How to Forward logs from PfSense to Splunk Enterprise (SIEM)

How to Send PfSense Logs to Splunk Enterprise (Windows and Linux Server Setup)

pfSense is a popular open-source firewall and router platform with a strong set of features for network monitoring and management. One of the most important functions of any firewall is generating logs that track network traffic, security events, and system health; these logs are critical for troubleshooting, auditing, and security analysis. Splunk Enterprise is a platform for searching, monitoring, and analyzing machine-generated data through a web interface. By sending pfSense logs to Splunk, you can centralize log collection, analyze traffic patterns, and build reports and alerts for your network. In this post, I will walk you through sending pfSense logs to Splunk Enterprise running on both Windows and Linux servers.

Why Send pfSense Logs to Splunk?

Before we start, let's briefly look at why you might want to send your pfSense logs to Splunk:

  • Alerting: Set up alerts to notify you of suspicious activity or critical events based on the pfSense logs.
  • Centralized Logging: Splunk can aggregate logs from multiple devices and applications, providing a single place to view and analyze logs from your pfSense firewall.
  • Real-time Analysis: You can monitor logs in real-time for potential security incidents or performance issues.
  • Advanced Searching and Visualization: Splunk provides powerful querying capabilities and the ability to create customized dashboards to visualize network traffic and security data.

Create Index and Input configuration files to receive pfSense logs on the Windows Splunk Enterprise Server

Step 1 Create an index configuration file

On your Windows Splunk Server, navigate to C:\Program Files\Splunk\etc\system\local (you can copy and paste the path below into File Explorer) and create a new file named index.

C:\Program Files\Splunk\etc\system\local

Open the newly created index file, paste the stanza below, and save.

[fw]
homePath   = $SPLUNK_DB/fwdb/db
coldPath   = $SPLUNK_DB/fwdb/colddb
thawedPath = $SPLUNK_DB/fwdb/thaweddb

Step 2 Create an input configuration file

On your Windows Splunk Server, navigate to C:\Program Files\Splunk\etc\system\local (you can copy and paste the path above into File Explorer) and create a new file named inputs.

Open the newly created inputs file, paste the stanza below, and save.

[udp://:7001]
index=fw
sourcetype=pfsense

You should have something similar to the screenshot below.

Create Index and Input configuration files to receive pfSense logs on the Linux Splunk Enterprise Server

Change your working directory with the cd command (you can copy the command below).

cd /opt/splunk/etc/system/local

Create the index.conf file.

sudo nano index.conf

Paste the data below, then press Ctrl + O to save the file and Ctrl + X to exit.

[fw]
homePath   = $SPLUNK_DB/fwdb/db
coldPath   = $SPLUNK_DB/fwdb/colddb
thawedPath = $SPLUNK_DB/fwdb/thaweddb

Create the inputs.conf file.

sudo nano inputs.conf

Paste the data below, then press Ctrl + O to save the file and Ctrl + X to exit.

[udp://:7001]
index=fw
sourcetype=pfsense

Create a Firewall Rule

Log in to your pfSense Web Interface. Click on Firewall > Rules.

Click on the green Add arrow to create a new firewall rule to allow traffic on port 7001.

Select Pass for Action. Select the interface you want to monitor. For this example, I selected WAN. Select UDP for Protocol.

Select (others) for Destination Port Range and enter 7001 for From and To. Enter a meaningful description as shown in the screenshot below.

Click the Save button, then click Apply Changes.

Enable Remote Logging on pfSense

Before pfSense can send logs to your Splunk server, you need to configure it to forward them. Follow the steps below to enable remote logging.

Click on Status > System Logs.

Click on Settings.

Scroll down to Remote Logging Options. Under Enable Remote Logging, check the box next to Send messages to remote syslog server.

Select LAN for the Source Address.

Select IPv4 for the IP Protocol.

Enter your Splunk Enterprise IP address and port number for the Remote log server; for this example, 192.168.11.112:7001. Click the Save button to apply the changes.

Verify pfSense Logs in Splunk

Once pfSense is configured to forward logs and Splunk is set up to receive them, it’s time to verify that everything is working as expected.

Log in to your Splunk instance and click on Search & Reporting. Run a search query to view the logs from pfSense; for example, you can use a search like index="pfsense_log". Splunk has started receiving logs from pfSense, as shown below.

Click here to download TA-pfsense. Log in with your Splunk credentials and click on the Download button.
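To see what those events look like before you build searches or install the add-on, here is an added example (not from the post, pfSense or Splunk) that stands up a UDP listener on the loopback address in the role of the [udp://:7001] input, sends one constructed pfSense-style syslog line to it the way the remote logging setting above does, and then parses what arrived: the syslog PRI and header first, then pfSense's filterlog CSV body into named fields. Assumptions: the event uses pfSense's BSD syslog format, the field order follows pfSense's documented filterlog layout for an IPv4 TCP packet, and every function and field name is mine. Because the inputs.conf stanza above routes these events to the fw index with sourcetype pfsense, the matching Splunk search is index=fw sourcetype=pfsense.

```python
"""Loopback check of the pfSense -> UDP syslog path, plus a filterlog parser.

Added example, not code from the post, pfSense or Splunk. The listener stands
in for the [udp://:7001] input; the event, field names and function names are
constructed for this example.
"""
import socket

# Constructed event in pfSense's BSD syslog form: <PRI>timestamp host program: body
SAMPLE_EVENT = (
    "<134>Mar 10 12:00:01 pfSense filterlog: "
    "5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,"
    "198.51.100.20,192.168.11.1,51515,443,0,S,1234567890,,65535,,mss"
)

# Field names follow pfSense's documented filterlog layout (the names are mine).
COMMON_FIELDS = ["rule_number", "sub_rule", "anchor", "tracker", "interface",
                 "reason", "action", "direction", "ip_version"]        # positions 0-8
IPV4_FIELDS = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id",
               "protocol", "length", "src_ip", "dst_ip"]              # positions 9-19
L4_FIELDS = ["src_port", "dst_port", "data_length"]                  # 20-22, tcp/udp only
TCP_FIELDS = ["tcp_flags", "seq", "ack", "window", "urg", "options"]  # 23-28, tcp only


def parse_syslog(raw):
    """Split '<PRI>Mmm dd hh:mm:ss host program: body' into its parts."""
    if not raw.startswith("<") or ">" not in raw:
        raise ValueError("missing syslog PRI")
    pri, rest = raw[1:].split(">", 1)
    pri = int(pri)
    timestamp, rest = rest[:15], rest[16:]      # BSD timestamp is fixed-width
    host, rest = rest.split(" ", 1)
    program, body = rest.split(": ", 1)
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": timestamp,
            "host": host, "program": program, "body": body}


def parse_filterlog(body):
    """Map the CSV body of a filterlog line to named fields."""
    parts = body.split(",")
    fields = dict(zip(COMMON_FIELDS, parts[:9]))
    if fields.get("ip_version") == "4":
        fields.update(zip(IPV4_FIELDS, parts[9:20]))
        if fields.get("protocol") in ("tcp", "udp"):
            fields.update(zip(L4_FIELDS, parts[20:23]))
        if fields.get("protocol") == "tcp":
            fields.update(zip(TCP_FIELDS, parts[23:29]))
    return fields


def loopback_roundtrip(event, port=0):
    """Bind a UDP listener on 127.0.0.1 (port 0 = any free port), send the
    event to it and return the datagram that arrived, as text."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", port))
    listener.settimeout(2)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(event.encode(), listener.getsockname())
        data, _ = listener.recvfrom(65535)
    finally:
        sender.close()
        listener.close()
    return data.decode()


def receive_and_parse(event=SAMPLE_EVENT):
    """End-to-end: deliver the event over UDP, then parse header and body."""
    record = parse_syslog(loopback_roundtrip(event))
    record["fields"] = parse_filterlog(record["body"])
    return record


if __name__ == "__main__":
    rec = receive_and_parse()
    f = rec["fields"]
    print(f"{rec['host']} {f['action']} {f['direction']} {f['protocol']} "
          f"{f['src_ip']}:{f['src_port']} -> {f['dst_ip']}:{f['dst_port']} "
          f"on {f['interface']} (facility {rec['facility']}, severity {rec['severity']})")
```

Run it directly to print a one-line summary of the parsed event. With port=7001 and the listener bound to the server's LAN address instead of 127.0.0.1, the same listener can confirm that datagrams from a real pfSense reach the host before Splunk is involved, provided Splunk is not already bound to that port.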

By default, visibility is set to No. Click on Edit properties and set the visibility to Yes. Click on the Save button to save the changes, as shown in the screenshots below.

Notice the app is now visible.
