@aaronouthier said in Looking for few pointers getting Suricata on PFSense to talk to my Security Onion box.:

Ok, so I've been researching the topic. It seems SO has an integration for PFSense. However, the FreeBSD implementation of Syslog is not optimal for this purpose, as mentioned above.

Although I am comfortable with CLI Linux, I am effectively a Newbie with regard to BSDs.

My next question is: What would be the least invasive method as far as the PFSense Box to export just the Suricata logs? I believe I saw an option to log to a Unix Socket. Would that be helpful coupled with something like Netcat? I'm not necessarily looking for help with such a feat, just wondering if such would likely be fruitful, or am I just chasing the infamous wild goose?

I recommend exporting the EVE JSON log as that will be the most comprehensive. To export to a UNIX socket, change the EVE OUTPUT TYPE setting to UNIX socket. You will need to manually create the socket and give it a name. It will be up to you then to "receive" the socket data stream and redirect it elsewhere (seems you want it remote for your case to Security Onion).

@cdal

This could be a great security improvement ... It's the only way to do MFA with "LDAP/AD" backend for exemple (using oauth 2 proxy for exemple)

@rocket

Updated July 20-2025

pfsense 24.11 - Telegraf freebsd-15

pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/telegraf-1.35.1.pkg

pfsense 2.7.2 - Telegraf freebsd-14

pkg add -f https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/telegraf-1.35.1_1.pkg

https://www.freshports.org/net-mgmt/telegraf/#history

@ameinild Yes, I just confirmed at home that it is still working. I had some icon error right after install, but this seems to be fixed now. 👍

@Zermus said in crowdsec:

It's a shame Elastic took their stuff in house and ELK stacks are no longer free. Tom Lawrence's (https://www.youtube.com/@LAWRENCESYSTEMS) videos convinced me that I should go over to Graylog Open on my personal stuff when that happened and I'm happy with it.

I always viewed ELK as overly complicated. Graylog is much more manageable, although the console isn't as nice. Work in progress.

@MrWhatZitTooya666 said in Installing sudo or nano issues?:

"pkg+https://pkg.pfsense.org/pfSense_v2_8_0_amd64-core",
"pkg+https://pkg.pfsense.org/pfSense_v2_8_0_amd64-pfSense_v2_8_0",

looks good.

Try Forced pkg Reinstall

https://docs.netgate.com/pfsense/en/latest/troubleshooting/upgrades.html

To forcefully reinstall all packages, take the following steps:

Review the list of changes and enter y to proceed

Manually reboot the firewall

Recently (May-Jun 2025) Grafana received a HUGE update (even possible to saying “reworked from scratch” because some fundamental changes made): from more closely integration with GitLab CVS and making the database abstraction layer to tabs, custom and dynamic dashboards and interactive elements.
After some time of stagnation, “new Grafana” start to receive a real most asked and usable updates. Just look at this!

With this new updates Your Grafana’s dashboard for pfSense receive a REALLY USEFUL FORM !

P.S.
And personally I need to note that pfSense Dashboard lost their actuality because in Grafana You may receive more usable, dive-in-detailed, much more detailed and granulated, interactive view and (in some cases, more important than view) strongly secured user authentication scheme.

@dennypage nice! I think the running 3 instances and filtering vlans on 0 (untagged traffic) would eliminate any sort of bogon because the source IP range is different than the actual network being seen on.

@gm2005fl that's great news, and very useful information for those of us (i.e me!) not realising there are different versions InfluxDB :)

@Gertjan said in HA proxy with ssl:

not mail.contose.com.

@Gertjan I have 2 isp and mail.contose points to those ip addresses and MX. I am using a linux mail server. I have a DV cert installed on each server. for my web server I have added the following:

f12dc686-bf5e-4470-893e-fe8317269460-image.png

6940d697-2a2b-4945-b93b-535c91cf9676-image.png

and the default backend for that rule is httpswww-copy

@jimp

Hi,

as far as I know the lcd driver (LCDd) is connected to the display via USB/Serial/Parallel but the lcdproc process is connected to the driver in this way:

Extract from pfctl -ss:

So there could be a possibility to loose connection when states get killed ... IMHO (If I'm wrong please correct)

EDIT: I cleared all states and this made the lcdproc also to loose connection flooding the syslog. After restarting lcdproc all fine again.

Regards,
fireodo

@heavymetalforever78 pfsense can for sure run on 1gb of ram - and other VMs could run on far less.. I have both a 2.8 vm and a 24.03 vm running on my nas, they only get 1GB each, etc.

Don't try running some type 2 VM, run something like esxi or proxmox or something on the hardware..

To be honest if your goal is a NVR - get an actual NVR.. They use very little power, and are not all that expensive. I see some on amazon for like 60 bucks.. You would have to add some HDD.. but how much can a 2 or 4TB disk cost these days?

Trying to use your "firewall" as your everything box is never a good idea.