Splunking pfSense

I’ve decided to switch to Splunk for my syslog parser. I was using Syslog Watcher, but I realized that I need something I can customize to correctly parse the data coming from pfSense. The reason is the way pfSense generates its firewall events: each event is split across two lines instead of one, and this format causes problems for many popular syslog and SIEM applications. Combining the two lines into a single event is required if you want to do proper analytics and reporting. With just a few tweaks, Splunk handles the parsing the way I want it to.

I run Splunk 6.1 Enterprise on a CentOS server. The RPMs can be found on splunk.com.

Here is a link to a YouTube video that gives a quick run-through of the installation:
Installing Splunk 6 on Linux (CentOS, Red Hat).

A few commands and things to note:

Start/Stop/Restart Splunk

$SPLUNK_HOME/bin/splunk start (or stop, restart)

Configure Splunk to start at boot time with a startup (init) script
$SPLUNK_HOME/bin/splunk enable boot-start

Splunk Web listens on port 8000 by default.

How to configure Splunk to handle pfSense data
This is the really cool thing about Splunk. It is the ultimate SIEM application in terms of customization. There are two config files that give you the ability to parse the data and output it the way you want:

props.conf – the line-breaking and line-merging rules that make Splunk treat the two-line pfSense event as a single event, plus the link from the sourcetype to its field extractions.

transforms.conf – the regular expressions that parse each event into the fields you want to see.

Full credit goes to this blog for the awesome regex tailor-made to parse pfSense.
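To make the two jobs concrete, here is an added Python script that does on raw syslog text what the two config files do inside Splunk: first merge the two-line pfSense firewall event into one, then extract the fields the post lists (src_ip, src_port, dest_ip, dest_port, protocol, action). It is example code written for this page, not the author’s Splunk configuration and not the regex from the blog credited above. The sample lines are constructed in the tcpdump-style format that pfSense 2.1-era “pf:” syslog messages use, which is an assumption about the author’s setup; the function and pattern names are mine.

```python
import re
from typing import Dict, Iterable, Iterator, List, Optional

# Constructed sample syslog lines (not taken from the post). They follow the
# two-line, tcpdump-style format that pfSense 2.1-era "pf:" messages use:
# line 1 carries rule/action/interface/protocol, line 2 the addresses.
# The trailing dhcpd line checks that non-firewall messages pass through.
SAMPLE_SYSLOG = """\
Mar 11 11:29:50 pfsense pf: 00:00:00.000010 rule 2/0(match): block in on em0: (tos 0x0, ttl 128, id 5456, offset 0, flags [none], proto UDP (17), length 78)
Mar 11 11:29:50 pfsense pf:     192.168.1.100.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
Mar 11 11:29:51 pfsense pf: 00:00:00.000431 rule 65/0(match): pass in on em1: (tos 0x0, ttl 64, id 31337, offset 0, flags [DF], proto TCP (6), length 60)
Mar 11 11:29:51 pfsense pf:     10.0.0.5.51234 > 93.184.216.34.443: Flags [S], seq 1, win 65535, length 0
Mar 11 11:29:52 pfsense pf: 00:00:00.000120 rule 2/0(match): block in on em0: (tos 0x0, ttl 57, id 999, offset 0, flags [none], proto ICMP (1), length 84)
Mar 11 11:29:52 pfsense pf:     203.0.113.7 > 10.0.0.5: ICMP echo request, id 1, seq 1, length 64
Mar 11 11:29:53 pfsense dhcpd: DHCPACK on 10.0.0.20 to 00:11:22:33:44:55 via em1
"""

# Marker that starts a firewall event. This is the job props.conf does
# (SHOULD_LINEMERGE = true with BREAK_ONLY_BEFORE on this same pattern).
FIRST_LINE_RE = re.compile(r"\bpf:\s+\S+\s+rule\s+\d+/\d+\(match\)")
# Syslog header of a continuation line ("Mar 11 11:29:50 host pf:   "), dropped on merge.
PF_HEADER_RE = re.compile(r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+pf:\s*")

# Field extraction over the merged event. This is the job transforms.conf does.
# Ports are optional because ICMP lines carry bare addresses.
EVENT_RE = re.compile(
    r"^(?P<_time>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+pf:\s+\S+\s+"
    r"rule\s+(?P<rule>\d+/\d+)\(match\):\s+"
    r"(?P<action>pass|block)\s+(?P<direction>in|out)\s+on\s+(?P<interface>\w+):\s+"
    r"\(.*?proto\s+(?P<protocol>[A-Za-z0-9-]+)\s+\(\d+\).*?\)\s+"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<src_port>\d+))?\s+>\s+"
    r"(?P<dest_ip>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dest_port>\d+))?:"
)

# The columns of the table query described in the post.
COLUMNS = ["_time", "src_ip", "src_port", "dest_ip", "dest_port", "protocol", "action"]


def merge_pf_events(lines: Iterable[str]) -> Iterator[str]:
    """Yield one string per syslog event, joining each two-line pf event into one.

    A 'rule N/M(match)' line is held until the next 'pf:' line arrives; that
    line's own syslog header is stripped and its payload appended. A held line
    with no continuation, and any non-pf line, are yielded unchanged.
    """
    pending: Optional[str] = None
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if FIRST_LINE_RE.search(line):
            if pending is not None:
                yield pending
            pending = line
            continue
        header = PF_HEADER_RE.match(line)
        if pending is not None and header:
            yield pending + " " + line[header.end():]
            pending = None
            continue
        if pending is not None:
            yield pending
            pending = None
        yield line
    if pending is not None:
        yield pending


def parse_pf_event(event: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the named fields of a merged firewall event, or None for other events."""
    match = EVENT_RE.match(event)
    return match.groupdict() if match else None


def pfsense_table(syslog_text: str) -> List[Dict[str, Optional[str]]]:
    """Merge, parse and project raw syslog text onto the post's table columns."""
    rows = []
    for event in merge_pf_events(syslog_text.splitlines()):
        fields = parse_pf_event(event)
        if fields is not None:
            rows.append({col: fields[col] for col in COLUMNS})
    return rows


def render_table(rows: List[Dict[str, Optional[str]]]) -> str:
    """Format rows as an aligned text table; a missing value (no port) shows as '-'."""
    widths = {c: max([len(c)] + [len(r[c] or "-") for r in rows]) for c in COLUMNS}
    out = ["  ".join(c.ljust(widths[c]) for c in COLUMNS),
           "  ".join("-" * widths[c] for c in COLUMNS)]
    for r in rows:
        out.append("  ".join((r[c] or "-").ljust(widths[c]) for c in COLUMNS))
    return "\n".join(out)


if __name__ == "__main__":
    print(render_table(pfsense_table(SAMPLE_SYSLOG)))
```

The split between the two functions mirrors the split between the two config files: the merge step is what a props.conf stanza does with SHOULD_LINEMERGE and BREAK_ONLY_BEFORE keyed on the “rule N/M(match)” marker, and EVENT_RE is what goes into a transforms.conf REGEX referenced from the sourcetype with REPORT- (Splunk uses PCRE, so Python’s (?P<name>…) groups become (?<name>…) there). Keeping the ports optional matters: ICMP events have no port, and a pattern that requires one silently drops them from the table.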

Splunk Configuration

  1. Check that pfSense is configured to send log messages to the remote syslog server (Status – System Logs – Settings in the pfSense web GUI).
  2. From the Splunk Web GUI go to Settings – Data inputs – UDP.

This is where Splunk is configured to listen on UDP 514 (syslog). Note that on Linux, binding a port below 1024 requires root privileges, so if splunkd runs as an unprivileged user, pick a high port such as 5514 here and set the same port in pfSense’s remote syslog settings. Here are my custom settings:


  3. Now go to the Search & Reporting app and you will see your indexed data. Click the Data Summary button to open a window listing the various sources Splunk is receiving from.


  4. Use the search field to customize your search. The results can be saved as a report, dashboard or alert. My query displays the results in table format with the fields: _time, src_ip, src_port, dest_ip, dest_port, protocol, action.


The result is pretty neat compared to reading the raw data format.

Here are some helpful Splunk links for Search. I still have some playing around to do to create some nice visually appealing charts and reports. I plan on making some custom search queries to cover various time periods such as: 24hr, week, month and year, to make it easy to pull statistics and perform analytics.

  1. The Search Tutorial
  2. The Search Manual

Happy Splunking 🙂


pfSense – Unified Threat Management Home Lab Project

…on why pfSense makes a lot of Sense: pfsense.org

  • Go far beyond the consumer grade WiFi gateway that sits on the shelf, collects dust and runs outdated firmware. No worries, you can make use of it as an AP.
  • Have an old PC lying around? Turn it into a pfSense box; It’s the green way of thinking.
  • Amazing Features: Stateful Firewall, Hardware Failover, Multi-WAN, Load Balancing, VPN, Dynamic DNS, Captive Portal, DHCP Server etc.
  • Additional 3rd Party Packages: Squid Proxy, Snort IDS/IPS, pfBlocker and more…
  • I highly recommend purchasing a copy of “pfSense – The Definitive Guide”. A great read, props to Chris Buechler and Jim Pingle.
  • Great user community and support to help you when you find yourself banging your fist or head against your desk.

For InfoSec folks it is an awesome project to not only protect the home network but reap the benefits of learning about firewalls, networking, intrusion detection and traffic analysis. I’ve used multi-port NICs and a couple of switches for LAN segmentation so I can test malware and various security tools without disrupting my home network and facing the wrath of my wife for bringing down her Facebook session. “Sorry Honey!”

My current LAB design:


  • pfSense box: Lenovo M58P (SFF), 1TB HDD, 8GB RAM. 3 x LAN ports
  • D-Link DIR-628 WiFi
  • MikroTik RB250GS switch
  • Netgear GS108T switch
  • Custom PC: Asus Maximus V Gene, Core I5, 16GB RAM, 4 x HDD, 3 x LAN port, Host OS = Windows 7 + Mixed Windows/Linux VMs

Additional software:

  • Syslog Watcher – snmpsoft.com  – Syslog parsing and reporting – Running on Windows 7 Host PC
    Replaced with Splunk. See my post
  • Snorby – snorby.org – Snort NIPS monitoring and traffic analysis – Running on CentOS VM

Stay tuned for more…
