Netgate Discussion Forum
    Pfsense + Ossim

    General pfSense Questions
    16 Posts 6 Posters 14.2k Views
    • henze

      see my attachment! patch fail! it didn't work :(

      (attachment: patchfail.PNG)
      • BBcan177 Moderator

        @henze:

        Thanks BBcan,
        can you explain to me more!
        The idea is that the log of pfSense will be sent to OSSIM. So I should upload a patch! After that, in (Status > System Logs) I enable logging to a server and I put the IP of OSSIM!
        Is it true what I say? And what about rules? And where should I place OSSIM, on a LAN pfSense interface or on the WAN interface?

        Hi, henze,

        First you need to install the package "Patches" (System:Packages:Available Packages, "System Patches").

        In the System:Patches menu, select "+" and add a new patch.

        If you're on 2.1.x, add this patch:
        http://files.pfsense.org/jimp/patches/pf-log-oneline-option-2.1.1.diff

        Once you have entered the patch details, you need to "Fetch" and then "Apply".

        (HELP LINK) https://doc.pfsense.org/index.php/System_Patches

        In Status:System Logs:Settings, you will see "Enable Remote Logging". Put a check.

        Under Remote Syslog Servers, enter the LAN IP address of the OSSIM machine.

        Select which logs you want to send to OSSIM (Contents settings).

        Make sure that OSSIM has UFW open to receive the syslogs on port 514 UDP:

        sudo ufw status

        (run this in OSSIM)

        You can change the default port by changing the pfSense "Remote Syslog Servers" LAN address to be

        x.x.x.x:PORT

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        • henze

          thanks for your explanation!
          but I have pfSense 2.1.2 so this didn't work! do you have another one to give me?

          • BBcan177 Moderator

            @henze:

            thanks for your explanation!
            but I have pfSense 2.1.2 so this didn't work! do you have another one to give me?

            I don't know if there is another patch available for 2.1.3, I use the 2.1.1 on 2.1.3 and it works.

            You might have to reboot the box? Or if it doesn't work after a reboot, try removing the patch, reboot and then add the patch again.

            • stephenw10 Netgate Administrator

              The patch is not particularly extensive, only two files and small changes. You can probably apply it manually in 2.1.3.

              Steve

              • BBcan177 Moderator

                You could also try this command in an OSSIM shell to see if you are receiving the syslogs from pfSense.

                sudo tcpdump -nnvvAi eth0 -s0 | grep xx.xx.xx.xx

                Change the xx.xx.xx.xx to your pfSense LAN address, and change eth0 to your OSSIM's listening interface.

                • wifiuk

                  Has anyone got pfSense to parse logs to OSSIM on the most recent version?

                  • wifiuk

                    I tweeted pfSense and AlienVault about this; they said it's a great idea, but someone needs to make a pfSense-side plugin to make it work.

                    So I started making a regex to import that data into OSSIM but I failed; it doesn't work as I can't get the regex correct.

                    Maybe someone else can have a crack, but if we can get the two systems to work together it would be so great.

                    • killmasta93

                      wifiuk, I would rather use ELK; see the link in my tutorials.

                      Tutorials:

                      https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

                      • stephenw10 Netgate Administrator

                        It should be easier in 2.2.X because the log format has changed. It's now single line: https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2

                        Steve

                        • McGlenn
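Since 2.2 writes one comma-separated line per filter event, the regex wifiuk was fighting with reduces to a regex for the syslog header plus a split on the documented field order. What follows is an added Python example, not code from this thread, from pfSense or from AlienVault: it parses what a remote syslog receiver such as OSSIM sees on UDP 514 and returns structured filter events. The filterlog field order is taken from the pfSense 2.2 filter log format document linked above as I recall it (common fields, then IPv4/IPv6 fields, then TCP/UDP fields), so verify it against that page; the sample lines, hostnames and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample of what a remote syslog receiver (OSSIM, or any UDP 514
# listener) sees from a pfSense 2.2 box with "Enable Remote Logging" on.
# Addresses and timestamps are made up; PRI 134 = local0.info.
SAMPLE_LINES = [
    "<134>Mar  3 10:15:42 pfsense filterlog: 5,16777216,,1000000103,em0,match,"
    "block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.10,192.0.2.5,51234,22,0,S,"
    "1234567890,,65535,,mss",
    "<134>Mar  3 10:15:43 pfsense filterlog: 9,16777216,,1000000110,em1,match,"
    "pass,out,4,0x0,,128,0,0,none,17,udp,78,192.0.2.5,192.0.2.53,53211,53,58",
    "<134>Mar  3 10:15:44 pfsense sshd[1234]: Accepted publickey for admin "
    "from 192.0.2.7 port 50000 ssh2",
]

# BSD syslog header: <PRI>Mmm dd hh:mm:ss host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Field order of the pfSense 2.2 single-line filterlog format. Assumption:
# written from the linked doc as recalled; verify against it before relying on it.
COMMON = ["rule_number", "sub_rule_number", "anchor", "tracker", "interface",
          "reason", "action", "direction", "ip_version"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protocol_id",
        "protocol", "length", "src", "dst"]
IPV6 = ["class", "flow_label", "hop_limit", "protocol", "protocol_id",
        "length", "src", "dst"]
TCP = ["src_port", "dst_port", "data_length", "tcp_flags", "seq", "ack",
       "window", "urg", "options"]
UDP = ["src_port", "dst_port", "data_length"]


def parse_syslog(line):
    """Split a BSD syslog line into its header parts; None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    pri = int(rec["pri"])
    rec["facility"] = pri // 8   # 16 = local0
    rec["severity"] = pri % 8    # 6 = info
    return rec


def parse_filterlog(msg):
    """Turn the CSV body of a filterlog message into a dict of named fields."""
    fields = msg.split(",")
    if len(fields) < len(COMMON):
        raise ValueError("filterlog line too short: %r" % msg)
    rec = dict(zip(COMMON, fields[:len(COMMON)]))
    rest = fields[len(COMMON):]
    ip_fields = {"4": IPV4, "6": IPV6}.get(rec["ip_version"])
    if ip_fields is None or len(rest) < len(ip_fields):
        raise ValueError("unknown IP version or truncated line: %r" % msg)
    rec.update(zip(ip_fields, rest[:len(ip_fields)]))
    rest = rest[len(ip_fields):]
    proto = rec["protocol"].lower()
    if proto == "tcp":
        rec.update(zip(TCP, rest))
    elif proto == "udp":
        rec.update(zip(UDP, rest))
    else:
        rec["extra"] = rest          # ICMP and others: kept raw, not modelled here
    return rec


def ingest_filterlog(lines, host=None):
    """Return parsed filter events from raw syslog lines, optionally from one host only."""
    events = []
    for line in lines:
        hdr = parse_syslog(line)
        if hdr is None or hdr["tag"] != "filterlog":
            continue                 # other daemons (sshd, dhcpd, ...) are skipped
        if host is not None and hdr["host"] != host:
            continue
        ev = parse_filterlog(hdr["msg"])
        ev["timestamp"] = hdr["ts"]
        ev["host"] = hdr["host"]
        events.append(ev)
    return events


def summarize(events):
    """Count events per firewall action: a quick sanity check that the feed is alive."""
    return dict(Counter(ev["action"] for ev in events))


if __name__ == "__main__":
    evs = ingest_filterlog(SAMPLE_LINES, host="pfsense")
    for ev in evs:
        print(ev["timestamp"], ev["interface"], ev["action"], ev["protocol"],
              ev["src"], "->", ev["dst"], ev.get("dst_port", ""))
    print(summarize(evs))
```

Feeding it real traffic is a matter of reading lines from a UDP socket bound to the port configured under "Remote Syslog Servers" instead of from SAMPLE_LINES; the host filter keeps a multi-source collector from applying the filterlog layout to lines that merely contain commas.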

                          AlienVault has now released a pfSense plugin.

                          Check out https://github.com/decay/alienvault-pfsense

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.