pfSense#

Integration Details

  Ingester: Simple Relay
  Kit: pfSense

pfSense Configuration#

Set the Log Message Format to RFC 5424#

  1. Open the web interface for pfSense, and navigate to Status -> System Logs

  2. Click on the Settings tab to view logging options

  3. Ensure that the Log Message Format is set to “syslog (RFC 5424…)”. The Simple Relay listener configured later on this page uses an RFC 5424 reader, so pfSense must emit that format rather than the legacy BSD syslog format.


Enable Remote Logging#

  1. Open the web interface for pfSense, navigate to Status -> System Logs, and click on the Settings tab

  2. Scroll down to the Remote Logging Options section

  3. Check the box to enable remote logging

  4. Add the IP address of your Simple Relay ingester in the list of remote logging servers

    • Be sure the port matches the one your Simple Relay listener binds (515 in the sample listener configuration on this page). pfSense ships remote syslog over UDP, which is neither authenticated nor encrypted, so the relay should only be reachable from pfSense on a management network.

  5. Under Remote Syslog Contents, select the log categories you want shipped to Gravwell.

    • If you want to use the firewall components in this kit, be sure to check the box for Firewall Events

  6. Click Save

You can read more about remote logging in the pfSense® documentation.


Gravwell Configuration#

Gravwell Storage Well Configuration#

Set up the well configuration on your Gravwell indexers. The tag pattern below matches the tag assigned by the Simple Relay listener, so pfSense data is stored in its own well.

Sample well config:
Create or edit: /opt/gravwell/etc/gravwell.conf.d/pfsense-well.conf

[Storage-Well "pfsense"]
    Location=/opt/gravwell/storage/pfsense
    Tags=pfsense*

Gravwell Ingester Configuration#

Sample pfSense config:
Create or edit: /opt/gravwell/etc/simple_relay.conf.d/pfsense.conf

[Listener "pfsensesyslogudp"]
# Standard UDP based RFC 5424 syslog. 0.0.0.0 listens on every interface;
# bind to the address pfSense reaches instead if the host is multi-homed,
# and firewall UDP/515 so only pfSense can send to it (UDP syslog carries
# no authentication, so any host that can reach the port can inject entries).
Bind-String="udp://0.0.0.0:515"
# Must match the Log Message Format selected in pfSense (RFC 5424).
Reader-Type=rfc5424
# Matches the Tags=pfsense* pattern of the storage well above.
Tag-Name=pfsensesyslog
# Only affects entries whose timestamp carries no zone offset;
# RFC 5424 timestamps from pfSense normally include one.
Assume-Local-Timezone=true
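Before pointing pfSense at the listener it is worth confirming that what it sends is really RFC 5424 and not the legacy BSD format, and that the listener port is reachable. The following is an added example written for this page, not code from the Gravwell kit or from pfSense: it parses the RFC 5424 header that the rfc5424 reader expects, rejects a BSD-style line, and can send a test message over UDP to the relay. The two sample lines are constructed, the PRI value 134 (local0.info) is an assumption about how filterlog logs, and the default host and port are placeholders matching the sample listener.

```python
"""Check that a syslog line has the RFC 5424 shape the Simple Relay
listener (Reader-Type=rfc5424) expects, and send a test line over UDP.
Added example for this page; not part of the Gravwell pfSense kit."""
import re
import socket
from datetime import datetime

# RFC 5424 header:
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\])(?: (?P<msg>.*))?$"
)

# Constructed sample lines (not captured from a real firewall).
# What pfSense sends with Log Message Format = syslog (RFC 5424).
# PRI 134 = facility 16 (local0) * 8 + severity 6 (info): an assumption.
RFC5424_LINE = (
    "<134>1 2024-03-05T14:07:09.123456-05:00 pfsense.example.internal "
    "filterlog 31337 - - "
    "5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,"
    "203.0.113.7,192.0.2.10,51234,22,0,S,1,,65535,,mss"
)
# What pfSense sends with the legacy BSD format; the rfc5424 reader is
# not built for this header shape.
BSD_LINE = (
    "<134>Mar  5 14:07:09 pfsense filterlog[31337]: "
    "5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,"
    "203.0.113.7,192.0.2.10,51234,22,0,S,1,,65535,,mss"
)


def parse_rfc5424(line: str):
    """Return the header fields of an RFC 5424 line, or None if the line
    is not RFC 5424 (for example a BSD/RFC 3164 style line)."""
    m = RFC5424_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    pri = int(rec["pri"])
    if pri > 191:  # facility 0..23, severity 0..7
        return None
    rec["facility"], rec["severity"] = divmod(pri, 8)
    # RFC 5424 timestamps are RFC 3339 with a zone offset; fromisoformat
    # accepts that form. A timestamp with no offset would be the case
    # where Assume-Local-Timezone matters on the listener.
    try:
        rec["time"] = datetime.fromisoformat(rec["timestamp"])
    except ValueError:
        return None
    rec["has_zone"] = rec["time"].tzinfo is not None
    return rec


def is_rfc5424(line: str) -> bool:
    """True if the relay's rfc5424 reader will see a valid header."""
    return parse_rfc5424(line) is not None


def send_test_message(line: str, host: str = "127.0.0.1", port: int = 515) -> int:
    """Send one syslog line to the Simple Relay listener over UDP and
    return the number of bytes sent. Host and port are placeholders;
    use the address and port configured in the listener."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode("utf-8"), (host, port))


if __name__ == "__main__":
    for sample in (RFC5424_LINE, BSD_LINE):
        rec = parse_rfc5424(sample)
        if rec is None:
            print("NOT RFC 5424:", sample[:40])
        else:
            print("RFC 5424 ok: app=%s host=%s facility=%d severity=%d zone=%s"
                  % (rec["appname"], rec["hostname"], rec["facility"],
                     rec["severity"], rec["has_zone"]))
    # Uncomment to push the sample into a listener and then search
    # tag=pfsensesyslog in Gravwell to confirm the pipeline end to end.
    # send_test_message(RFC5424_LINE, host="relay.example.internal", port=515)
```

Run the script against a line captured with tcpdump on the relay host if you want to check what pfSense actually sends; a line that comes back "NOT RFC 5424" means the Log Message Format step above was not applied, and the entries will not be parsed the way the kit expects.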