PFSense + Splunk - Security on the cheap
PFSense is a wonderful piece of free software. Using the free Splunk along with PFSense gives you quite an effective way to start securing your environment without having to spend a dime.
In this post we will not look at configuring PFSense packages. Instead, we will look at configuring PFSense to forward the logs below to a remote Syslog server. In this case the remote server is Splunk, which we will use to parse:
1. Parsing Firewall logs
2. Parsing ARPWatch Logs
3. Parsing Snort Logs
4. Parsing DHCP Server Logs
To configure PFSense to forward logs we must do the following:
1. From the "Diagnostics" tab, select "System Activity"
2. In the "System Activity" window, ensure the following are checked:
(i) Show log entries in reverse order (newest entries on top)
(ii) Log packets matched from the default block rules put in the ruleset
(iii) Log packets matched from the default pass rules put in the ruleset
(iv) Log packets blocked by 'Block Bogon Networks' rules
(v) Log packets blocked by 'Block Private Networks' rules
(vi) Log errors from the web server process.
3. Optional: if you don't wish to write the logs to the firewall's local disk, ensure the following is checked:
(i) Disable writing log files to the local disk
4. From the "Source Address" drop down select "LAN"
5. Select your "IP Protocol" (in most cases this will be IPv4)
6. For "Enable Remote Logging", ensure "Send log messages to remote syslog server" is checked
7. For "Remote Syslog Servers", enter the IP address of your Splunk instance
8. For "Remote Syslog Contents", ensure "Everything" is checked, unless you wish to forward only specific log types
[Screenshot: part of the PFSense configuration needed to send its logs to Splunk]
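The steps above only configure the sending side. Splunk still needs a UDP (or TCP) data input listening on the syslog port before anything is indexed, and plain UDP syslog carries no sender authentication, so it is worth confirming that what arrives on that port really comes from the firewall and carries the four log types this series covers. The following is an added example, not code from the original post or from the PFSense or Splunk projects: a small Python receiver that parses the BSD-style syslog header PFSense emits, classifies each datagram by its program tag, and flags datagrams from any other host or in an unexpected format. The firewall address, the program-tag names and the sample datagrams are assumptions and constructed values, not captured output.

```python
"""Check that PFSense syslog forwarding reaches the collector as expected.
Added example; not part of the original post, PFSense or Splunk."""
import re
import socket
import sys
from collections import Counter

# Assumption: the firewall's LAN address (the "Source Address" chosen above).
FIREWALL_IP = "192.168.1.1"

# Program tags for the four log sources the series covers. Assumption: these
# are the tags the PFSense daemons use; adjust them if your version differs.
KNOWN_PROGRAMS = {
    "filterlog": "firewall",
    "arpwatch": "arpwatch",
    "snort": "snort",
    "dhcpd": "dhcp",
}

# BSD-style syslog line: <PRI>Mmm dd HH:MM:SS [hostname] tag[pid]: message
# PFSense may omit the hostname on remote syslog, so the host group is optional.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?:(?P<host>\S+) )??"
    r"(?P<tag>[A-Za-z_][\w.-]*)(?:\[(?P<pid>\d+)\])?:\s?"
    r"(?P<msg>.*)$"
)


def parse_syslog(line):
    """Split one syslog datagram into its header fields; None if malformed."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0-23 and severity 0-7 fit in 0..191
        return None
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "program": m.group("tag"),
        "pid": m.group("pid"),
        "message": m.group("msg"),
        "source": KNOWN_PROGRAMS.get(m.group("tag"), "other"),
    }


def check_datagrams(datagrams, firewall_ip=FIREWALL_IP):
    """Tally (sender_ip, payload) pairs by log source. Datagrams from any
    other sender, or that do not parse, are counted separately so a
    misconfiguration on either side stands out."""
    tally = Counter()
    for src_ip, payload in datagrams:
        if src_ip != firewall_ip:
            tally["unexpected_sender"] += 1
            continue
        rec = parse_syslog(payload)
        if rec is None:
            tally["unparseable"] += 1
            continue
        tally[rec["source"]] += 1
    return tally


def listen(bind_addr="0.0.0.0", port=514, count=20):
    """Receive `count` UDP syslog datagrams (port 514 needs root) and tally them.
    Run this on the Splunk host while its own UDP input is stopped."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    received = []
    while len(received) < count:
        data, (src_ip, _) = sock.recvfrom(8192)
        received.append((src_ip, data.decode("utf-8", "replace")))
    return check_datagrams(received)


# Constructed sample datagrams (not captured from a real firewall).
SAMPLE_DATAGRAMS = [
    (FIREWALL_IP, "<134>Jan 12 10:00:01 filterlog: 5,,,1000000103,em0,match,block,in,4"),
    (FIREWALL_IP, "<134>Jan 12 10:00:02 pfsense dhcpd: DHCPACK on 192.168.1.50 to 00:11:22:33:44:55 via em1"),
    (FIREWALL_IP, "<14>Jan 12 10:00:03 arpwatch: new station 192.168.1.77 00:aa:bb:cc:dd:ee em1"),
    (FIREWALL_IP, "<12>Jan 12 10:00:04 snort[12345]: [1:1000001:1] Constructed test alert [Priority: 3]"),
    (FIREWALL_IP, "<134>Jan 12 10:00:05 sshd[4321]: Accepted publickey for admin from 192.168.1.10"),
    ("192.168.1.99", "<134>Jan 12 10:00:06 filterlog: 5,,,1000000103,em0,match,pass,in,4"),
    (FIREWALL_IP, "not a syslog line at all"),
]

if __name__ == "__main__":
    # With --listen, read live datagrams; otherwise run over the constructed samples.
    result = listen() if "--listen" in sys.argv[1:] else check_datagrams(SAMPLE_DATAGRAMS)
    for key, n in sorted(result.items()):
        print(f"{key:18s} {n}")
```

Run it without arguments to see the tally over the constructed samples (one datagram each for firewall, dhcp, arpwatch, snort and other, plus one unexpected sender and one unparseable line), or with `--listen` on the collector to tally real traffic. A tally with no "firewall" entries after a minute of traffic means the "Remote Syslog Contents" or "Source Address" settings above need another look; a non-zero "unexpected_sender" count means something other than the firewall is talking to your syslog port.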
In the next post we will look at parsing this data in Splunk.
In this series:
1. PFSense + Splunk - Security on the cheap
2. PFSense + Splunk - Security on the cheap - Parsing Firewall logs
3. PFSense + Splunk - Security on the cheap - Parsing ARPWatch Logs
4. PFSense + Splunk - Security on the cheap - Parsing Snort Logs
5. PFSense + Splunk - Security on the cheap - Parsing DHCP Server Logs