NEW Elastic Agent has official experimental support for pfSense #382
Replies: 5 comments 5 replies
-
@ObjectiveTruth - Thanks! I just took a look and it appears they reaped this repo (the dashboards are exactly the same, many of the fields are similar, but it's all good). Hopefully it grows out of the experimental stage and adds support to OPNsense. This project is coming to an end but glad it will be natively supported by @elastic.
-
Not to tell you how to use your time, but on a very initial glance, this has a definite feeling of "tick the box" and not actually being too focused on the results. Just the first example I've found so far - assuming UDP syslog for Suricata along with everything else has Known Bad consequences.
-
The elastic repo. Again, I’ve only taken a cursory look, maybe it’s documented somewhere.
And yes, I agree an acknowledgement would have been very appropriate. Sadly, I’m not somewhere with any Elastic sales pressure anymore, or I’d have a Pointed Discussion about that.
From: Andrew ***@***.***>
Sent: Saturday, January 1, 2022 10:18 AM
To: pfelk/pfelk ***@***.***>
Cc: Bruce Howells ***@***.***>; Mention ***@***.***>
Subject: Re: [pfelk/pfelk] NEW Elastic Agent has official experimental support for pfSense (Discussion #382)
@BruceHowells <https://github.com/BruceHowells> are you referring to this repo or the elastic integration?
-
Looks like they gave you a shout out
Taken from the pfsense/opnsense elasticsearch integrations page! 👏
-
I was trying the downstream / elastic version a few times now but I'm not sure if it works all that well. Please keep your pretty repo alive, no matter if you can do changes :-)
-
Hey All,
I love this project and use it in my homelab. It's been unbelievably useful.
I was playing around with Elasticsearch (upgrading) and I noticed the new pfSense integration being officially supported!
Not sure if this will deprecate this project or if there can be mutual learning from both, but thought I'd leave it here. Don't shoot the messenger! BTW this includes dashboards.
Currently the integration supports parsing the Firewall, Unbound, DHCP Daemon, OpenVPN, IPsec, and HAProxy logs. All other events will be dropped.
https://github.com/elastic/integrations/tree/master/packages/pfsense