ELK for OPNsense

[spetrillo]

Hello all,

I have been reading about PFELK, which combines the Elasticsearch stack for PFsense, so you can visualize the data coming from your PFsense firewall. There are some things that it is compatible with OPNsense, with some tweaks, but so far I have not been able to get it to work with OPNsense. Has anyone gone down the rabbit hole of ELK with OPNsense?

Thanks,
Steve

[mimugmail]

There is a howto for OPNsense too and I heard from some customers they have it running in production

[spetrillo]

There is a howto for OPNsense too and I heard from some customers they have it running in production

Would you happen to have a link to the OPNsense howto?

[mimugmail]

Its on GitHub

https://github.com/pfelk/pfelk/blob/main/install/ubuntu.md

[BeNe]

Because i just saw the post. We integrated the NGINX logs into pfELK last week and created also a dashboard for it.

And of course pfELK works with OPNsense and pfSense.
There are several ways to install pfELK. Through a script for automatic installation, a Docker setup or an Ansible playbook.

Just check the readme --> https://github.com/pfelk/pfelk

[jclendineng]

Can confirm, it works for opnsense. Im not currently using as it takes more resources and time than I as a home user have at the moment, but Ive been following that guide for years as its expanded and gotten better, its a fantastic resource and if you have the cpu/ram to spare in your servers, id highly recommend using it just to learn about ELK.  As a side note, you can dockerize it as well, if that floats your boat.

[beneix]

Reviving this thread instead of starting a new one. I am trying to install pfELK on a machine on my LAN (following the how-to for docker-compose) and have a couple of questions:

1. My machine has modest hardware so I'd like to maximise performance. I thought that it would be a good idea to run pfELK on a single-node setup, so I wanted to modify the docker-compose.yml file accordingly. The only instruction I found on Github was to modify /etc/elasticsearch/elasticsearch.yml, but a) that file does not exist before you start the install and b) I would have thought that docker-compose.yml also needs to be modified. Do I need to change the create certs and environment sections, and if so how? Alternatively, if running three nodes does not consume more resources than a single node, please let me know.

2. Also, I'd like to set up MaxMind, and I'd like to do it on Docker since my machine is running Alpine Linux and I don't think there is a repository for MaxMind available. I have found a Docker container for the purpose, but I am not sure exactly how pfElk speaks to MaxMind so I need some more info to make sure the two can communicate. The pfELK how-to for MaxMind does not mention the required interface with MaxMind so I don't know what the prerequisite is when not installing MaxMind in the standard way.

[jclendineng]

Reviving this thread instead of starting a new one. I am trying to install pfELK on a machine on my LAN (following the how-to for docker-compose) and have a couple of questions:

1. My machine has modest hardware so I'd like to maximise performance. I thought that it would be a good idea to run pfELK on a single-node setup, so I wanted to modify the docker-compose.yml file accordingly. The only instruction I found on Github was to modify /etc/elasticsearch/elasticsearch.yml, but a) that file does not exist before you start the install and b) I would have thought that docker-compose.yml also needs to be modified. Do I need to change the create certs and environment sections, and if so how? Alternatively, if running three nodes does not consume more resources than a single node, please let me know.

2. Also, I'd like to set up MaxMind, and I'd like to do it on Docker since my machine is running Alpine Linux and I don't think there is a repository for MaxMind available. I have found a Docker container for the purpose, but I am not sure exactly how pfElk speaks to MaxMind so I need some more info to make sure the two can communicate. The pfELK how-to for MaxMind does not mention the required interface with MaxMind so I don't know what the prerequisite is when not installing MaxMind in the standard way.

Just use this:

https://github.com/pfelk/pfelk

Note that under 16gb of ram you could crash the entire system.  You need a min 8gb just for ELK, 16 would be better, plus whatever overhead the host system needs.  You don't want to do this if you don't have the resources as it will not be a fun time for you...