I recently came across a blog post that inspired me to install ELK on a server and pipe the log data to it from pfsense. Fantastic article, fantastic dashboard and wonderful inspiration. I banged my way through things armed with the blog post and several Internet searches. In the end I now have this to admire at will:
I have made several modifications along the way, as I plan to break out and visualize much more than just the firewall data seen in the above screenshot. More to come on that later, hopefully!
Some reference pages:
- Kibana Logstash ElasticSearch | Unindexed Fields
And the author of the original post that inspired me to get moving is working on updates:
I changed the map display from “Scaled Circle Markers” to a heat map. It looks much nicer:
Tracking other events by time:
The grok patterns file can be found HERE
Logstash configuration files:
There is a section at the bottom of the patterns file for RADIUS log entries. I have it commented out, as pfSense is no longer acting as my RADIUS server. The more recent versions of FreeRADIUS properly support TLS, and those are not available on pfSense as of yet. The largest issue this causes is that Android 6.x clients cannot authenticate.
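The patterns file and Logstash configs are linked rather than reproduced, so the block below is an added example, not the author's grok file or pipeline config: it does in plain Python what a grok or csv filter in that pipeline does for the firewall log, splitting a pfSense filterlog syslog line into named fields and then counting blocked inbound hits per source address, which is the data behind the map above. It assumes the pfSense 2.2+ filterlog CSV layout (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then IP-version-specific and protocol-specific columns); the interface name igb0 and the sample log lines are constructed, not captured.

```python
"""Field out pfSense filterlog lines the way a Logstash grok/csv filter would.

Added example, not the author's patterns file. The column layout is assumed to
be pfSense's 2.2+ filterlog CSV format. All sample lines are constructed.
"""
import re
from collections import Counter

# Syslog prefix as it arrives from pfSense; everything after "filterlog: " is CSV.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"filterlog(?:\[\d+\])?: (?P<csv>.*)$"
)

# Column names, in filterlog order (assumed pfSense 2.2+ layout).
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto",
        "length", "src_ip", "dst_ip"]
IPV6 = ["class", "flow_label", "hop_limit", "proto", "proto_id", "length",
        "src_ip", "dst_ip"]
TCP = ["src_port", "dst_port", "data_len", "tcp_flags", "seq", "ack",
       "window", "urg", "tcp_options"]
UDP = ["src_port", "dst_port", "data_len"]


def parse_filterlog(line):
    """Return a dict of named fields, or None if the line is not a filterlog entry."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    parts = m.group("csv").split(",")
    if len(parts) < len(COMMON):
        return None  # truncated line: refuse rather than guess columns
    ev = {"timestamp": m.group("ts"), "host": m.group("host")}
    ev.update(zip(COMMON, parts))
    rest = parts[len(COMMON):]

    # The IP version selects the next block of columns.
    ip_fields = {"4": IPV4, "6": IPV6}.get(ev["ipver"])
    if ip_fields is None or len(rest) < len(ip_fields):
        ev["unparsed"] = ",".join(rest)
        return ev
    ev.update(zip(ip_fields, rest))
    rest = rest[len(ip_fields):]

    # The protocol selects the tail. zip() stops at the shorter side, so a
    # short tail simply leaves those keys unset instead of raising.
    proto = ev["proto"].lower()
    if proto == "tcp":
        ev.update(zip(TCP, rest))
    elif proto == "udp":
        ev.update(zip(UDP, rest))
    else:
        ev["unparsed"] = ",".join(rest)  # icmp, carp, ... not modelled here
    return ev


def blocked_inbound_by_source(lines, iface="igb0"):
    """Count blocked inbound events per source IP on one interface (the map's data)."""
    hits = Counter()
    for line in lines:
        ev = parse_filterlog(line)
        if ev is None or ev.get("src_ip") is None:
            continue
        if ev["action"] == "block" and ev["direction"] == "in" and ev["iface"] == iface:
            hits[ev["src_ip"]] += 1
    return hits


# Constructed sample lines (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_LINES = [
    "Mar  3 10:15:01 pfsense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,57,21345,0,none,6,tcp,60,198.51.100.23,203.0.113.10,51234,22,0,S,3141592653,,29200,,mss;sackOK;TS;nop;wscale",
    "Mar  3 10:15:02 pfsense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,57,21346,0,none,6,tcp,60,198.51.100.23,203.0.113.10,51235,23,0,S,3141592700,,29200,,mss;sackOK;TS;nop;wscale",
    "Mar  3 10:15:03 pfsense filterlog: 7,,,1000000105,igb0,match,block,in,4,0x0,,115,0,0,none,17,udp,78,192.0.2.77,203.0.113.10,5353,5353,58",
    "Mar  3 10:15:04 pfsense filterlog: 12,,,1000000110,igb1,match,pass,out,4,0x0,,64,41300,0,DF,6,tcp,60,10.0.0.15,203.0.113.50,44120,443,0,S,1122334455,,65535,,mss;sackOK;TS;nop;wscale",
    "Mar  3 10:15:05 pfsense filterlog: 9,,,1000000108,igb0,match,block,in,6,0x00,0x00000,64,TCP,6,40,2001:db8::1,2001:db8:1::10,40000,25,0,S,987654321,,64800,,",
    "Mar  3 10:15:06 pfsense sshd[1234]: Accepted publickey for admin from 10.0.0.15 port 50000 ssh2",
]

if __name__ == "__main__":
    for src, n in blocked_inbound_by_source(SAMPLE_LINES).most_common():
        print(f"{src:20} {n}")
```

The parser deliberately returns partial records with an `unparsed` field instead of raising, which is what you want in a log pipeline: one odd line (a protocol the patterns do not cover, or a line truncated by syslog) should not stall the rest of the batch. The per-source counts are what a GeoIP lookup then turns into the heat map.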
I had to rebuild my ELK server (unexplained death). After some reading I have exported the external firewall dashboard. The file can be found here
- Saved Searches Export – here