I'm relatively new to the Elastic Stack, so this guide using Logstash was great to help me get started. A colleague of mine told me about Filebeat about a week ago and how it was a much more lightweight approach than Logstash, so I started to dig in. I just wrapped up my configuration here (for now).

On pfSense, I am running Filebeat with the system module to collect syslog data (filterlog, dhcpd, unbound, openvpn) and the suricata module to collect Suricata EVE logs. I'm also running Packetbeat to collect metrics. Both beats deliver results directly to Elasticsearch without requiring the additional overhead of Logstash. Softflowd is also running on pfSense, but it's shipping the IPFIX data directly to a Filebeat running on my monitoring node, where it's processed with the netflow module.

There were a few really tricky pieces to this:

- Compiling Beats natively on FreeBSD. There were a few guides that got me most of the way there, but this was a lot trickier than it seems, since the latest version of Beats (7.6.1) is not being actively maintained for BSD.
- Getting syslog ingested properly. It seems that the normal syslog formats things REALLY weird, and I couldn't get them ingested properly. So I installed the syslog-ng module and configured pfSense to deliver syslogs locally to syslog-ng, which is then dumping them to file so that Filebeat can pick them up.
- Parsing the messages. Even with Filebeat's system module, I wanted more information from the logs than just the normal syslog message. This is normally where Logstash would come into play, but luckily Filebeat supports grok processors in its ingest pipelines. I was able to modify the standard syslog pipeline and add specifics for the individual pfSense processes, so now my logs look just like what Logstash was showing. I've attached the modified syslog pipeline module that parses pfSense logs using grok.
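As an added example (this is not the author's attached pipeline module, which is not reproduced here), the Python below does in plain code what the grok pipeline does for the filterlog lines: it strips the BSD-style syslog wrapper that syslog-ng writes to the file and splits the filterlog CSV payload into named fields, then runs a small "inbound block" check over the result so you can see the structured fields being used. The sample lines, the syslog-ng line format, and the field layout (pfSense's 2.2+ filterlog format as I recall it) are assumptions; check them against your own pfSense version before trusting the field names.

```python
"""Added example: structured parsing of pfSense filterlog lines as they land in
the syslog-ng output file. Not the author's pipeline; the sample lines and the
field layout below are assumptions."""
import re
from typing import Dict, List, Optional, Tuple

# BSD-style syslog line as syslog-ng writes it to a file (assumed template):
# "Mar 14 10:22:01 pfSense filterlog[12345]: <csv payload>"
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)

# filterlog CSV layout (pfSense 2.2+ format as I recall it; assumed here).
COMMON = ["rule_number", "sub_rule_number", "anchor", "tracker", "interface",
          "reason", "action", "direction", "ip_version"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protocol_id",
        "protocol", "length", "source_ip", "destination_ip"]
IPV6 = ["class", "flow_label", "hop_limit", "protocol", "protocol_id",
        "length", "source_ip", "destination_ip"]
TCP = ["source_port", "destination_port", "data_length", "tcp_flags",
       "sequence_number", "ack_number", "window", "urg", "options"]
UDP = ["source_port", "destination_port", "data_length"]

# Constructed sample lines (RFC 5737 addresses), not real pfSense output.
SAMPLE_LINES = [
    "Mar 14 10:22:01 pfSense filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,"
    "0x0,,64,12345,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51234,22,0,S,1234567890,,"
    "65535,,mss;sackOK;TS;nop;wscale",
    "Mar 14 10:22:02 pfSense filterlog[12345]: 100,,,1000000200,igb1,match,pass,out,4,"
    "0x0,,63,0,0,none,17,udp,76,192.0.2.10,198.51.100.1,55001,53,56",
    "Mar 14 10:22:03 pfSense dhcpd[2211]: DHCPACK on 192.0.2.50 to 00:11:22:33:44:55 via igb1",
]


def parse_syslog(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split the syslog wrapper into timestamp/host/program/pid/message."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def parse_filterlog(message: str) -> Dict[str, str]:
    """Map the filterlog CSV payload onto named fields.

    The layout branches on ip_version and then on protocol; anything that is
    left over (ICMP, unknown protocols) is kept under "_unparsed" rather than
    silently dropped, so a pipeline author can see what still needs a pattern.
    """
    parts = message.split(",")
    fields = dict(zip(COMMON, parts))
    rest = parts[len(COMMON):]
    layout = {"4": IPV4, "6": IPV6}.get(fields.get("ip_version", ""))
    if layout is None:
        fields["_unparsed"] = ",".join(rest)
        return fields
    fields.update(zip(layout, rest))
    rest = rest[len(layout):]
    l4 = {"tcp": TCP, "udp": UDP}.get(fields.get("protocol", ""))
    if l4 is not None:
        fields.update(zip(l4, rest))
        rest = rest[len(l4):]
    if rest:
        fields["_unparsed"] = ",".join(rest)
    return fields


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a flat event dict for a filterlog line, None for any other program."""
    hdr = parse_syslog(line)
    if hdr is None or hdr["program"] != "filterlog":
        return None
    event = {k: v for k, v in hdr.items() if k != "message" and v is not None}
    event.update(parse_filterlog(hdr["message"] or ""))
    return event


def blocked_inbound(lines: List[str]) -> List[Tuple[str, str]]:
    """(source_ip, destination_port) for every inbound block decision."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev.get("action") == "block" and ev.get("direction") == "in":
            hits.append((ev.get("source_ip", ""), ev.get("destination_port", "")))
    return hits


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_line(sample))
    print(blocked_inbound(SAMPLE_LINES))
```

The "_unparsed" field is the part worth copying into a real pipeline: when the grok or dissect pattern does not cover a protocol, keeping the remainder visible in a field makes the gap show up in Kibana instead of vanishing.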