    PfSense Syslog to Microsoft Operations Management Suite (OMS)

      brandur

      Hi
      This is a bit over my head, so I thought I'd try asking here :)
      I was reading and afterwards watched a demo of the "Microsoft Operations Management Suite" and was quite intrigued by it (even though it's still WIP).

      Has anyone tried to collect pfSense syslog data to OMS?
      If so, how did you go about setting it up?
      I would love to try it out.

      I did find something about it. But as I stated earlier, I really don't know where to start or even if it's possible.
      https://blogs.technet.microsoft.com/msoms/2016/05/12/syslog-collection-in-operations-management-suite/
      https://msandbu.wordpress.com/2016/02/22/monitoring-syslog-from-oms-with-non-oms-agents/

      It's free to try/use (Free limitations are, as I can see: 500MB per day and a retention period of 7 days).
      https://azure.microsoft.com/en-us/pricing/details/log-analytics/

      Any input is welcome  ;D

      SG-4860 w/128GB SSD & 8GB RAM

        TheUniquePaulSmith

        I realize this is an old post, but I recently had the same idea and wanted to share my experience for others. I was able to come up with 2 solutions.

        Option 1: Deploy a Linux-based syslog server, install the Linux OMS agent, and forward the events from pfSense to the Linux server, which in turn will send them to Azure OMS.
        This worked pretty well, except the filterlog is CSV encoded when sent to Azure OMS. There is a Custom Column feature in preview that can extrapolate it into discrete fields, but it was buggy and didn't work when I tried it.

        Option 2: Re-parse and send the data from pfSense syslog to Azure OMS using the Azure Data Collector REST API.
        This was my preference and I ended up creating a .NET Solution with multiple projects for specific tasks:

        1. pfSense filter log reparser - Deserializes the CSV message in the filterlog (https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2)
        2. SysLog Receiver - Syslog UDP client, that deserializes SysLog Events (https://www.ietf.org/rfc/rfc3164.txt)
        3. Azure Uploader - Uploads messages into Azure using the REST API

        With these 3 projects I was able to send formatted filterlog messages into Azure OMS. My future plan is to also send Snort/Suricata data so I can report off them in PowerBI.
        I'll post the solution on GitHub for others that are interested.

        Below is an example of the data in PowerBI:

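Added example, not part of the thread and not the .NET solution described in the post above: the first two steps of Option 2 in Python, splitting an RFC 3164 syslog line and turning the filterlog CSV payload into named fields, one dict per event. The field names are labels chosen here that follow the linked pfSense 2.2 filter log format, the hostname is assumed to be optional, and the sample lines are constructed.

```python
import re

# Field order per the pfSense 2.2 filter log format the post links to.
COMMON = ["rule", "subrule", "anchor", "tracker", "interface", "reason",
          "action", "direction", "ip_version"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto",
        "length", "src", "dst"]
IPV6 = ["class", "flow_label", "hop_limit", "proto", "proto_id", "length",
        "src", "dst"]
L4 = {"tcp": ["src_port", "dst_port", "data_length", "tcp_flags", "seq",
              "ack", "window", "urg", "options"],
      "udp": ["src_port", "dst_port", "data_length"]}

# RFC 3164 header; the hostname is optional because some senders omit it.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?:\S+ )?(?P<tag>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")

def parse_filterlog(msg):
    parts = msg.split(",")
    if len(parts) < len(COMMON):
        return None  # too short to be a filterlog record
    rec = dict(zip(COMMON, parts))
    rest = parts[len(COMMON):]
    ip_fields = {"4": IPV4, "6": IPV6}.get(rec["ip_version"])
    if ip_fields is None or len(rest) < len(ip_fields):
        return rec  # unknown IP version or truncated: common fields only
    rec.update(zip(ip_fields, rest))
    # Transport fields exist only for TCP/UDP; ICMP etc. keep the IP fields.
    rec.update(zip(L4.get(rec["proto"].lower(), []), rest[len(ip_fields):]))
    return rec

def to_record(line):
    # Returns None for anything that is not a well-formed filterlog event.
    m = SYSLOG_RE.match(line.strip())
    rec = parse_filterlog(m["msg"]) if m and m["tag"] == "filterlog" else None
    if rec is not None:
        pri = int(m["pri"])
        rec.update(facility=pri >> 3, severity=pri & 7, timestamp=m["ts"])
    return rec

# Constructed sample datagrams (documentation addresses, not real traffic).
SAMPLES = [
    "<134>Feb 22 10:15:32 filterlog: 5,16777216,,1000000103,igb0,match,block,"
    "in,4,0x0,,64,4242,0,DF,6,tcp,60,203.0.113.7,192.0.2.10,51234,22,0,S,"
    "1234567890,,29200,,mss;sackOK",
    "<30>Feb 22 10:15:34 fw1 dhcpd: DHCPACK on 192.0.2.20",
]
if __name__ == "__main__":
    print([r for r in map(to_record, SAMPLES) if r])
```

Each returned dict can be serialized as JSON for the upload step, which avoids the CSV-in-one-column problem described under Option 1.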
          juniorlx_ti @TheUniquePaulSmith

          @terminalhit
          Hi,
          Were you able to perform this configuration between pfSense + Syslog + OMS Azure + PowerBI?
