Netgate Discussion Forum
PFBlockerNG Log Parsing for syslog

Category: pfBlockerNG
5 Posts 3 Posters 3.8k Views
  vito, Aug 29, 2015, 2:16 PM (last edited Aug 29, 2015, 2:56 PM)

    We are sending pfSense to a syslog server (Kiwi).
    In Kiwi you can build a filter to parse the log and run rules against the results.
    I have been looking for something to scrape to parse pfBlockerNG logs (or alerts, more so) to send to a different display and a different log file.
    I was able to do this with Squid and Snort as both add a tag to the log, but I cannot find something constant for pfBlockerNG.
    I will assume I am missing something and I could just be blind.
    Thanks in advance.
    Vito

    BBcan177 (Moderator), last edited Aug 29, 2015, 3:17 PM

      Hi Vito,

      The pfblockerng.log is not easily parsed for a syslog… It's meant to be more informative than a single-line log. It also doesn't contain any alert information. That log contains the details about the downloads and summary information.

      The best is to use the firewall.log and parse that for the alerts. Unfortunately pfSense doesn't log the table name in the Alert. Not sure if the Devs are going to fix that or not... But that would make the syslog alerts more informative...  I log all my logs to Security Onion which uses ELSA. You could also do the same with ELK... A user posted a help link just yesterday:

      https://forum.pfsense.org/index.php?PHPSESSID=nmofscd1r7s1vmiuk4m4t1r4a7&topic=98740.0

      "Experience is something you don't get until just after you need it."

      Website: http://pfBlockerNG.com
      Twitter: @BBcan177  #pfBlockerNG
      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

      vito, last edited Aug 29, 2015, 3:39 PM

        Thanks!
        Yeah, I meant to add I was trying from the firewall.log
        :(
        I will take a look at the link you provided!

        Snort and Squid were pretty straightforward as I captured the word "snort" and "squid" from the message.
        It would be great if pfBlocker could add a header or something just to the message itself.
        (Mainly looking to parse the info from the alerts tab in pfBlockerNG)

        BBcan177 (Moderator), last edited Aug 29, 2015, 4:02 PM

          You can view the raw firewall log by the following command:

          clog /var/log/filter.log

          Here is the wiki pfSense doc for the log format in 2.2.x
          https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2

          Unfortunately each line doesn't have the table name, but it does reference the packet fence rule number. Those are at the start of the syslog line beginning with the "@" symbol…

          This command will show the existing Rule numbers for pfBNG:
          pfctl -vv -sr | grep 'pfB_'

          Execute the following command to get a list of the pf Rule numbers as a reference… Adding/Deleting rules might change the numbers, so I don't think it stays consistent with changes to the rules... I think in 2.2.4 this has been improved upon but I haven't fully tested it either...


          killmasta93, last edited Sep 3, 2015, 5:40 PM
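The mapping BBcan177 describes above (filter.log carries only the pf rule number, `pfctl -vv -sr` carries the pfB_ labels) can be joined in a few lines so that every pfBlockerNG hit leaves the box with a constant token a Kiwi or ELK filter can key on, which is what the original question asks for. The script below is an added example, not code from this thread or from pfBlockerNG itself. It assumes the pfSense 2.2 filterlog CSV layout from the wiki page linked above, and it assumes that `pfctl -vv -sr` prints each rule as `@N ... label "USER_RULE: pfB_<alias> auto rule" ridentifier <tracker>`; both sample inputs are constructed here, not captured from a real firewall, so verify the label and `ridentifier` wording against your own output. It also goes one step past the post: it keys on the tracker id (column 4 of the CSV) rather than on the `@N` number, because, as the post notes, rule numbers move when rules are added or deleted while the tracker does not.

```python
"""Tag pfSense 2.2.x filterlog lines with the pfBlockerNG list that fired.

Added example (not from the forum thread or the pfBlockerNG project).
Assumed, not verified here: the 'label "USER_RULE: pfB_... auto rule"' and
'ridentifier N' tokens in `pfctl -vv -sr` output. Sample data is constructed.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed stand-in for `pfctl -vv -sr | grep 'pfB_'` (assumed format).
SAMPLE_PFCTL = """\
@85 block drop in log quick on em0 inet from <pfB_Top_v4> to any label "USER_RULE: pfB_Top_v4 auto rule" ridentifier 1440000085
@92 block drop out log quick on em0 inet from any to <pfB_Youtube_v4> label "USER_RULE: pfB_Youtube_v4 auto rule" ridentifier 1440000092
"""

# Constructed syslog lines in the pfSense 2.2 filterlog CSV format. The 4th
# line shows rule 85 renumbered to 86 after a rule insert; its tracker is unchanged.
SAMPLE_SYSLOG = """\
Aug 29 10:15:01 pfsense filterlog: 85,16777216,,1440000085,em0,match,block,in,4,0x0,,64,54321,0,DF,6,tcp,60,203.0.113.9,192.0.2.10,44321,443,0,S,1234567,,65535,,mss
Aug 29 10:15:02 pfsense filterlog: 92,16777216,,1440000092,em0,match,block,out,4,0x0,,64,12,0,none,17,udp,78,192.0.2.10,198.51.100.7,51000,443,58
Aug 29 10:15:03 pfsense filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,64,1,0,none,17,udp,64,198.51.100.20,192.0.2.10,5353,5353,44
Aug 29 10:15:03 pfsense filterlog: 86,16777216,,1440000085,em0,match,block,in,4,0x0,,64,777,0,DF,6,tcp,60,203.0.113.9,192.0.2.10,44400,80,0,S,7654321,,65535,,mss
Aug 29 10:15:04 pfsense sshd[123]: Accepted publickey for admin from 192.0.2.5
"""

PFCTL_RE = re.compile(
    r'^@(?P<num>\d+)\s.*?label "(?P<label>[^"]*)"'
    r'(?:.*?\bridentifier (?P<tracker>\d+))?'
)
FILTERLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) filterlog: (?P<csv>.*)$'
)


def load_rule_map(pfctl_text: str) -> Tuple[Dict[int, str], Dict[int, str]]:
    """Build {rule_number: alias} and {tracker: alias} for pfB_ rules only."""
    by_num: Dict[int, str] = {}
    by_tracker: Dict[int, str] = {}
    for line in pfctl_text.splitlines():
        m = PFCTL_RE.match(line)
        if not m or "pfB_" not in m.group("label"):
            continue
        # Reduce 'USER_RULE: pfB_Top_v4 auto rule' to the alias name.
        alias = next(t for t in m.group("label").split() if t.startswith("pfB_"))
        by_num[int(m.group("num"))] = alias
        if m.group("tracker"):
            by_tracker[int(m.group("tracker"))] = alias
    return by_num, by_tracker


def parse_filterlog(line: str) -> Optional[dict]:
    """Parse one pfSense 2.2 filterlog syslog line; None for other programs."""
    m = FILTERLOG_RE.match(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    # Common prefix: rule,sub-rule,anchor,tracker,iface,reason,action,dir,ipver
    rec = {"ts": m.group("ts"), "rule": int(f[0]),
           "tracker": int(f[3]) if f[3] else None,
           "iface": f[4], "action": f[6], "direction": f[7]}
    if f[8] == "4":
        # IPv4: tos,ecn,ttl,id,offset,flags,proto-id,proto-text,length,src,dst
        rec.update(proto=f[16], src=f[18], dst=f[19])
        rest = f[20:]
    else:
        # IPv6: class,flow-label,hop-limit,proto-text,proto-id,length,src,dst
        rec.update(proto=f[12], src=f[15], dst=f[16])
        rest = f[17:]
    if rec["proto"] in ("tcp", "udp") and len(rest) >= 2:
        rec.update(sport=int(rest[0]), dport=int(rest[1]))
    else:
        rec.update(sport=None, dport=None)
    return rec


def tag_alert(line: str, by_num: Dict[int, str], by_tracker: Dict[int, str]) -> Optional[str]:
    """Return a 'pfBlockerNG ...' line for hits on a pfB_ rule, else None."""
    rec = parse_filterlog(line)
    if rec is None:
        return None
    # Tracker first: it survives renumbering; the @N number is only a fallback.
    alias = by_tracker.get(rec["tracker"]) or by_num.get(rec["rule"])
    if alias is None:
        return None
    src = rec["src"] if rec["sport"] is None else f'{rec["src"]}:{rec["sport"]}'
    dst = rec["dst"] if rec["dport"] is None else f'{rec["dst"]}:{rec["dport"]}'
    return (f'pfBlockerNG {rec["action"]} {rec["direction"]} {rec["iface"]} '
            f'{rec["proto"]} {src} -> {dst} rule={rec["rule"]} '
            f'tracker={rec["tracker"]} list={alias}')


def tag_all(syslog_text: str, pfctl_text: str) -> list:
    by_num, by_tracker = load_rule_map(pfctl_text)
    tagged = (tag_alert(l, by_num, by_tracker) for l in syslog_text.splitlines())
    return [t for t in tagged if t]


if __name__ == "__main__":
    for out in tag_all(SAMPLE_SYSLOG, SAMPLE_PFCTL):
        print(out)
```

Run it with real input by feeding `pfctl -vv -sr` output and the syslog stream in place of the two constructed samples; the constant leading token `pfBlockerNG` is then the fixed string a Kiwi filter (or a Logstash grok pattern) can match, the way "snort" and "squid" were matched earlier in the thread. Regenerate the rule map whenever pfBlockerNG reloads its rules, since the `@N` numbers in the fallback map go stale at that point.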

            Hey Vito, for ELK server logs, first disable all log capture by default and let pfBlockerNG do all the log reporting. Then in Kibana (ELK) you will see the rule it is filtering on, for example: rule 85 is blocking all of the top IPv4 list while rule 92 is blocking YouTube. See pictures.
            Hope this helps. I'm working now on filtering the syslog (system logs for pfSense) but it seems hopeless :-[

            [Attached screenshots: Clipboarder.2015.09.03-003.png, Clipboarder.2015.09.03-004.png, Clipboarder.2015.09.03-005.png, Clipboarder.2015.09.03-006.png]

            Tutorials:

            https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.