Filebeat needed
-
I want to output my pfSense logs/alerts to Security Onion Elastic Stack (logstash/kibana). How is this done in an efficient manner? I would expect to do it with filebeat. Do I have to compile filebeat from FreeBSD source?
-
Usually you would just use syslog:
https://www.netgate.com/docs/pfsense/monitoring/copying-logs-to-a-remote-host-with-syslog.htmlThere something you can;t do with that? A huge log volume maybe?
Steve
-
stephenw10: Thanks for the response. No syslog is way too large and full of noise plus it takes us too much space on the sensor. ELK (now elastic stack) uses filebeat to normalize alerts and system events into elastic. Works fine on WIndows servers and Linux servers. Why can't I find a filebeat binary or script to compile from source for pfSense? Where are the pfSense users who are exporting alerts/log summary into Elastic Stack?
-
You can probably install filebeat from the FreeBSD repos but it looks like it can't read circular logs anyway:
https://forum.netgate.com/topic/116957/filebeat-and-clog-circular-logging-formatStill not really understood why you cannot send the logs via syslog though. pfSense is the sensor in this case, the logs are already there....
Steve
-
You want the utility sysutils/beats that can be found in the FreeBSD ports repository. Here is a link to some info about the package: https://www.freshports.org/sysutils/beats/. However, as @stephenw10 indicated, the package may have issues ingesting the circular log format of the clog client used in pfSense.
-
Filebeat now can take syslog udp input and transport over tcp tls.
Use this install script i have made and just set pfsense to syslog to 127.0.0.1:9000https://github.com/Noebas/pfsense-filebeat
I can confirm filebeat is not compatible with clog, but running trough syslog works fine for me.
Also the config includes snort and pfblockerng logging
