Send Suricata alerts to pfsense firewall log option
Hi I’ve been running Suricata for a long time & now I’m experimenting with ELK (Elasticsearch,Logstash & Kibana) I’ve found that the configurations for getting this working vary widely everyone does things different one idea I’m trying is to use the pfsense ‘Send log messages to a remote syslog server’ rather than Banyard2.
I managed to get my Suricata alerts to writing logs to the Pfsense system log’s but I can’t get them to appear in the Firewall log is it possible what combo of settings would get this done?
@jasonau Kinda upset that no1 has chimed in on this. I've been wondering the same thing for a very long time. Why is this not a thing?
bmeeks last edited by
You can try adjusting the syslog facility on the INTERFACE SETTINGS tab. But you may still find
syslogtruncating long messages, as it has an internal limit on line length.
The system log and firewall log are really the same, but filtering is done by the pfSense code to send different messages to different log files. Have a look in
/var/etc/syslog.dat the configuration file there.
Using something like ELK ingesting the EVE JSON logs is a better solution. In most cybersecurity configurations, you don't want to keep logs on the firewall anyway, at least not the longer term ones. They are usually sent over to a third-party system optimized for logging and data reporting.
@jasonau as bmeeks says, the eve json log lines are usually too long for the default freebsd syslog (because of its adherence to RFC5424). That restriction cannot be changed without recompiling.
You can instead write the eve logs to file, and forward that to your logstash instance using syslog-ng (pfsense package). In suricata settings, set log eve json to file.
For the elastic side, you might be interested in the pfelk project which includes a logstash pipeline configuration and templates for suricata.