OPNSense with Elastic pfSense integration Date format

Started by ealbright, July 06, 2022, 04:55:15 PM

I have recently moved from an on-premise Elastic SIEM to a cloud-based solution.  When I was running the on-premise stack, I used an integration from GitHub, https://github.com/pfelk/pfelk.  I had no issues with the integration.  On the cloud version of Elastic, there is an integration based on the GitHub project called pfsense logs.  The integration has OPNSense listed as being supported, but I'm running into an issue where the date in the filter log is in a different format than what is expected.

My firewall output is this:

<134>1 2022-06-09T14:44:11-06:00 firewall.opnsense.net filterlog 76404 - [meta sequenceId="1"] 124,,,fae559338f65e11c53669fc3642c93c2,ixl1_vlan70,match,pass,out,4,0x0,,63,5687,0,DF,6,tcp,60,192.168.100.99,10.62.0.75,40370,80,0,S,3364871769,,65535,,mss;sackOK;TS;nop;wscale

The expected is:

<134>Jan 1 02:21:38 firewall.opnsense.net filterlog[97530]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,12617,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49724,853,0,S,1891286705,,64240,,mss;sackOK;TS;nop;wscale

I have tried switching the logging to RFC5424 and I saw no change in the log output.  I did make sure to restart the syslog-ng service after saving and applying the config change.

Is there a way to change the date format in the filter log?

Thanks!
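One way to make an ingest stage tolerant of both header styles shown above, added here as an example and not code from this thread, from pfelk, or from the Elastic pfsense integration: detect whether the syslog header is RFC 5424 or RFC 3164, normalise the timestamp to UTC, and only then split the filterlog CSV payload into named fields. The two sample lines are constructed to match the shapes quoted in the post; the field layout covers IPv4 with TCP or UDP, which is what those lines use. Because an RFC 3164 header carries neither a year nor a timezone, the year is passed in by the caller and the time is taken as UTC, both of which are assumptions of this example rather than anything the thread states.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the two shapes quoted in the thread:
# the RFC 5424 header OPNsense emits and the RFC 3164 header the integration expects.
RFC5424_LINE = (
    '<134>1 2022-06-09T14:44:11-06:00 firewall.opnsense.net filterlog 76404 - '
    '[meta sequenceId="1"] 124,,,fae559338f65e11c53669fc3642c93c2,ixl1_vlan70,match,pass,out,'
    '4,0x0,,63,5687,0,DF,6,tcp,60,192.168.100.99,10.62.0.75,40370,80,0,S,3364871769,,65535,,'
    'mss;sackOK;TS;nop;wscale'
)
RFC3164_LINE = (
    '<134>Jan 1 02:21:38 firewall.opnsense.net filterlog[97530]: 146,,,1535324496,igb1.12,'
    'match,block,in,4,0x0,,63,12617,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49724,853,0,S,'
    '1891286705,,64240,,mss;sackOK;TS;nop;wscale'
)

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) '
    r'(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) (?P<msg>.*)$'
)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG  (no year, no timezone)
RFC3164_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<app>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$'
)

# filterlog CSV layout, IPv4 with TCP/UDP only, in the order the sample lines show
FIELDS_COMMON = ['rule', 'subrule', 'anchor', 'tracker', 'interface',
                 'reason', 'action', 'direction', 'ipver']
FIELDS_IPV4 = ['tos', 'ecn', 'ttl', 'id', 'offset', 'flags',
               'proto_id', 'proto', 'length', 'src', 'dst']
FIELDS_TCP = ['srcport', 'dstport', 'datalen', 'tcpflags', 'seq',
              'ack', 'window', 'urg', 'options']
FIELDS_UDP = ['srcport', 'dstport', 'datalen']


def parse_syslog_header(line, assumed_year=2022):
    """Parse either header style and return a dict with a UTC ISO timestamp."""
    m = RFC5424_RE.match(line)
    if m:
        # RFC 5424 timestamps carry their own offset, so the UTC conversion is exact
        ts = datetime.fromisoformat(m['ts']).astimezone(timezone.utc)
        fmt, pid = 'rfc5424', (None if m['pid'] == '-' else m['pid'])
    else:
        m = RFC3164_RE.match(line)
        if not m:
            raise ValueError('not a syslog line in either format: %r' % line[:40])
        # Assumption: RFC 3164 has no year and no zone, so the caller supplies the
        # year and the time is treated as UTC (a real collector would use the sender's zone)
        clean = re.sub(r' +', ' ', m['ts'])
        ts = datetime.strptime('%s %d' % (clean, assumed_year),
                               '%b %d %H:%M:%S %Y').replace(tzinfo=timezone.utc)
        fmt, pid = 'rfc3164', m['pid']
    pri = int(m['pri'])
    return {
        'format': fmt,
        'facility': pri >> 3,   # <134> -> 16 (local0)
        'severity': pri & 7,    # <134> -> 6 (informational)
        'timestamp': ts.isoformat(),
        'host': m['host'],
        'app': m['app'],
        'pid': pid,
        'msg': m['msg'],
    }


def parse_filterlog(msg):
    """Split the filterlog CSV payload into named fields (IPv4, TCP/UDP subset)."""
    parts = msg.split(',')  # the options field uses ';', so a plain split is safe here
    rec = dict(zip(FIELDS_COMMON, parts[:len(FIELDS_COMMON)]))
    rest = parts[len(FIELDS_COMMON):]
    if rec.get('ipver') != '4':
        rec['unparsed'] = rest  # IPv6 uses a different layout; not handled in this example
        return rec
    rec.update(zip(FIELDS_IPV4, rest[:len(FIELDS_IPV4)]))
    rest = rest[len(FIELDS_IPV4):]
    if rec.get('proto') == 'tcp':
        rec.update(zip(FIELDS_TCP, rest))
    elif rec.get('proto') == 'udp':
        rec.update(zip(FIELDS_UDP, rest))
    else:
        rec['unparsed'] = rest
    return rec


def parse_filter_event(line, assumed_year=2022):
    """Header plus payload; non-filterlog messages come back with the header only."""
    event = parse_syslog_header(line, assumed_year)
    if event['app'] == 'filterlog':
        event['filter'] = parse_filterlog(event['msg'])
    return event


if __name__ == '__main__':
    for sample in (RFC5424_LINE, RFC3164_LINE):
        e = parse_filter_event(sample)
        print(e['format'], e['timestamp'], e['filter']['action'],
              e['filter']['src'], '->', e['filter']['dst'], e['filter']['dstport'])
```

The point for a SIEM owner is that a pipeline whose grok pattern only matches one header style does not merely mislabel events; the unmatched lines are dropped or tagged as parse failures, so every pass/block decision from the firewall silently disappears from dashboards and detections until someone notices. Keeping a count of header-format mismatches per host is a cheap check for that blind spot.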

The logging you have IS RFC5424.  The logging you're looking for is RFC3164 which was the old default.  I have a feeling based on the changelog that RFC5424 is now the default, and that checkbox probably needs to switch to RFC3164 as an option.

@franco

I can't shake the feeling that a syslog aggregator should be able to parse different date formats?


Cheers,
Franco

Agreed, and it looks like there is an option to accept 5424 in pfelk.  That being said, is there some reason that having 3164 as optional is a problem?

And whether or not 3164 is added back in as optional, I would assume still having the 5424 option as a checkbox is a bug, no?  If 5424 is the default, the checkbox to enable it does nothing at this point.