This is a set of extractors for use within Graylog, to parse the output of
Pfsense filter logs.
- Open the Graylog administrative interface
- Open the "System/Inputs" menu
- Select "Inputs"
- Select "Manage Extractors" for the input that receives Pfsense logs
- Select "Actions" menu
- Select "Import extractors"
- Paste the contents of extractors.json into the text box
- Select the button "Add extractors to input"
- Open your Graylog search
- Search for
- The search results should now be showing all TCP/UDP/ICMP data as separate fields
This is intended to be a complete implementation of the Pfsense BNF output
Note that a few of the icmp return types are not yet implemented, due to me
not yet having example traffic to test them against!
I tried a few other sets of Graylog content packs and extractors. However the
ones I tried had a lot of embedded regexp and pattern duplication. This caused
them to miss multiple pfsense filter messages.
The rules in this repository are instead intended to parse as much as possible.
This allows them to be easily extended further, should the specifications
evolve. This also makes it less likely for an overly-specific rule to
completely miss parsing an entire pfsense log line.
These extractors generate a lot of extra/intermediate fields. This may be
overly verbose, or it may aid in debugging/extending, depending on your point