Sunday, May 3, 2015

PFSense + Splunk - Security on the cheap


PFSense is a wonderful piece of free software. Using the free Splunk along with PFSense can give you quite an effective way to start securing your environment without having to spend a dime.

In this post we will not look at configuring PFSense packages. However, we will look at configuring forwarding of the logs below to a remote Syslog server. In this case we will use Splunk to parse

1. Parsing Firewall logs
2. Parsing ARPWatch Logs
3. Parsing Snort Logs
4. Parsing DHCP Server Logs

To configure PFSense to forward logs we must do the following:
    1. From the "Diagnostics" tab, select "System Activity"
    2. In the "Systems Activity" window, ensure the following are checked:
        (i)   Show log entries in reverse order (newest entries on top)
        (ii)  Log packets matched from the default block rules put in the ruleset
        (iii) Log packets matched from the default pass rules put in the ruleset
        (iv)  Log packets blocked by 'Block Bogon Networks' rules
        (v)   Log packets blocked by 'Block Private Networks' rules
        (vi)  Log errors from the web server process.
    3. Optional - if you don't wish to write the logs to the local firewall, ensure the following is checked:
        (i)   Disable writing log files to the local disk
    4. From the "Source Address" drop down select "LAN"
    5. Select your "IP Protocol" - I'm sure this would be IPv4
    6. For "Enable Remote Logging", ensure "Send log messages to remote syslog server" is checked
    7. For "Remote Syslog Servers", enter the IP address of your Splunk Instance
    8. For "Remote Syslog Contents", ensure "Everything" is checked - unless you wish to be specific

The snapshot below shows what we should be doing.

Above image shows part of the configuration needed for PFSense to send its logs to Splunk
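
Before moving on to Splunk, it helps to confirm what the firewall is actually forwarding and whether its clock agrees with the receiver's. The following is an added example, not code from the original post: it parses a forwarded line and compares its timestamp with the receive time. It assumes BSD-syslog (RFC 3164) framing, and the function names and sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# BSD-syslog (RFC 3164) header: <PRI>Mmm dd hh:mm:ss [host] tag[pid]: message
# Assumption: the firewall forwards in this format; the host field is optional.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<host>[^\s:\[]+) )?"
    r"(?P<tag>[^\s:\[]+)(?:\[\d+\])?: "
    r"(?P<msg>.*)$"
)

def parse_syslog(line, received):
    """Parse one forwarded line; `received` is the receiver's local time."""
    m = SYSLOG_RE.match(line.strip())
    if m is None:
        return None  # not RFC 3164: wrong port/protocol or a different format
    pri = int(m["pri"])
    # RFC 3164 timestamps carry no year or timezone, so borrow the receiver's year.
    try:
        sent = datetime.strptime(f"{received.year} {m['ts']}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None  # header-shaped, but not a real calendar date
    if sent - received > timedelta(days=180):  # sent in December, received in January
        sent = sent.replace(year=sent.year - 1)
    return {
        "facility": pri // 8, "severity": pri % 8,
        "host": m["host"], "tag": m["tag"], "msg": m["msg"],
        "sent": sent,
        "skew": sent - received,  # negative: sender's clock is behind the receiver's
    }

def skewed(event, tolerance=timedelta(minutes=5)):
    """True when sender and receiver clocks disagree by more than `tolerance`."""
    return abs(event["skew"]) > tolerance

# Constructed sample lines (not captured from a real firewall).
SAMPLES = [
    "<134>May  3 10:15:01 filterlog: 5,,,1000000103,em0,match,block,in,4",
    "<30>May  3 06:15:02 fw dhcpd: DHCPACK on 192.0.2.50 via em1",
    "garbage that is not syslog",
]

if __name__ == "__main__":
    now = datetime(2015, 5, 3, 10, 15, 5)  # constructed receive time
    for line in SAMPLES:
        ev = parse_syslog(line, now)
        print(ev and (ev["tag"], ev["severity"], str(ev["skew"]), skewed(ev)))
```

A skew of whole hours usually points to a timezone mismatch between the two hosts rather than clock drift.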

In the next post we will look at parsing this data out in Splunk.

In this series:
1. PFSense + Splunk - Security on the cheap
2. PFSense + Splunk - Security on the cheap - Parsing Firewall logs
3. PFSense + Splunk - Security on the cheap - Parsing ARPWatch Logs
4. PFSense + Splunk - Security on the cheap - Parsing Snort Logs
5. PFSense + Splunk - Security on the cheap - Parsing DHCP Server Logs


  1. Thanks, I have PFsense sending logs to Splunk running on Ubuntu 14.04 server. When I check pfsense internal logs, everything works fine, but when I go to Splunk, it shows me output that's not in pfsense and the date is far off.

    1. Hey Sandra,
      Are you seeing any PFSense logs in Splunk? Basically, anything that looks like it is coming from PFSense. As it relates to the time, it is quite possible your Ubuntu server and your PFSense may have two different time configurations. Ensure both devices have the same time configuration.

      Hope this helps.
