OPNsense and Graylog

[Sugarfly]

Hello.

I feel stupid.
My OPNsense is up and running.
I setup a graylog server because I found it hard to work with the logginginterface from the OPNsense. (maybe that is my real problem)
So now my greylog server is getting the logs from the OPNsene but it is impossible to work with that input.

For example my graylog get this input en mass:

2017-03-14 10:19:12.000   filterlog:
filterlog: 57,16777216,,0,em0,match,pass,out,4,0x0,,63,35571,0,DF,17,udp,74, {MY IP} ,8.8.8.8,30480,53,54

but I can't search or filter because this is a single line of data.

Is there anything wrong with the OPNsense sending the data?
Does anyone know wich field is what information?

[fabian]

There is nothing wrong with the log line. There is only one issue in your setup: You are collecting the logs but you are not processing it. As a hint: There is a software called Logstash which can manipulate logging data (for example add field information) and put it into another output like an elastic search server which can be queried by kibana.
Another hint: If you read the Line from left to right, you will find out, that the left are system information and then it will be the data from layer 1 to layer 4. Note that the lines look different in case of IPv6.

[Nnyan]

Soon as I have some time I want to spin up a VM and install an ELK (Elasticsearch, Logstash, and Kibana) Stack on it.  I don't know the differences between greylog and Kibana so I don't know which one would better suit your needs. I was planning on using the Bitnami ELK stack since they have an OVA.

[xiaotuzi]

Did you get the Elk stack up and running ?

[MasterXBKC]

Just throwing this out there, I developed PFMonitor for just this very reason, it not only captures the data, but indexes it, makes it searchable, and cross-reference able.

https://pfmonitor.com