20-interfaces.conf / network.name does not display on ELK

[s0p4LiN]

Hello a3ilson,

I have setted a pfelk for our old pfsense 2.4.4p3, the logs are coming in but it seems I can't see the network.name section.
I use only firewall-1 conf.

# 20-interfaces.conf
################################################################################
# Version: 22.01                                                               #
# Required: No - Optional                                                      #
# Description: Adds interface.alias and network.name based on interface.name   #
# The interface.alias and network.name fields may be amended as desired        #
################################################################################
#
### firewall-1 ###
filter {
  if [host][name] == "first.network.local" {
    ### Change interface as desired ###
    if [interface][name] =~ /^vmx2$/ {
      mutate {
        add_field => { "[interface][alias]" => "WAN1" }
        add_field => { "[network][name]" => "MOJI" }
      }
    }
    ### Change interface as desired ###
    if [interface][name] =~ /^vmx1$/ {
      mutate {
        add_field => { "[interface][alias]" => "LAN1" }
        add_field => { "[network][name]" => "PARIS" }
      }
    }
    ### Change interface as desired ###
    if [interface][name] =~ /^vmx0$/ {
      mutate {
        add_field => { "[interface][alias]" => "WAN2" }
        add_field => { "[network][name]" => "FREE" }
      }
    }
    ### Change interface as desired ###
    if [interface][name] =~ /^em0$/ {
      mutate {
        add_field => { "[interface][alias]" => "LAN2" }
        add_field => { "[network][name]" => "ANGOU" }
      }
    }
   ### Change interface as desired ###
    if [interface][name] =~ /^ovpns3$/ {
      mutate {
        add_field => { "[interface][alias]" => "OPENVPN" }
        add_field => { "[network][name]" => "VPNREMOTE" }
      }
    }
    ### Change interface as desired ###
    if [interface][name] =~ /^ovpns1$/ {
      mutate {
        add_field => { "[interface][alias]" => "OPENVPN" }
        add_field => { "[network][name]" => "VPNLANTOLAN" }
      }
    }
     ### Change interface as desired ###
    if [interface][name] =~ /^lo0$/ {
      mutate {
        add_field => { "[interface][alias]" => "Link-Local" }
        update => { "[network][direction]" => "%{[network][direction]}bound" }
        update => { "[network][type]" => "ipv%{[network][type]}" }
      }
    }
    ### Fallback interface ###
    if ![interface][alias] and [interface][name] {
        mutate {
          add_field => { "[interface][alias]" => "%{[interface][name]}" }
          add_field => { "[network][name]" => "%{[interface][name]}" }
      }
    }
  }
}

And as you can see below, there is no network.name

The interface name is displayed.

I have another pfELK for pfsense 2.5.2 and it works like a charm, is it because of the 2.4.4p3 version ?

[s0p4LiN]

The other pfelk working is on version 20.10 and the one I use for pfsense 2.4.4p3 is on 22.01

[a3ilson]

@n4rkip0d - the update to version 22.01 removed the multiple listening ports and the various types (e.g. firewall-1, firewall-2 etc...). With the 20-interfaces.conf you'll need to update line 11 (if [host][name] == "first.network.local" {) to the hostname of your pfSesne instance. So if your hostname was my.pfsense.net it would look like: if [host][name] == "my.pfsense.net" {

This will work with pfSense 2.5.0+ but prior versions do not contain the hostname in the remote logs. Ideally the would best solution would be for @pfsense to utilize syslog-ng rather than old/superseded formats.

The solution would be to update pfSense or I can create a modified 20-interfaces.conf file for you setup. Is the pfelk instance listening for multiple pfSense logs or just one?

[s0p4LiN]

Thank you, yes I changed the condition with my 2.4.4p3 pfsense hostname, but as you said, it is a prior version,it can not detect hostname in the logs.

The pfelk instance is only listening for my 2.4.4p3 instance. If you have a modified 20-interfaces.conf that will display the interface name, I will not refuse this kind of help :)

We have a second pfelk instance for our 2.5.2 pfsense hardware firewalls.

[a3ilson]

@n4rkip0d - use the contents below to add a new file named 02-legacy_pfsense_fix.conf and update 20-interfaces.conf to the latest version. Next, amend both 02-legacy_pfsense_fix.conf and 20-interfaces.conf host.name value from first.network.local to any desired name.

# 02-types.conf
################################################################################
# Version: 22.CUSTOM                                                           #
# Required: Yes                                                                #
# Description: For use with pfSense <2.5.0 and those using pfSense >2.5.0 with #
# default 'Log Message Format' set to 'BSD (RFC 3164, default' - pfSense       #
# update to syslog-ng and get with the times.                                  #
################################################################################
#
filter {
  if [type] == "firewall" {
    mutate {
      add_field => [ "[host][name]", "first.network.local" ]
    }
  }
}

[s0p4LiN]

Thank you ! I will check if it works.