[pfsense] update pfsense docs #15969
+377
−221
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,47 +1,91 @@ | ||
| # pfSense Integration for Elastic | ||
|
|
||
| ## Overview | ||
| The pfSense integration for Elastic enables the collection of logs from pfSense and OPNsense firewalls. It parses logs received over the network via syslog (UDP, TCP, or TLS), providing visibility into network traffic, security events, and system health. | ||
|
|
||
| This integration facilitates real-time monitoring and analysis of firewall activity, helping with threat detection and network troubleshooting. | ||
|
|
||
| ### How it works | ||
| The integration works by receiving syslog data streams from pfSense or OPNsense devices. Elastic Agent listens on a configured network port (UDP, TCP, or TLS), receives the logs, processes them through its ingest pipelines to parse and structure the data, and then securely sends the data to Elasticsearch for indexing and analysis. | ||
|
|
||
| ## What data does this integration collect? | ||
| The pfSense integration collects and parses the following types of logs: | ||
| * Firewall | ||
| * Unbound (DNS) | ||
| * DHCP Daemon | ||
| * OpenVPN | ||
| * IPsec | ||
| * HAProxy | ||
| * Squid (Web Proxy) | ||
| * PHP-FPM (Authentication events) | ||
|
|
||
| **Note:** The HAProxy dashboards are compatible with the official HAProxy integration. For the best experience, it is recommended to also install the HAProxy integration assets. All other log types not listed above will be dropped. | ||
|
|
||
| ## What do I need to use this integration? | ||
| You need an installed Elastic Agent to act as the collection point for the syslog data. | ||
|
|
||
| ## How do I deploy this integration? | ||
|
|
||
| ### Agent-based deployment | ||
|
|
||
| Elastic Agent must be installed to stream data from the syslog receiver and ship it to Elastic. For more details, check the Elastic Agent [installation instructions](https://www.elastic.co/guide/en/fleet/current/install-elastic-agents.html). | ||
|
|
||
| ### Onboard / configure | ||
|
|
||
| Follow the steps below to configure your pfSense or OPNsense device to send logs to the Elastic Agent. | ||
|
|
||
| #### pfSense Setup | ||
|
|
||
| 1. In the pfSense web interface, navigate to **Status > System Logs**, and then click on the **Settings** tab. | ||
| 2. Scroll to the bottom and check the **Enable Remote Logging** box. | ||
| 3. (Optional) Select a specific source interface to use for log forwarding under **Source Address**. | ||
| 4. In the **Remote log servers** field, enter the IP address and port of your Elastic Agent (e.g., `192.168.100.50:9001`). | ||
| 5. Under **Remote Syslog Contents**, select the logs you wish to forward. | ||
| * To collect logs from packages like HAProxy or Squid, you must select **Everything**. | ||
| * For standard logs, you can select individual services like Firewall, DHCP, OpenVPN, etc. | ||
|
|
||
| #### OPNsense Setup | ||
|
|
||
| 1. In the OPNsense web interface, navigate to **System > Settings > Logging / Targets**. | ||
| 2. Click the **Add** button (plus icon) to create a new logging target. | ||
| 3. Configure the target with the following settings: | ||
| * **Transport**: UDP, TCP, or TLS, matching your Elastic Agent input configuration. | ||
| * **Applications**: Leave empty to forward all logs, or select specific applications. | ||
| * **Levels & Facilities**: Leave with "Nothing Selected". | ||
| * **Hostname**: The IP address of your Elastic Agent. | ||
| * **Port**: The port your Elastic Agent is listening on. | ||
| * **Certificate**: (For TLS only) Select the appropriate client certificate. | ||
| * **Description**: A descriptive name, e.g., "Syslog to Elastic". | ||
| 4. Click **Save**. | ||
|
|
||
| **Important Configuration Note:** | ||
|
|
||
| The pfSense integration supports both the BSD logging format (default on pfSense) and the standard Syslog format (RFC 5424, an option on pfSense). | ||
|
|
||
| The **Syslog format is highly recommended** as it provides the firewall's hostname and includes proper timezone information in the timestamps. | ||
|
|
||
| If you must use the BSD format, you **must** configure the `Timezone Offset` setting in the integration policy. If you do not, timestamps will default to the timezone of the Elastic Agent, which may be incorrect. For more details, see the pfSense [log settings documentation](https://docs.netgate.com/pfsense/en/latest/monitoring/logs/settings.html). | ||
|
|
||
| ### Validation | ||
|
|
||
| 1. On a host connected to the pfSense network, generate traffic that will trigger a firewall log event. For example, attempt a connection that you know will be blocked by a firewall rule. | ||
| 2. Check the pfSense system logs to confirm that new event data is being written. In the pfSense web interface, navigate to **Status > System Logs > Firewall**. | ||
| 3. In Kibana, navigate to the **Discover** tab or open the pre-built **Firewall - Dashboard [pfSense]** dashboard. | ||
| 4. Filter for pfSense data by using the KQL query `event.dataset : "pfsense.log"`. | ||
|
Contributor
There was a problem hiding this comment. This could be a bit confusing, you don't need to filter, if you choose to open the dashboard
Contributor
Author
There was a problem hiding this comment. In step 3 it says Navigate to discover or Open dashboard. If user opens discover then they have to add the query. And for dashboards, I think the query would most likely be there or adding it won't change anything. |
||
| 5. Verify that new log events from the pfSense host are appearing. You should see logs corresponding to the traffic you generated. | ||
|
|
||
| A huge thanks to [a3ilson](https://github.com/a3ilson) for the https://github.com/pfelk/pfelk repo, which is the foundation for the majority of the grok patterns and dashboards in this integration. | ||
|
|
||
| ## Reference | ||
|
|
||
| ### log | ||
| The `log` data stream contains all log types collected from the pfSense or OPNsense device. | ||
|
|
||
| #### log fields | ||
| {{ fields "log" }} | ||
|
|
||
| #### log sample event | ||
| {{ event "log" }} | ||
|
|
||
| ### Inputs used | ||
| {{ inputDocs }} | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(UDP, TCP, or TLS)- TLS isn't a transport, this should probably change to(UDP or TCP)orUDP or TCP, using TLS