export pfBlocker logs incl feed name via syslog.



  • Is it possible to export the logs with the feed name?
    Currently I export the pfSense firewall log to an ELK stack; it would be nice to see which feed triggered the block.

    Thanks in advance


  • Moderator



  • Hi BBcan177

    Thanks for the link. I managed to set up Telegraf and export the logs to Elasticsearch; one firewall, however, is breaking the GROK pattern: there is a double comma (,,) in the log file. Here is a sample; look towards the end, just before the ASN field. I would expect the interface name vtnet0 must be there.

    Jun 14 22:07:40,1770010075,vtnet0,WAN,block,4,6,TCP-S,211.54.163.21,10.67.11.107,18959,52869,in,KR,pfB_PRI1_v4,211.54.163.21,CINS_army_v4,Unknown,,| 4766 | KIXS-AS-KR | Korea Telecom |,+
    Jun 14 22:07:40,1770010289,vtnet0,WAN,block,4,6,TCP-S,190.151.94.2,10.67.11.138,45327,25,in,CL,pfB_PRI3_v4,190.151.94.2,BlockListDE_All_v4,Unknown,,| 6471 | ENTEL CHILE S.A. | ENTEL CHILE S.A. |,+
    Jun 14 22:07:40,1770010075,vtnet0,WAN,block,4,6,TCP-S,185.176.27.2,10.67.11.207,47411,53389,in,RU,pfB_PRI1_v4,185.176.26.0/23,ET_Block_v4,Unknown,,| 204428 | SS-Net | SS-Net |,+
    Jun 14 22:07:42,1770010075,vtnet0,WAN,block,4,6,TCP-S,111.252.72.147,10.67.11.105,27223,37215,in,TW,pfB_PRI1_v4,111.252.72.147,CINS_army_v4,111-252-72-147.dynamic-ip.hinet.net,,| 3462 | HINET | Data Communication Business Group |,+
    Jun 14 22:07:42,1770010075,vtnet0,WAN,block,4,6,TCP-S,71.6.233.211,10.67.11.141,2083,2083,in,US,pfB_PRI1_v4,71.6.233.0/24,CINS_army_v4,scanners.labs.rapid7.com,,| 10439 | CARINET | CariNet Inc. |,+
    Jun 14 22:07:43,1770010099,vtnet0,WAN,block,4,6,TCP-S,199.101.124.79,10.67.11.115,16631,37215,in,US,pfB_PRI2_v4,199.101.124.79,Alienvault_v4,199-101-124-79-dynamic.northstate.net,,| 22709 | NSTELCO | North State Telephone Co. |,+

    Thanks


  • Moderator

    @jacol said in export pfBlocker logs incl feed name via syslog.:

    Thanks for the link. I managed to set up Telegraf and export the logs to Elasticsearch; one firewall, however, is breaking the GROK pattern: there is a double comma (,,) in the log file. Here is a sample; look towards the end, just before the ASN field. I would expect the interface name vtnet0 must be there.

    Jun 14 22:07:40,1770010075,vtnet0,WAN,block,4,6,TCP-S,211.54.163.21,10.67.11.107,18959,52869,in,KR,pfB_PRI1_v4,211.54.163.21,CINS_army_v4,Unknown,,| 4766 | KIXS-AS-KR | Korea Telecom |,+

    That missing log entry is the "Hostname". If it's not found, it should log "Unknown".

    Can you run this test and report back on the output of the command? It should contain the Hostname for that Local IP:

    Go to pfSense > Diagnostics > Command Prompt > Execute PHP Commands, paste the following two lines in the box and hit "Execute":

    include_once('/usr/local/pkg/pfblockerng/pfblockerng.inc');
    print_r(pfb_collect_localhosts());
    

    I assume that IP is not listed, so we need to see why it doesn't have a Hostname.

    Alternatively, the GROK pattern could probably see that it's an empty field. I haven't had time to play with it, so I can't offer much assistance there...
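The blank field the moderator points at (the local hostname) is exactly what breaks a pattern that demands a non-empty token between two commas. As an added example, not from this thread or from pfBlockerNG itself, here is a Python parser for lines of the shape posted above that tolerates the blank field and tallies blocks per feed (the original question); the column names are my assumption from the sample's layout, since the thread only confirms the interface, feed, hostname and ASN columns, and the third sample line is constructed with the hostname filled in.

```python
from collections import Counter

# Column names are assumed from the sample's layout; the thread itself only
# confirms the interface (vtnet0), feed (e.g. CINS_army_v4), local hostname
# (the blank field) and ASN columns.
FIELDS = [
    "timestamp", "rule_id", "interface", "interface_name", "action",
    "ip_version", "protocol_id", "protocol", "src_ip", "dst_ip",
    "src_port", "dst_port", "direction", "geoip", "alias", "matched_cidr",
    "feed", "resolved_hostname", "local_hostname", "asn_raw", "dup_flag",
]
ASN_INDEX = FIELDS.index("asn_raw")

# Constructed sample: two lines in the shape posted in the thread (blank local
# hostname, i.e. the ",,") plus one with the hostname resolved.
SAMPLE_LINES = [
    "Jun 14 22:07:40,1770010075,vtnet0,WAN,block,4,6,TCP-S,211.54.163.21,10.67.11.107,18959,52869,in,KR,pfB_PRI1_v4,211.54.163.21,CINS_army_v4,Unknown,,| 4766 | KIXS-AS-KR | Korea Telecom |,+",
    "Jun 14 22:07:43,1770010099,vtnet0,WAN,block,4,6,TCP-S,199.101.124.79,10.67.11.115,16631,37215,in,US,pfB_PRI2_v4,199.101.124.79,Alienvault_v4,199-101-124-79-dynamic.northstate.net,,| 22709 | NSTELCO | North State Telephone Co. |,+",
    "Jun 14 22:07:43,1770010099,vtnet0,WAN,block,4,6,TCP-S,199.101.124.79,10.67.11.115,16631,37215,in,US,pfB_PRI2_v4,199.101.124.79,Alienvault_v4,199-101-124-79-dynamic.northstate.net,unifi,| 22709 | NSTELCO | North State Telephone Co. |,+",
]

def parse_pfblocker_line(line: str) -> dict:
    """Split one pfBlockerNG syslog line into named fields, tolerating a blank hostname."""
    parts = line.rstrip("\r\n").split(",")
    if len(parts) < len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    # The ASN column is free text, so if an org name ever carried a comma the
    # split would over-count; re-join everything between the hostname and the flag.
    fixed = parts[:ASN_INDEX] + [",".join(parts[ASN_INDEX:-1]), parts[-1]]
    rec = dict(zip(FIELDS, fixed))
    # A blank value between two commas is legal here: a GROK pattern must use a
    # zero-width-tolerant token such as [^,]* (not [^,]+) for this column.
    rec["local_hostname"] = rec["local_hostname"] or None
    # "| 4766 | KIXS-AS-KR | Korea Telecom |" -> number, name, organisation
    asn_parts = [p.strip() for p in rec["asn_raw"].strip("|").split("|")]
    rec["asn"], rec["asn_name"], rec["asn_org"] = (asn_parts + [""] * 3)[:3]
    return rec

def blocks_per_feed(lines) -> Counter:
    """Tally block events by the feed that matched, which is what the OP wants to see in ELK."""
    return Counter(parse_pfblocker_line(l)["feed"] for l in lines if l.strip())

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = parse_pfblocker_line(line)
        print(r["src_ip"], r["feed"], r["local_hostname"], r["asn"], r["asn_org"])
    print(dict(blocks_per_feed(SAMPLE_LINES)))
```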



  • Hi BBcan177

    Output below:

    Array
    (
    [126.38.200.66] => <------- this is the WAN interface
    [10.67.11.1] => lan
    [10.67.14.1] => opt1
    [192.168.4.1] => opt2
    [10.2.2.1] => opt3
    [149.232.195.165] => opt4
    [113.150.207.208] => thebeach
    [10.67.11.18] => ts
    [10.67.11.133] => twitter
    [10.67.11.115] => unifi
    [10.67.11.106] => unimed
    [10.67.11.28] => vetmaster <------- this host defined under DNS resolver with Description
    [46.161.73.84] => <------- this host defined under DNS resolver with OUT Description
    [10.67.11.128] =>
    [10.67.11.105] =>
    [10.67.11.118] =>
    [10.67.11.134] =>
    [10.67.11.137:25] =>
    }

    I had a hostname defined under DNS Resolver, but no REMARK; after I added a remark it seems to work correctly.

    Many thanks!

