Re: [pfSense] Recommendations for Analyzing Firewall logs
Hi Robert, if you are curious I wrote a bachelor thesis about structured log management incl. logstash, graylog2, ELSA, octopussy, rsyslog, syslog-ng. You can find it at http://it-hure.de/

CU Jens
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Recommendations for Analyzing Firewall logs
This is bugging me too.

Jan

On 14. 5. 2014 at 21:45, Robert Guerra rgue...@privaterra.org wrote:

> I'm curious what, if any, packages or tools folks on this list might be using to analyze pfSense firewall logs. My interest is to, if possible, have the firewall logs sent to a remote syslog server running on a Raspberry Pi on my network and from there have the logs aggregated and presented in a report of some kind. Open to other options, including having the logs sent to a cloud service for visualization. I'm not sure of the options available, and thus keen to know how others are doing firewall log analysis.
>
> regards
>
> Robert
Re: [pfSense] Recommendations for Analyzing Firewall logs
rsyslog + elasticsearch + kibana

On Wed, May 14, 2014 at 8:22 AM, Jan Tichý ja...@me.com wrote:

> This is bugging me too.
>
> Jan
>
> On 14. 5. 2014 at 21:45, Robert Guerra rgue...@privaterra.org wrote:
>
>> I'm curious what, if any, packages or tools folks on this list might be using to analyze pfSense firewall logs. My interest is to, if possible, have the firewall logs sent to a remote syslog server running on a Raspberry Pi on my network and from there have the logs aggregated and presented in a report of some kind. Open to other options, including having the logs sent to a cloud service for visualization. I'm not sure of the options available, and thus keen to know how others are doing firewall log analysis.
>>
>> regards
>>
>> Robert
Re: [pfSense] Recommendations for Analyzing Firewall logs
Do you have some good grok patterns for indexing pfSense data? I started some a while back for this exact setup but gave up.

On Wednesday, May 14, 2014 8:37 AM, RB aoz@gmail.com wrote:

> rsyslog + elasticsearch + kibana
>
> On Wed, May 14, 2014 at 8:22 AM, Jan Tichý ja...@me.com wrote:
Re: [pfSense] Recommendations for Analyzing Firewall logs
On 5/14/2014 2:16 PM, Travis Hansen wrote:

> Do you have some good grok patterns for indexing pfSense data? I started some a while back for this exact setup but gave up.

Keep an eye on the logs for pfSense 2.2. We ditched the native pflog tcpdump-style output and changed to a single-line comma-separated log output that should be fairly simple to parse by external utilities. The logs on 2.2 have some issues on amd64 yet, but work on i386 if you're looking to tinker right now.

Jim
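As an added example (not from the thread and not pfSense project code), a small Python parser for the kind of single-line comma-separated filterlog record Jim describes, with the blocked-source tally a report like Robert's would start from. The syslog prefix, the field layout (common header, then per-IP-version fields, then per-protocol fields) and the sample lines are assumptions constructed for the example, so check them against the log format of the release you actually run.

```python
import re
from collections import Counter
# Syslog prefix (assumed shape) in front of the comma-separated filterlog payload.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\sfilterlog(?:\[\d+\])?:\s(?P<csv>.*)$")
# Assumed field layout: common header, then per-IP-version fields, then per-protocol fields.
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto", "length", "src", "dst"]
IPV6 = ["class", "flow", "hoplimit", "proto", "proto_id", "length", "src", "dst"]
TCP = ["srcport", "dstport", "datalen", "tcpflags", "seq", "ack", "window", "urg", "options"]
UDP = ["srcport", "dstport", "datalen"]

def _take(names, fields, rec):
    """Move the next len(names) CSV values into rec; None if the record is truncated."""
    if len(fields) < len(names):
        return None
    rec.update(zip(names, fields))
    return fields[len(names):]

def parse_filterlog(line):
    """Return a dict of named fields, or None for non-filterlog or malformed lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None                              # e.g. an sshd line: skip it, never crash
    rec = {"ts": m.group("ts"), "host": m.group("host")}
    rest = _take(COMMON, m.group("csv").split(","), rec)
    if rest is not None:
        rest = _take(IPV4 if rec["ipver"] == "4" else IPV6, rest, rec)
    if rest is None:
        return None
    proto = rec["proto"].lower()
    if proto in ("tcp", "udp"):                  # TCP options use ';', so no comma clash
        _take(TCP if proto == "tcp" else UDP, rest, rec)
    return rec

def top_blocked_sources(lines, n=3):
    """Count inbound blocks per source address: the core of a simple daily report."""
    counts = Counter()
    for rec in map(parse_filterlog, lines):
        if rec and rec["action"] == "block" and rec["direction"] == "in":
            counts[rec["src"]] += 1
    return counts.most_common(n)

# Constructed sample syslog lines (not real traffic), using documentation address ranges.
SAMPLE = [
    "May 14 21:45:01 pfsense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.9,192.0.2.1,51234,22,0,S,1234567890,,65535,,mss;sackOK",
    "May 14 21:45:02 pfsense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,none,17,udp,78,203.0.113.9,192.0.2.1,40000,161,58",
    "May 14 21:45:03 pfsense filterlog: 9,,,1000000104,em0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.0.2.1,198.51.100.7,33000,443,0,S,1111,,29200,,mss",
    "May 14 21:45:04 pfsense sshd[123]: Accepted publickey for admin",
    "May 14 21:45:05 pfsense filterlog: 5,,,1000000103,em0,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::9,2001:db8::1,50000,22,0,S,1,,65535,,mss",
]
```

Feeding the parsed dicts to a logstash or rsyslog JSON output instead of Counter is the point where this becomes the grok-free indexing Travis was after.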
Re: [pfSense] Recommendations for Analyzing Firewall logs
On Wed, May 14, 2014 at 12:16 PM, Travis Hansen travisghan...@yahoo.com wrote:

> Do you have some good grok patterns for indexing pfSense data? I started some a while back for this exact setup but gave up.

Unfortunately no, I had to move off of pfSense for non-pfSense reasons and haven't been chasing its data recently. I have, however, been using ES + kibana in the IR world to reasonable success.
Re: [pfSense] Recommendations for Analyzing Firewall logs
Here's one I've been looking at: https://code.google.com/p/enterprise-log-search-and-archive/

On Wed, May 14, 2014 at 6:45 AM, Robert Guerra rgue...@privaterra.org wrote:

> I'm curious what, if any, packages or tools folks on this list might be using to analyze pfSense firewall logs. My interest is to, if possible, have the firewall logs sent to a remote syslog server running on a Raspberry Pi on my network and from there have the logs aggregated and presented in a report of some kind. Open to other options, including having the logs sent to a cloud service for visualization. I'm not sure of the options available, and thus keen to know how others are doing firewall log analysis.
>
> regards
>
> Robert
Re: [pfSense] Recommendations for Analyzing Firewall logs
I like RB's reference. I will be looking into that as well. Currently I'm using ManageEngine's Firewall Analyzer product on some FortiGates at work. Note I haven't checked that out yet against pfSense; I'd prefer an open source solution anyway.

On Wed, May 14, 2014 at 8:37 AM, RB aoz@gmail.com wrote:

> rsyslog + elasticsearch + kibana
>
> On Wed, May 14, 2014 at 8:22 AM, Jan Tichý ja...@me.com wrote:
>
>> This is bugging me too.
>>
>> Jan
>>
>> On 14. 5. 2014 at 21:45, Robert Guerra rgue...@privaterra.org wrote:
>>
>>> I'm curious what, if any, packages or tools folks on this list might be using to analyze pfSense firewall logs. My interest is to, if possible, have the firewall logs sent to a remote syslog server running on a Raspberry Pi on my network and from there have the logs aggregated and presented in a report of some kind. Open to other options, including having the logs sent to a cloud service for visualization. I'm not sure of the options available, and thus keen to know how others are doing firewall log analysis.
>>>
>>> regards
>>>
>>> Robert
Re: [pfSense] Recommendations for Analyzing Firewall logs
Yes, the combination of LOGSTASH/ELASTICSEARCH/KIBANA has been a massive improvement for our datacenter. We literally have *everything* (syslog/http/haproxy/vpn/etc/etc) getting dumped into it. Being able to find the proverbial needle in the haystack for the past year with 0 effort has made tracing things down effortless. Even without proper indexing on pfSense logs it's still relatively easy to find what I'm looking for.

On Wednesday, May 14, 2014 2:40 PM, RB aoz@gmail.com wrote:

> Unfortunately no, I had to move off of pfSense for non-pfSense reasons and haven't been chasing its data recently. I have, however, been using ES + kibana in the IR world to reasonable success.
Re: [pfSense] Recommendations for Analyzing Firewall logs
I'm using Graylog2, graylog2.org. Open source, good community. I'm running it mainly for log storage and searching. Definitely worth checking out, it's a great product.

--- Original Message ---
From: Robert Guerra rgue...@privaterra.org
Sent: May 14, 2014 9:46 AM
To: pfSense Support and Discussion Mailing List list@lists.pfsense.org
Subject: [pfSense] Recommendations for Analyzing Firewall logs

> I'm curious what, if any, packages or tools folks on this list might be using to analyze pfSense firewall logs. My interest is to, if possible, have the firewall logs sent to a remote syslog server running on a Raspberry Pi on my network and from there have the logs aggregated and presented in a report of some kind. Open to other options, including having the logs sent to a cloud service for visualization. I'm not sure of the options available, and thus keen to know how others are doing firewall log analysis.
>
> regards
>
> Robert