Hint: The pfSense Firewall Security Content Pack was first introduced in Illuminate 3.3.

pfSense and OPNsense are free, open-source firewalls and router software based on FreeBSD. They provide advanced networking features and can be used in a variety of network configurations.

This technology pack will process pfSense and OPNsense messages.

Requirement(s)

  • Supported versions include pfSense CE edition 2.6 and OPNsense 23.1.

  • Graylog server with a valid Enterprise license running Graylog 5.0.3+.

Supported Logs

  • dhcpd (DHCP logs)

  • filterlog (Firewall logs)

  • nginx / lighttpd (Traffic logs)

  • unbound (DNS logs, query)

  • sshd (Login/Logout via SSH)

  • GUI login (Login)

  • sshguard (SSHGuard logs)

  • audit / php-fpm (Authentication)

  • php-fpm (User creation and deletion)

  • kea-dhcp4 (DHCP logs)

  • Beta support:

    • ntpd (NTP logs)

    • openvpn (OpenVPN logs)

    • radvd (Routing advertisement logs)

    • suricata (Intrusion Detection)

    • snort (Snort 2.9, Intrusion Detection)

    • /usr/sbin/cron (Cron System logs)

    • dpinger (Gateway logs)

    • charon (IPSec)

    • dnsmasq (DNSMasq)

    • pkg_static (Package Manager)

    • shutdown (Shutdown command)

    • rc.gateway_alarm (Gateway alarm)

    • snmpd (SNMP)

    • arpwatch (Arpwatch)

    • squid (Proxy Server, requires a specific input)

    • Bind (Alternative DNS Server)

    • tailscaled (Tailscale successful connection)

  • Hint: These are mostly additional pfSense/OPNsense packages (not installed or configured by default). The pack parses at least the basic fields of the packages listed above, but some may require adjusted logging settings.

Stream Configuration

This technology pack includes one stream:

  • “Illuminate:pfsense_firewall Messages”

Hint: If this stream does not exist prior to the activation of this pack, it will be created and configured so that messages are routed to it and to the associated index set. No stream rules should be configured for this stream.

Index Set Configuration

This technology pack includes one index set definition:

  • “pfsense_firewall Logs”

Hint: If this index set is already defined, nothing will be changed. If it does not exist, it will be created with a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Format Examples

dhcpd (DHCP logs)

    DHCPREQUEST for 192.168.1.50 from 52:54:00:06:aa:11 (tsterkal) via vtnet1

filterlog (Firewall logs)

    71,,,1eb94a38e58994641aff378c21d5984f,vtnet0,match,block,in,4,0x0,,255,43376,0,DF,17,udp,73,192.168.122.40,224.0.0.251,5353,5353,53
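The filterlog line is positional CSV: a common prefix (rule, interface, action, direction, IP version), then IP-version-specific fields, then protocol-specific fields such as ports. The following parser is an added example, not code from this page or from Illuminate's own rules; it uses the page's filterlog line as input, names the fields after the pfSense raw filter log format, and also handles the IPv6 and TCP layouts that the single UDP line above does not show. The field names (rule_number, src_ip, ...) are this example's own choice, not Illuminate's schema.

```python
# Constructed input: the page's filterlog example line (IPv4, UDP, blocked inbound).
SAMPLE = ("71,,,1eb94a38e58994641aff378c21d5984f,vtnet0,match,block,in,4,0x0,,255,"
          "43376,0,DF,17,udp,73,192.168.122.40,224.0.0.251,5353,5353,53")

# Field order per the pfSense raw filter log format; names here are our own.
COMMON = ["rule_number", "sub_rule_number", "anchor", "tracker", "interface",
          "reason", "action", "direction", "ip_version"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protocol_id",
        "protocol", "length", "src_ip", "dst_ip"]
IPV6 = ["class", "flow_label", "hop_limit", "protocol", "protocol_id",
        "length", "src_ip", "dst_ip"]
TCP = ["src_port", "dst_port", "data_length", "tcp_flags", "sequence",
       "ack", "window", "urg", "options"]
UDP = ["src_port", "dst_port", "data_length"]
NUMERIC = ("rule_number", "ttl", "hop_limit", "protocol_id", "length",
           "src_port", "dst_port", "data_length")


def parse_filterlog(line):
    """Split one filterlog line into a dict of named fields.

    Fields that do not exist for a protocol (e.g. ports for ICMP) are omitted;
    trailing values the format leaves unnamed are kept under 'extra'.
    """
    fields = line.strip().split(",")
    if len(fields) < len(COMMON):
        raise ValueError("too few fields for a filterlog line")
    names = list(COMMON)
    ip_version = fields[8]
    if ip_version == "4":
        names += IPV4
    elif ip_version == "6":
        names += IPV6
    else:
        raise ValueError(f"unknown IP version {ip_version!r}")
    proto_idx = names.index("protocol")
    proto = fields[proto_idx].lower() if len(fields) > proto_idx else ""
    if proto == "tcp":
        names += TCP
    elif proto == "udp":
        names += UDP
    record = dict(zip(names, fields))
    if len(fields) > len(names):
        record["extra"] = fields[len(names):]
    for key in NUMERIC:  # convert counters and ports to int where present
        if record.get(key, "").isdigit():
            record[key] = int(record[key])
    return record


def is_blocked_inbound(record):
    """True when the firewall blocked an inbound packet, a common alert trigger."""
    return record["action"] == "block" and record["direction"] == "in"
```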

nginx / lighttpd (Traffic logs)

    192.168.1.50 192.168.1.10 - [23/Mar/2023:14:48:28 +0000] "GET /api/core/system/status HTTP/2.0" 200 317 "https://192.168.1.10/services_dhcp.php?if=lan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"

unbound (DNS logs)

    [61142:0] info: reply from <cnn.com.> 205.251.192.47#53

    [98871:0] query: 192.168.1.100 safebrowsing.googleapis.com. A IN

sshguard (SSHGuard logs)

    Attack from "192.168.7.1" on service 100 with danger 10.

sshd (Login/Logout via SSH)

    Accepted keyboard-interactive/pam for admin from 192.168.1.100 port 53214 ssh2

audit / php-fpm (Authentication)

    /index.php: Successful login for user 'root' from: 192.168.1.50

login (Login to a shell)

    login on ttyv0 as root

Logs in Beta Support

ntpd (NTP logs)

    65.182.224.60 local addr 192.168.122.34 -> <null>

openvpn (OpenVPN logs)

    myusercert/192.168.1.100:35609 SENT CONTROL [myusercert]: 'PUSH_REPLY,redirect-gateway def1,route-gateway 192.168.2.1,topology subnet,ping 10,ping-restart 60,ifconfig 192.168.2.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)

radvd (Routing advertisement logs)

    ignoring RA from fe80::abcd:1234:5678:aaaa on igb0: not enough addresses for subnet

suricata (Intrusion Detection)

    [46424]: [Drop] [1:2001219:20] ET SCAN Potential SSH Scan [Classification: Attempted Information Leak] [Priority: 2] {TCP} 118.123.10.10:1566 -> 192.168.1.25:22

snort (Snort 2.9)

    [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.100:49922 -> 192.168.1.1:3128

/usr/sbin/cron (Cron System logs)

    (root) CMD (/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot)

dpinger (Gateway logs)

    dpinger[11000]: WAN_GW 198.51.100.1: Alarm latency 4807us stddev 1790us loss 21%

charon (IPSec)

    16[CFG] loaded 0 RADIUS server configurations

  • Parsing covers only the charon process name and PID.

dnsmasq (DNSMasq)

    1 192.168.1.50/49952 query[A] cnn.com from 192.168.1.50

pkg_static / pkg (Package Manager)

    opnsense upgraded: 23.1 -> 23.1.4_1

shutdown (Shutdown command)

    power-down by root:

rc.gateway_alarm (Gateway alarm)

    >>> Gateway alarm: WAN_DHCP (Addr:192.168.122.1 Alarm:0 RTT:1.241ms RTTsd:10.968ms Loss:0%)

snmpd (SNMP)

    disk_OS_get_disks: adding device 'cd0' to device list

php-fpm (User creation and deletion)

    /system_usermanager.php: Configuration Change: admin@192.168.1.100 (Local Database): Successfully deleted user: stefan

arpwatch (Arpwatch)

    new station 192.168.1.100 52:54:00:06:57:10

kernel

    vtnet0: promiscuous mode enabled

squid (Proxy Server, requires a specific input)

    1680109171.634 171177 192.168.1.100 TCP_TUNNEL/200 111 CONNECT 192.169.3.4:443 - HIER_DIRECT/10.10.10.10 -

php/php_pfb (Software Updates/News)

    [pfBlockerNG] Starting cron process.

Bind/named (Alternative DNS Server)

    queries: info: client @0x802512d60 192.168.1.100#54251 (heise.de): query: heise.de IN A +E(0)K (192.168.1.1)

tailscaled (Tailscale connection)

    UDP{100.121.10.10:60074 > 192.168.2.10:53} 70 ok

Log Routing Requirements

The pack supports three ways of routing logs to the correct processing pack; select one of them.

Option 1 (via device name):

  • The name of the pfSense/OPNsense device must start with pfSense or OPNsense. (Note that these prefixes are case sensitive.)

Option 2 (via static field):

  • The required field name is RoutedFrom, and the required value is Route - PFSense Logs. Both values are case sensitive.

Option 3 (via specific input):

  • A pfSense/OPNsense-specific input on the Graylog server combined with an Illuminate lookup override can also be configured.

Graylog Server Configuration for a Specific Input

1. Create a new Syslog input and choose an unused port. (If an input already exists that only handles pfSense/OPNsense logs, use that input. If using a new or existing forwarder, create a new input as part of the forwarder setup process or use the input already associated with an existing forwarder.)

2. Once created, select Show received messages to obtain the input ID. This opens a search window with the "All Time" timeframe. If there is a large number of logs, you might want to narrow the timeframe to speed up the process.

3. Copy the gl2_source_input value.

4. Navigate to Enterprise > Illuminate and click on the Customization tab.

5. Locate lookup_adapter_input_routing and select Edit. For the content_name key, enter pfsense_firewall. For the input_id value, enter the gl2_source_input ID copied earlier.

6. Click Configure value to confirm.

All logs sent to the configured input will now be identified as pfSense/OPNsense logs, which allows Illuminate to process them correctly.

pfSense/OPNsense Configuration

1. Enable remote logging on pfSense/OPNsense and configure your logging target.

2. Select the logs you want to forward. Some services only produce logs after a setting within that service has been enabled, and most log sources are not activated by default. Some services, such as unbound/dns, produce a high volume of logs.

3. Set the Hostname to the IP address of your Graylog server.

4. Set a port. (Note that it must match a Syslog input in Graylog.) The default protocol is udp.

5. Select or enable syslog rfc5424.
What is Provided

  • Rules to normalize and enrich pfSense and OPNsense log messages.

pfSense/OPNsense Log Message Processing

The Illuminate processing of pfSense/OPNsense log messages provides the following:

  • Field extraction, normalization, and message enrichment for pfSense/OPNsense log messages.

  • GIM categorization of the following messages:

Event Type               GIM Category      GIM Subcategory
DHCPACK                  dhcp              dhcp.acknowledgement
DHCPREQUEST              dhcp              dhcp.request
DHCPOFFER                dhcp              dhcp.offer
DHCPDISCOVER             dhcp              dhcp.discovery
network traffic          http              http communication
GUI login                authentication    authentication.logon
GUI logout               authentication    authentication.logoff
ssh login                authentication    authentication.logon
pw_admin_change          iam               iam.object modify
pw_user_change           iam               iam.object modify
login_failed             authentication    authentication.logon
created user             iam               iam.object modify
deleted user             iam               iam.object modify
snort alert              alert             alert.default
suricata alert           alert             alert.default
sshguard attack alert    alert             alert.default
ipv4 traffic             network           network.network connection
ipv6 traffic             network           network.network connection
tailscale connection     network           network.network connection
squid connection         network           network.default
ipv4 icmp traffic        network           network.default
ipv6 icmp traffic        network           network.default
ipv4 igmp traffic        network           network.default
snmpd connection         network           network.default
dns query                name resolution   dns query

pfSense/OPNsense Spotlight Content Pack

The pfSense/OPNsense Spotlight Content Pack offers two dashboards: an overview dashboard and a dashboard for filterlog events and alerts.