    Filebeat needed

    General pfSense Questions
    netfoo:

      I want to output my pfSense logs/alerts to Security Onion Elastic Stack (logstash/kibana). How is this done in an efficient manner? I would expect to do it with filebeat. Do I have to compile filebeat from FreeBSD source?

      stephenw10 (Netgate Administrator):

        Usually you would just use syslog:
        https://www.netgate.com/docs/pfsense/monitoring/copying-logs-to-a-remote-host-with-syslog.html

        Is there something you can't do with that? A huge log volume maybe?

        Steve

        netfoo:

          stephenw10: Thanks for the response. No, syslog is way too large and full of noise, plus it takes up too much space on the sensor. ELK (now Elastic Stack) uses filebeat to normalize alerts and system events into Elastic. Works fine on Windows servers and Linux servers. Why can't I find a filebeat binary or script to compile from source for pfSense? Where are the pfSense users who are exporting alerts/log summaries into Elastic Stack?

          stephenw10 (Netgate Administrator):

            You can probably install filebeat from the FreeBSD repos but it looks like it can't read circular logs anyway:
            https://forum.netgate.com/topic/116957/filebeat-and-clog-circular-logging-format

            Still don't really understand why you cannot send the logs via syslog though. pfSense is the sensor in this case, the logs are already there....

            Steve

            bmeeks:

              You want the utility sysutils/beats that can be found in the FreeBSD ports repository. Here is a link to some info about the package: https://www.freshports.org/sysutils/beats/. However, as @stephenw10 indicated, the package may have issues ingesting the circular log format of the clog client used in pfSense.

              Noebas:

                Filebeat can now take syslog UDP input and transport over TCP/TLS.
                Use this install script I have made and just set pfSense to syslog to 127.0.0.1:9000

                https://github.com/Noebas/pfsense-filebeat

                I can confirm filebeat is not compatible with clog, but running through syslog works fine for me.
                Also, the config includes Snort and pfBlockerNG logging.

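The arrangement Noebas describes above (pfSense's syslogd forwards to a local Filebeat listener, which then ships over TLS to Logstash, bypassing the clog circular files entirely) as an added filebeat.yml example. This is not taken from the linked install script or from the Netgate docs; the Logstash hostname, port 5044, the certificate paths, the `sensor` field value and the noise-filter pattern are all assumptions to be replaced with your own values. The pfSense side is the "Remote log servers" entry under Status > System Logs > Settings, pointed at 127.0.0.1:9000.

```yaml
# Added example filebeat.yml (not the page's or Noebas' script's own config).
# Filebeat listens for pfSense syslog on loopback and forwards to Logstash
# over TLS. Hostnames, ports, cert paths and filter patterns are assumptions.

filebeat.inputs:
  - type: syslog
    protocol.udp:
      # pfSense: Status > System Logs > Settings > Remote log servers = 127.0.0.1:9000
      host: "127.0.0.1:9000"
    tags: ["pfsense"]

processors:
  # Address the "too large and full of noise" concern before anything leaves the
  # box: drop events matching patterns you do not want in Elastic. The regexp
  # below is a placeholder assumption; tune it against your own log sample.
  - drop_event:
      when:
        or:
          - regexp:
              message: "^.*/usr/sbin/cron\\[.*"
  # Tag every event with which sensor it came from (assumed value).
  - add_fields:
      target: ""
      fields:
        sensor: "pfsense-edge"

output.logstash:
  hosts: ["logstash.securityonion.local:5044"]   # assumed Logstash host:port
  ssl.enabled: true
  # Mutual TLS: Logstash's CA, plus a client cert/key issued for this Filebeat.
  ssl.certificate_authorities: ["/usr/local/etc/filebeat/ca.crt"]
  ssl.certificate: "/usr/local/etc/filebeat/filebeat.crt"
  ssl.key: "/usr/local/etc/filebeat/filebeat.key"
  # "full" checks the server certificate chain and that the hostname matches;
  # do not relax this to "none" just to get a first connection working.
  ssl.verification_mode: "full"

logging.level: info
```

Two checks worth doing once this is in place: keep the Filebeat listener bound to 127.0.0.1 only (as above), since the syslog UDP input has no authentication and anything that can reach the port can inject log lines; and confirm in Filebeat's own log that the Logstash connection is established before trusting that events are flowing, because the UDP hop from syslogd to Filebeat will silently drop messages if Filebeat is not listening.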

                © 2021 Rubicon Communications, LLC | Privacy Policy