Sending pfSense logs to Splunk
-
Any good resources for installing the Splunk Forwarder into pfSense? First time doing any of this.
-
@kbohlken Being honest up front, I've never used Splunk as an administrator (I am a user, sifting through data collected, but I have not had to handle the setup side of it), but I thought it had the ability to listen as a syslog server. If that's the case, then you could add your Splunk server in the Remote Logging settings for pfSense (Status > System Logs > Settings).
If Splunk doesn't do it itself, there appears to be a piece called Splunk Connect for syslog that does do it... or maybe does it better than Splunk's built-in syslog functionality.
-
I haven't installed Splunk Forwarder on pfSense itself. But, I'll throw out what I did to get pfSense logs into Splunk.
I have two syslog-ng servers set up that I can forward my pfSense logs to via syslog. I then have the Splunk Universal Forwarder set up on the two syslog servers to forward the logs into Splunk. I only use one of the syslog servers at a time; the other one is a backup in case I take the main syslog server down for maintenance. Both syslog-ng servers run on Ubuntu Server in virtual machines. I set it up this way so that I don't always have to have my Splunk server running; I just need to have one of the syslog-ng servers running and collecting the logs, which uses fewer system resources on the VMs' host system.
I used this guide and modified it for my use case:
https://www.nuharborsecurity.com/splunk-data-onboarding-success-with-syslog-ng-and-splunk-part-2
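The syslog-ng plus Universal Forwarder layout described in the post above, as an added example (this is not the poster's configuration and not taken from the linked guide). It assumes the pfSense remote logging target is a syslog-ng host on Ubuntu, that pfSense sends UDP syslog on port 514 (its default), a constructed firewall address of 192.0.2.1, and a Splunk index named `firewall` and sourcetype `pfsense` that already exist on the indexer; the file paths and the `splunk` user are assumptions as well.

```conf
# --- /etc/syslog-ng/conf.d/pfsense.conf on the syslog-ng host (assumed path) ---

# Listen for pfSense remote logging. pfSense sends RFC 3164 syslog over UDP by default.
source s_pfsense {
    network(
        ip("0.0.0.0")
        port(514)
        transport("udp")
    );
};

# UDP syslog carries no sender authentication, so accept only messages whose
# source IP is the firewall (192.0.2.1 is a constructed example address) and
# keep this listener on the management network.
filter f_from_pfsense { netmask("192.0.2.1/32"); };

# One file per sending host per day. The Universal Forwarder tails this tree,
# so the files are owned by the forwarder's user and not world-readable.
destination d_pfsense {
    file("/var/log/pfsense/${HOST}/${YEAR}-${MONTH}-${DAY}.log"
         create-dirs(yes)
         owner("splunk") group("splunk") perm(0640)
         dir-owner("splunk") dir-group("splunk") dir-perm(0750));
};

log { source(s_pfsense); filter(f_from_pfsense); destination(d_pfsense); };


# --- $SPLUNK_HOME/etc/apps/pfsense_inputs/local/inputs.conf on the same host (assumed app name) ---

# Monitor the directory syslog-ng writes to. host_segment = 4 takes the host
# name from the fourth path segment (/var/log/pfsense/<host>/...), so each
# event is attributed to the firewall that sent it rather than to the syslog box.
[monitor:///var/log/pfsense/*/*.log]
disabled = false
sourcetype = pfsense
index = firewall
host_segment = 4
```

On the pfSense side the only setting needed is the syslog-ng host's address in Status > System Logs > Settings under Remote Logging. Because the same file layout is produced on both syslog-ng servers, the backup server needs an identical copy of these two files, and the forwarder on each points at the same indexer; the `netmask()` filter is what keeps a stray host on the network from writing into the firewall index.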