OPNSense Extractors

Category: Other Solutions

JSON Extractors for Graylog to parse OPNsense firewall logs

Author: IRQ10 (free)

Published: 17 Jun 11:17

Last Push: 27 Jun 09:01


Comments

irq10-holding 3 months ago

6/27/21 - Hi - I updated the extractors to the new OPNsense format on GitHub. The original ones were based on the Pfsense log reference that OPNsense was using at that time. New versions are updated on observation as I can't locate an updated log reference from OPNsense to cover all possible use cases.

drc-jdunn 3 months ago

Here is what I am using with the new version (21) of OPNSense. Not sure they are 100% correct, but they are working for me.
OLD
Regular expression: \s?filterlog:\s+(.*)$

OPNsense: IPv4 TCP: ^.*\s?filterlog:\s+.*,(in|out),4,.*,tcp,.*$
OPNsense: IPv4 UDP: ^.*\s?filterlog:\s+.*,(in|out),4,.*,udp,.*$
OPNsense: IPv4 ICMP: ^.*\s?filterlog:\s+.*,(in|out),4,.*,icmp,.*,(?!(request|reply|unreachproto|unreachport|unreach|timexceed|paramprob|redirect|maskreply|needfrag|tstamp|tstampreply)),.*$
OPNsense: IPv4 ICMP Echo Type: ^.*\s?filterlog:\s+.*,(in|out),4,.*,icmp,.*,(request|reply),.*$
OPNsense: IPv4 ICMP Unreachproto: ^.*\s?filterlog:\s+.*,(in|out),4,.*,icmp,.*,unreachproto,.*$
OPNsense: IPv4 ICMP Unreachport: ^.*\s?filterlog:\s+.*,(in|out),4,.*,icmp,.*,unreachport,.*$
OPNsense: IPv4 ICMP Other-Unreachable: ^.*\s?filterlog:\s+.*,(in|out),4,.*,icmp,.*,(unreach|timexceed|paramprob|redirect|maskreply),.*$
OPNsense: IPv4 ICMP Needfrag: ^.*\s?filterlog:\s+.*,(in|out),4,.*,icmp,.*,needfrag,.*$
OPNsense: IPv4 ICMP Tstamp: ^.*\s?filterlog:\s+.*,(in|out),4,.*,icmp,.*,tstamp,.*$
OPNsense: IPv4 ICMP Tstamp-reply: ^.*\s?filterlog:\s+.*,(in|out),4,.*,icmp,.*,tstampreply,.*$
OPNsense: IPv6 TCP: ^.*\s?filterlog:\s+.*,(in|out),6,.*,(?i)(tcp),.*$
OPNsense: IPv6 UDP: ^.*\s?filterlog:\s+.*,(in|out),6,.*,(?i)(udp),.*$
OPNsense: IPv6 ICMP: ^.*\s?filterlog:\s+.*,(in|out),6,.*,ICMPv6,.*$

NEW
Regular expression: ^.*\s?filterlog\[[0-9]+\]:\s+(.*)$

OPNsense: IPv4 TCP: ^.*\s?filterlog\[[0-9]+\]:\s+(.*)$+|(in|out),4,.*,tcp,.*$
OPNsense: IPv4 UDP: ^.*\s?filterlog\[[0-9]+\]:\s+(.*)$+|(in|out),4,.*,udp,.*$
OPNsense: IPv4 ICMP: ^.*\s?filterlog\[[0-9]+\]:\s+(.*)$+|(in|out),4,.*,icmp,.*,(?!(request|reply|unreachproto|unreachport|unreach|timexceed|paramprob|redirect|maskreply|needfrag|tstamp|tstampreply)),.*$
OPNsense: IPv4 ICMP Echo Type: ^.*\s?filterlog\[[0-9]+\]:\s+(.*)$+|(in|out),4,.*,(request|reply),.*$
OPNsense: IPv4 ICMP Unreachproto: ^.*\s?filterlog\[[0-9]+\]:\s+(.*)$+|(in|out),4,.*,icmp,.*,unreachproto,.*$
OPNsense: IPv4 ICMP Unreachport: ^.*\s?filterlog\[[0-9]+\]:\s+(.*)$+|(in|out),4,.*,icmp,.*,unreachport,.*$
OPNsense: IPv4 ICMP Other-Unreachable: ^.*\s?filterlog\[[0-9]+\]:\s+(.*)$+|(in|out),4,.*,icmp,.*,(unreach|timexceed|paramprob|redirect|maskreply),.*$
OPNsense: IPv4 ICMP Needfrag: ^.*\s?filterlog\[[0-9]+\]:\s+(.*)$+|(in|out),4,.*,icmp,.*,needfrag,.*$
OPNsense: IPv4 ICMP Tstamp: ^.*\s?filterlog\[[0-9]+\]:\s+(.*)$+|(in|out),4,.*,icmp,.*,tstamp,.*$
OPNsense: IPv4 ICMP Tstamp-reply: ^.*\s?filterlog\[[0-9]+\]:\s+(.*)$+|(in|out),4,.*,icmp,.*,tstampreply,.*$
OPNsense: IPv6 TCP: ^.*\s?filterlog\[[0-9]+\]:\s+(.*)$+|(in|out),6,.*,(?i)(tcp),.*$
OPNsense: IPv6 UDP: ^.*\s?filterlog\[[0-9]+\]:\s+(.*)$+|(in|out),6,.*,(?i)(udp),.*$
OPNsense: IPv6 ICMP: ^.*\s?filterlog\[[0-9]+\]:\s+(.*)$+|(in|out),6,.*,ICMPv6,.*$

Hope it helps, and others can validate that they are correct.
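The following is an added worked example, not code from the IRQ10 extractors, the listing, or either comment. It runs Graylog-style condition regexes for the OPNsense 21.x "filterlog[<pid>]:" format over constructed log lines and reports which protocol bucket each line falls into, so the regexes can be validated offline before they go into an extractor. Assumptions: the syslog prefix is "filterlog[<pid>]:", the filterlog CSV layout follows the pfSense reference the first comment mentions (..., direction, ip-version, tos, ecn, ttl, id, offset, flags, proto-id, proto-text, length, src, dst, protocol-specific fields; IPv6 puts proto-text before proto-id in upper case), the condition patterns are my adaptation of the structure of the OLD list above with the new prefix, and every log line is constructed for illustration rather than captured from a firewall. The scoped flag "(?i:tcp)" replaces the mid-pattern "(?i)" because Python rejects the latter; Java accepts both.

```python
import re

# Constructed sample syslog lines (not real captures).  Pre-21.x OPNsense
# tags the program as "filterlog:", 21.x as "filterlog[<pid>]:".
PREFIX_NEW = "<134>Jun 27 09:01:02 fw filterlog[48215]: "
PREFIX_OLD = "<134>Jun 27 09:01:02 fw filterlog: "
# Assumed IPv4 head: rule,subrule,anchor,tracker,if,reason,action,dir,ipver,tos,ecn,ttl,id,offset,flags,
HEAD4 = "5,,,1000000103,igb0,match,block,in,4,0x0,,64,12345,0,DF,"
# Assumed IPv6 head: ...,dir,ipver,class,flowlabel,hlim,proto-text,proto-id,
HEAD6 = "5,,,1000000103,igb0,match,block,in,6,0x00,0x00000,40,TCP,6,"

SAMPLES = {
    "tcp4":     PREFIX_NEW + HEAD4 + "6,tcp,60,203.0.113.7,198.51.100.2,51234,22,0,S,1234567890,,65535,,mss",
    "udp4":     PREFIX_NEW + HEAD4 + "17,udp,76,203.0.113.7,198.51.100.2,40000,53,56",
    "icmp_req": PREFIX_NEW + HEAD4 + "1,icmp,84,203.0.113.7,198.51.100.2,request,1234,1",
    "icmp_ttl": PREFIX_NEW + HEAD4 + "1,icmp,56,203.0.113.7,198.51.100.2,timexceed",
    # "routeradvert" stands in for any ICMP type the enumerated list does not name.
    "icmp_odd": PREFIX_NEW + HEAD4 + "1,icmp,56,203.0.113.7,198.51.100.2,routeradvert",
    "tcp6":     PREFIX_NEW + HEAD6 + "60,2001:db8::7,2001:db8::2,51234,22,0,S,1,,65535,,mss",
    "old_tcp4": PREFIX_OLD + HEAD4 + "6,tcp,60,203.0.113.7,198.51.100.2,51234,22,0,S,1234567890,,65535,,mss",
}

# Extractor regex: capture the CSV payload after "filterlog[<pid>]:".
EXTRACT = re.compile(r"^.*\s?filterlog\[[0-9]+\]:\s+(.*)$")

# Prefix shared by every condition regex (same shape as the OLD list, new program tag).
C = r"^.*\s?filterlog\[[0-9]+\]:\s+.*"
ICMP_TYPES = (r"request|reply|unreachproto|unreachport|unreach|timexceed|"
              r"paramprob|redirect|maskreply|needfrag|tstamp|tstampreply")

# Evaluated in order; the first match wins, so specific ICMP types come before the catch-all.
CONDITIONS = [
    ("IPv4 TCP", re.compile(C + r",(in|out),4,.*,tcp,.*$")),
    ("IPv4 UDP", re.compile(C + r",(in|out),4,.*,udp,.*$")),
    ("IPv4 ICMP Echo Type", re.compile(C + r",(in|out),4,.*,icmp,.*,(request|reply),.*$")),
    ("IPv4 ICMP Other-Unreachable",
     re.compile(C + r",(in|out),4,.*,icmp,.*,(unreach|timexceed|paramprob|redirect|maskreply)(,.*)?$")),
    ("IPv4 ICMP Needfrag", re.compile(C + r",(in|out),4,.*,icmp,.*,needfrag(,.*)?$")),
    # Catch-all for ICMP types not enumerated above.  The type is located by
    # position (icmp,length,src,dst,type) so the negative lookahead is applied
    # to the type field itself rather than after a backtracking ".*".
    ("IPv4 ICMP", re.compile(C + r",(in|out),4,.*,icmp,[^,]*,[^,]*,[^,]*,"
                             r"(?!(?:" + ICMP_TYPES + r")(?:,|$))[^,]+(,.*)?$")),
    ("IPv6 TCP", re.compile(C + r",(in|out),6,.*,(?i:tcp),.*$")),
    ("IPv6 UDP", re.compile(C + r",(in|out),6,.*,(?i:udp),.*$")),
    ("IPv6 ICMP", re.compile(C + r",(in|out),6,.*,ICMPv6,.*$")),
]

# Same lookahead-between-two-commas shape as the posted IPv4 ICMP condition.
# Because the lookahead is zero-width, the two literal commas must be adjacent,
# so this only matches ICMP lines that contain an empty field after "icmp".
PAGE_SHAPE_ICMP_ANY = re.compile(C + r",(in|out),4,.*,icmp,.*,(?!(" + ICMP_TYPES + r")),.*$")


def extract_payload(line):
    """Return the CSV payload after 'filterlog[<pid>]:', or None for other lines."""
    m = EXTRACT.match(line)
    return m.group(1) if m else None


def classify(line):
    """Return the name of the first condition whose regex matches, or None."""
    for name, rx in CONDITIONS:
        if rx.match(line):
            return name
    return None


def page_shape_matches(line):
    """True if the comma-lookahead-comma catch-all matches the line."""
    return PAGE_SHAPE_ICMP_ANY.match(line) is not None


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        payload = "yes" if extract_payload(line) else "no"
        print(f"{name:9} payload={payload:3} bucket={classify(line)}")
```

Running it shows the old-format line is rejected by the new extractor, each new-format line lands in one bucket, and the unlisted ICMP type only reaches the catch-all when the type field is checked by position; the comma-lookahead-comma form matches the same line only once an empty field (",,") is appended to it.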
