andr6 · January 18, 2019 14:04 · Nov 14, 2014
diff --git a/pfsense-logstash.conf b/pfsense-logstash.conf
@@ -0,0 +1,88 @@
+input {
+    tcp {
+        type => syslog
+        port => 514
+    }
+    udp {
+        type => syslog
+        port => 514
+    }
+}
+
+filter {
+    if [host] =~ /10\.0\.50\.1/ {
+	mutate {
+        add_tag => ["PFSense", "Ready"]
+      }
+grok {
+                  add_tag => [ "firewall" ]
+                  match => [ "message", "<(?<evtid>.*)>(?<datetime>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) (?<prog>.*?): (?<msg>.*)" ]
+              }
+              mutate {
+                  gsub => ["datetime","  "," "]
+              }
+              date {
+                  match => [ "datetime", "MMM dd HH:mm:ss" ]
+              timezone => "Europe/London"
+              }
+              mutate {
+                  replace => [ "message", "%{msg}" ]
+              }
+              mutate {
+                  remove_field => [ "msg", "datetime" ]
+              }
+          }
+          if [prog] =~ /^pf$/ {
+              mutate {
+                  add_tag => [ "packetfilter" ]
+              }
+              multiline {
+                  pattern => "^\s+|^\t\s+"
+                  what => "previous"
+              }
+              mutate {
+                  remove_field => [ "msg", "datetime" ]
+                  remove_tag => [ "multiline" ]
+              }
+              grok {
+                  match => [ "message", "rule (?<rule>.*)\(.*\): (?<action>pass|block) (?<direction>in|out).* on (?<iface>.*): .* proto (?<proto>TCP|UDP|IGMP|ICMP) .*\n\s*(?<src_ip>(\d+\.\d+\.\d+\.\d+))\.?(?<src_port>(\d*)) [<|>] (?<dest_ip>(\d+\.\d+\.\d+\.\d+))\.?(?<dest_port>(\d*)):" ]
+              }
+
+
+
+              if [prog] =~ /^dhcpd$/ {
+              if [message] =~ /^DHCPACK|^DHCPREQUEST|^DHCPOFFER/ {
+                  grok {
+                      match => [ "message", "(?<action>.*) (on|for|to) (?<src_ip>[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]) .*(?<mac_address>[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]).* via (?<iface>.*)" ]
+                  }
+              }
+              if [message] =~ /^DHCPDISCOVER/ {
+                  grok {
+                      match => [ "message", "(?<action>.*) from (?<mac_address>[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]).* via (?<iface>.*)" ]
+                  }
+              }
+              if [message] =~ /^DHCPINFORM/ {
+                  grok {
+                      match => [ "message", "(?<action>.*) from (?<src_ip>.*).* via (?<iface>.*)" ]
+                  }
+              }
+
+          }
+
+
+          }
+          geoip {
+            database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
+            add_tag => [ "GeoIP" ]
+            source => "src_ip"
+            }
+      }
+
+
+
+
+
+output {
+  elasticsearch { host => localhost }
+  stdout { codec => rubydebug }
+}