OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Archive »
  • 22.1 Legacy Series »
  • OPNSense with Elastic pfSense integration Date format
« previous next »
  • Print
Pages: [1]

Author Topic: OPNSense with Elastic pfSense integration Date format  (Read 1968 times)

ealbright

  • Newbie
  • *
  • Posts: 3
  • Karma: 0
    • View Profile
OPNSense with Elastic pfSense integration Date format
« on: July 06, 2022, 04:55:15 pm »
I have recently moved from an on-premise Elastic SIEM to a cloud based solution.  When I was running the on-premise stack, I used an integration from github https://github.com/pfelk/pfelk.  I had no issues with the integration.  On the cloud version of Elastic, there is a integration based on the github project called pfsense logs.  The integration has OPNSense listed as being supported but I'm running into an issue where the date in the filter log is in a different format than what is expected.

My firewall output is this:

<134>1 2022-06-09T14:44:11-06:00 firewall.opnsense.net filterlog 76404 - [meta sequenceId="1"] 124,,,fae559338f65e11c53669fc3642c93c2,ixl1_vlan70,match,pass,out,4,0x0,,63,5687,0,DF,6,tcp,60,192.168.100.99,10.62.0.75,40370,80,0,S,3364871769,,65535,,mss;sackOK;TS;nop;wscale

The expected is:

<134>Jan 1 02:21:38 firewall.opnsense.net filterlog[97530]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,12617,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49724,853,0,S,1891286705,,64240,,mss;sackOK;TS;nop;wscale

I have tried switching the logging to the RFC5424 and I saw no change in the log output.  I did make sure to restart the syslogng service after saving and applying the config change.

Is there a way to change the date format in the filter log?

Thanks!
Logged

SFC

  • Newbie
  • *
  • Posts: 30
  • Karma: 3
    • View Profile
Re: OPNSense with Elastic pfSense integration Date format
« Reply #1 on: July 08, 2022, 06:33:20 pm »
The logging you have IS RFC5424.  The logging you're looking for is RFC3164 which was the old default.  I have a feeling based on the changelog that RFC5424 is now the default, and that checkbox probably needs to switch to RFC3164 as an option.

@franco
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 17661
  • Karma: 1611
    • View Profile
Re: OPNSense with Elastic pfSense integration Date format
« Reply #2 on: July 11, 2022, 09:02:01 am »
I can't shake the feeling that a syslog aggregator should be able to parse different date formats?


Cheers,
Franco
Logged

SFC

  • Newbie
  • *
  • Posts: 30
  • Karma: 3
    • View Profile
Re: OPNSense with Elastic pfSense integration Date format
« Reply #3 on: July 11, 2022, 04:51:28 pm »
Agreed, and it looks like there is an option to accept 5424 in pfelk.  That being said, is there some reason that having 3164 as optional is a problem?

And whether or not 3164 is added back in as optional, I would assume still having the 5424 option as a checkbox is a bug, no?  If 5424 is the default, the checkbox to enable it does nothing at this point.
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • Archive »
  • 22.1 Legacy Series »
  • OPNSense with Elastic pfSense integration Date format
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2