any _grokparsefailure tagged messages in your indices?
from logstash-pfsense.
So, I am sending all of my traffic to logs, and I am not seeing _grokparsefailure tags on any of the traffic in question. I see the data (in the attached file, they are all PA or FPA) in the data message where it is expected to be, it just doesn't get tagged. But I'm with you in wondering if this is something weird in how pfSense is translating the actual data into human-readable format (maybe there's an ASCII issue?) since the grok is for a pretty straightforward word regex. I'll pursue with them as well.
All Clients - Outbound Blocked Traffic (pfSense).txt
Thank you, Patrick. Appreciate your attention!
Oh, and because I'm curious, I'm wondering if you're seeing the same thing. If you want to check your own logs, look specifically for blocked outbound TCP traffic on your LAN interface(s).
I'm trying to parse out the causes for outbound traffic being blocked on the firewalls I manage. There are lots of possible reasons and it would be a lot easier if I could weed out based on tcp_flags... but... ;-)
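As an added example (not code from this thread or from logstash-pfsense), the Python below applies the same whole-word rule to the tcp_flags field of constructed filterlog lines and then splits blocked outbound TCP by whether SYN is set, which is the weeding-out step asked about above. The filterlog field positions, the sample lines (including one with a deliberately hidden character) and the helper names are my assumptions.

```python
import re
from collections import Counter

# Constructed pfSense filterlog lines (IPv4), not real traffic. Field layout is assumed
# to follow the pfSense filterlog CSV format: ...,action(6),direction(7),ip-version(8),
# ...,protocol-text(16),length,src(18),dst(19),sport,dport,data-len,tcp-flags(23),...
SAMPLE_LOGS = [
    "5,,,1000000103,em1,match,block,out,4,0x0,,64,1111,0,DF,6,tcp,52,192.168.1.10,203.0.113.5,51234,443,0,PA,1,2,65535,,",
    "5,,,1000000103,em1,match,block,out,4,0x0,,64,1112,0,DF,6,tcp,52,192.168.1.10,203.0.113.5,51234,443,0,FPA,3,4,65535,,",
    "5,,,1000000103,em1,match,block,out,4,0x0,,64,1113,0,DF,6,tcp,40,192.168.1.11,198.51.100.9,40000,80,0,RA,5,6,0,,",
    "5,,,1000000103,em1,match,block,out,4,0x0,,64,1114,0,DF,6,tcp,60,192.168.1.12,198.51.100.9,40001,22,0,S,7,0,65535,,",
    # Constructed defect: a zero-width space inside the flags field, which a whole-word
    # match will not accept (the kind of hidden-character issue the thread wonders about).
    "5,,,1000000103,em1,match,block,out,4,0x0,,64,1115,0,DF,6,tcp,52,192.168.1.13,203.0.113.5,51235,443,0,P\u200bA,9,0,65535,,",
    "5,,,1000000103,em1,match,pass,in,4,0x0,,64,1116,0,DF,6,tcp,60,203.0.113.7,192.168.1.10,50000,443,0,S,11,0,65535,,",
    "5,,,1000000103,em1,match,block,out,4,0x0,,64,1117,0,,17,udp,78,192.168.1.12,192.168.1.1,5353,5353,58",
]

# Same idea as a grok word match: the whole field must be a run of TCP flag letters.
TCP_FLAGS_RE = re.compile(r"[FSRPAUEWC]{1,8}")


def parse_filterlog(line):
    """Split one filterlog line into the fields needed for triage; None if too short."""
    f = line.split(",")
    if len(f) < 20:
        return None
    rec = {"action": f[6], "direction": f[7], "proto": f[16], "src": f[18], "dst": f[19]}
    if rec["proto"] == "tcp" and len(f) > 23:
        rec.update(sport=f[20], dport=f[21], tcp_flags=f[23])
    return rec


def classify_blocked_outbound(lines):
    """Count tcp_flags on blocked outbound TCP; collect flag fields the word match rejects."""
    counts, unmatched = Counter(), []
    for line in lines:
        rec = parse_filterlog(line)
        if not rec or (rec["action"], rec["direction"], rec["proto"]) != ("block", "out", "tcp"):
            continue
        flags = rec["tcp_flags"]
        if TCP_FLAGS_RE.fullmatch(flags):
            counts[flags] += 1
        else:
            unmatched.append(repr(flags))  # repr() exposes hidden characters
    return counts, unmatched


def triage(counts):
    """SYN-bearing blocks are new connection attempts; the rest typically matched no state."""
    syn = sum(n for flags, n in counts.items() if "S" in flags)
    return {"new_connections": syn, "out_of_state": sum(counts.values()) - syn}
```

Run `classify_blocked_outbound` over a raw syslog capture and anything listed in `unmatched` is a field the grok word match would also skip, which narrows the question to what pfSense actually emitted.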
The data I have access to right now is from over a year ago. But I do see some documents for FA, RA, FPA, and SA.
I would be curious to see whether you can capture some raw syslog traffic from pfSense. Either setting up a secondary output in logstash or tcpdump could be an option.
Yes, I'm sure I can do that. It might take me a bit, but I'll get it as quickly as I can manage.