vRealize Log Insight Content Pack for PFSense Firewall Logs

A key piece of my homelab is a PFSense VM that I use for routing and firewall separation between my home network and the components nested snugly in my HP Z800 Workstation. PFSense supports sending Syslog messages for one, many or all of the services it hosts, so it was a simple matter of configuring a Syslog server in PFSense and watching the logs roll into vRealize Log Insight.

However, something I noticed was that vRealize Log Insight doesn’t have a content pack for PFSense. Not a problem, as vRealize Log Insight makes it incredibly easy to extract fields from the messages and turn them into powerful structured data. So that’s what I did, at least for the firewall messages that PFSense was sending. All up it took about 30 minutes to create the handful of extracted fields, and another few minutes to create some widgets for a dashboard.

Netgate provides great docs on PFSense. I was able to use them to identify the fields within the log message by reading the Raw Filter Log Format page.

Caveats

As I’m only running IPv4 in my network, I’ve only accounted for that traffic. My body (and homelab) isn’t ready for IPv6 yet so I’ve left it for the time being.
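As an added illustration (not part of the content pack or the original post), here is a small Python parser for the IPv4 filterlog layout the extracted fields are based on, mirroring the IPv4-only caveat above. The column order follows my reading of the Netgate Raw Filter Log Format page the post refers to; the sample syslog lines are constructed and use private / documentation address ranges.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real traffic) in the pfSense 2.4 "filterlog"
# CSV layout; field order follows the Netgate Raw Filter Log Format page.
SAMPLE_LINES = [
    "May 10 14:24:22 pfsense filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,17,udp,118,192.168.1.55,192.168.1.1,53,137,98",
    "May 10 14:24:23 pfsense filterlog: 9,,,1000000110,igb0,match,pass,out,4,0x0,,64,12345,0,DF,6,tcp,60,10.0.0.5,203.0.113.10,51234,443,0,S,2468013579,,65535,,mss;sackOK;TS;nop;wscale",
    "May 10 14:24:24 pfsense filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,119,4321,0,none,6,tcp,44,198.51.100.7,192.168.1.20,40000,23,0,S,1122334455,,1024,,mss",
    "May 10 14:24:25 pfsense filterlog: 5,,,1000000103,igb1,match,block,in,6,0x00,0,64,udp,17,80,fe80::1,ff02::1,546,547,80",
]

# Column names for the comma-separated body, per IP version / protocol.
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto", "length", "src", "dst"]
TCP = ["sport", "dport", "datalen", "tcpflags", "seq", "ack", "window", "urg", "options"]
UDP = ["sport", "dport", "datalen"]

# The syslog header varies between senders; anchor on the "filterlog:" program tag
# the same way a Log Insight extracted-field regex would.
BODY = re.compile(r"filterlog(?:\[\d+\])?:\s*(.*)$")

def parse_filterlog(line):
    """Return a dict of named fields, or None if the line is not a filterlog event."""
    m = BODY.search(line)
    if not m:
        return None
    parts = m.group(1).split(",")
    rec = dict(zip(COMMON, parts[:9]))
    if rec.get("ipver") != "4":      # IPv6 is out of scope, as in the content pack
        rec["unsupported"] = True
        return rec
    rec.update(zip(IPV4, parts[9:20]))
    proto_fields = {"tcp": TCP, "udp": UDP}.get(rec.get("proto"), [])
    rec.update(zip(proto_fields, parts[20:]))
    return rec

def blocked_inbound_by_port(lines):
    """Dashboard-style rollup: blocked inbound IPv4 flows per (protocol, destination port)."""
    hits = Counter()
    for rec in map(parse_filterlog, lines):
        if rec and not rec.get("unsupported") and rec["action"] == "block" and rec["direction"] == "in":
            hits[(rec["proto"], rec.get("dport"))] += 1
    return hits

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_filterlog(line))
    print(blocked_inbound_by_port(SAMPLE_LINES))
```

The same split-by-position logic is what the regex-based extracted fields encode; the rollup is the kind of aggregation a "blocked inbound by port" widget performs.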

Contributions / Requests

If you have any requests for additional fields or widgets let me know in the comments on my blog: https://www.funkycloudmedina.com/2020/05/vrealize-log-insight-content-pack-for-pfsense-firewall-logs/. I’d be more than happy to give it a crack in the homelab. If there’s something you’d like to contribute, post up your field and regex in the comments and I’ll include it in the content pack (with attribution of course).

More information and screenshots can be found here: https://www.funkycloudmedina.com/2020/05/vrealize-log-insight-content-pack-for-pfsense-firewall-logs/

