
Looking for a few pointers on getting Suricata on pfSense to talk to my Security Onion box.

    3 Posts 2 Posters 57 Views
aaronouthier wrote:

Hello, how would I go about sending my Suricata data into S.O.? I DID open the syslog firewall port in S.O., as per the S.O. web site, and locked it down to only allow the router's IP with a net mask of /32. However, I am kind of lost on the pfSense side.

[two screenshots attached to the original post]

aaronouthier wrote:

        Forgot a few screenshots, and couldn't edit my original post:

[two more screenshots attached]

bmeeks wrote:

          Your pfSense settings appear to be correct, but be aware that syslog on FreeBSD can impose a size limit on each syslog record. I seem to recall it is 480 bytes. It's actually related to the maximum "safe size" of a UDP datagram when the MTU is not known. So, this means that potentially a large chunk of each EVE JSON record will be truncated when sent over syslog.

          You will also need to be sure the Security Onion syslog daemon is configured to accept remote connections (including the port, which is normally 540) and that any firewall running on the Security Onion appliance has an appropriate pass rule enabled for the traffic.

          Better to install a third-party log scraper package and export the text EVE JSON log to your Security Onion box. Unfortunately, there is no natively available pfSense package for that. You will need to carefully cobble something together independently. A Graylog client is popular these days for such a task.

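To make the truncation risk bmeeks describes concrete, here is an added example (not code from the thread, pfSense or Suricata) that models a 480-byte syslog record limit against constructed EVE JSON records and shows why a newline-delimited TCP shipper is the safer transport. The sample records, signature id and hostnames are all constructed.

```python
import json
import socket
from typing import Iterable, List, Tuple

SYSLOG_LIMIT = 480  # per-record size limit for FreeBSD syslog cited in the thread

# Constructed sample EVE JSON lines (not real traffic). The alert carries an http
# block and a payload field, which is what pushes it well past 480 bytes.
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2025-01-01T00:00:00.000000+0000", "event_type": "flow",
                "src_ip": "192.0.2.10", "dest_ip": "198.51.100.20", "proto": "TCP"}),
    json.dumps({"timestamp": "2025-01-01T00:00:01.000000+0000", "event_type": "alert",
                "src_ip": "192.0.2.10", "dest_ip": "198.51.100.20", "proto": "TCP",
                "alert": {"signature": "CONSTRUCTED example signature",
                          "signature_id": 9000001, "severity": 2},
                "http": {"hostname": "example.invalid", "url": "/" + "a" * 200,
                         "http_user_agent": "x" * 100},
                "payload_printable": "GET /" + "a" * 200 + " HTTP/1.1"}),
]


def syslog_truncate(record: str, limit: int = SYSLOG_LIMIT) -> str:
    """Model a size-limited syslog transport: the record is cut at `limit` bytes."""
    return record.encode()[:limit].decode(errors="ignore")


def survives_syslog(record: str, limit: int = SYSLOG_LIMIT) -> bool:
    """True only if the record still parses as JSON after truncation."""
    try:
        json.loads(syslog_truncate(record, limit))
        return True
    except json.JSONDecodeError:
        return False


def triage(lines: Iterable[str]) -> List[Tuple[str, int, bool]]:
    """(event_type, byte length, survives) per record: which events a syslog
    export would silently destroy before Security Onion ever parses them."""
    return [(json.loads(l)["event_type"], len(l.encode()), survives_syslog(l)) for l in lines]


def frame_ndjson(lines: Iterable[str]) -> bytes:
    """Newline-delimited framing as a TCP log shipper would send it: no record is cut."""
    return b"".join(l.encode() + b"\n" for l in lines)


def ship_over_tcp(host: str, port: int, lines: Iterable[str]) -> None:
    """Send framed EVE records to a remote collector over a stream socket (hypothetical endpoint)."""
    with socket.create_connection((host, port)) as sock:
        sock.sendall(frame_ndjson(lines))
```

Running `triage(SAMPLE_EVE_LINES)` shows the short flow record surviving and the alert record failing to parse once cut at 480 bytes, while `frame_ndjson` delivers both intact.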
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.