pf-logs Log Parser

Parses the packet filter logs which are generated by pfSense and OPNsense and other FreeBSD and OpenBSD systems.

1# For more information see

2# https://github.com/opnsense/ports/blob/master/opnsense/filterlog/files/description.txt

3# and

4# https://docs.netgate.com/pfsense/en/latest/monitoring/logs/raw-filter-format.html

5filter: "evt.Parsed.program == 'filterlog' or evt.Parsed.message matches '^filterlog:'"

6name: firewallservices/pf-logs

7description: "Parse packet filter logs"

8format: 2.0

9pattern_syntax:

10 # WORD including special characters

11 PF_WORD: '%{USERNAME}'

13 # rulenr, subrulenr, anchorname, label | "0", interface, reason, action, dir

14 PF_BASE: '%{INT:rule},(%{INT:sub_rule})?,(%{WORD:anchorname})?,(%{WORD:tracker}| 0),%{PF_WORD:iface},%{WORD:reason},%{WORD:action},%{WORD:direction}'

16 # tos, ecn, ttl, id, offset, flags, protonum, protoname, length, src, dst

17 PF_IPV4_DATA: '%{BASE16NUM:ip4_tos},(%{INT:ip4_ecn})?,%{INT:ip4_ttl},%{INT:ip4_id},%{INT:ip4_offset},%{WORD:ip4_flags},%{INT:ip4_proto_id},%{WORD:ip4_proto}'

18 # class, flow, hoplimit, protoname, protonum

19 PF_IPV6_DATA: '%{BASE16NUM:ip6_class},%{BASE16NUM:ip6_flow_label},%{INT:ip6_hop_limit},%{WORD:ip6_proto},%{INT:ip6_proto_id}'

20 # ipversion, ..., length, src, dst

21 PF_IP: '%{INT:ip_ver},(%{PF_IPV4_DATA}|%{PF_IPV6_DATA}),%{INT:length},%{IP:src_ip},%{IP:dst_ip}'

23 # srcport, dstport, datalen

24 PF_UDP_DATA: '%{POSINT:src_port},%{POSINT:dst_port},%{INT:data_length}'

25 # srcport, dstport, datalen, flags, seq, ack, window, urg, options

26 PF_TCP_DATA: '%{WORD:tcp_flags},%{INT:sequence_number},(?:%{INT:ack_number})?,%{INT:tcp_window},(%{DATA:urg_data})?,%{GREEDYDATA:tcp_options}'

27 # both protocols start with the same three values

28 PF_PROTOCOL: '%{PF_UDP_DATA}(,%{PF_TCP_DATA})?'

29grok:

30 pattern: "%{PF_BASE},%{PF_IP},%{PF_PROTOCOL}"

31 apply_on: message

32statics:

33 - meta: log_type

34 value: pf

35---

36filter: "evt.Meta.log_type == 'pf' and evt.Parsed.action == 'block'"

37name: firewallservices/pf-logs-drop

38description: "Identify dropped packets"

39onsuccess: next_stage

40statics:

41 - meta: service

42 expression: "evt.Parsed.ip4_proto != nil ? evt.Parsed.ip4_proto : evt.Parsed.ip6_proto"

43 - meta: log_type

44 value: pf_drop

45 - meta: source_ip

46 expression: "evt.Parsed.src_ip"

47 - meta: rulenr

48 expression: "evt.Parsed.rule"

49 - meta: ruleid

50 expression: "evt.Parsed.tracker"

51 - meta: iface

52 expression: "evt.Parsed.iface"

Hub configuration

« pf-logs »
v0.6 by firewallservices
Log parser

Hub configuration

« pf-logs »v0.6 by firewallservicesLog parser

« pf-logs »
v0.6 by firewallservices
Log parser