datapunctum / TA-pfsense

Splunk Technology Add-On for pfsense
Apache License 2.0
11 stars 10 forks

TA-pfsense 2.5.0 not parsing logs from pfSense 2.5.1 #15

Open samsclub91 opened 3 years ago

samsclub91 commented 3 years ago

I have set up a completely new Splunk instance to start collecting logs from my pfSense boxes in a single place, the ONLY thing on this Splunk instance right now is one UDP collector and the TA-pfsense app. For some reason the app is not correctly reading the logs and changing the sourcetype or filtering out the data. I have searched around and tried several things with no luck and even tried changing the couple of lines @michaelw committed in his pull request. Below is a sample of one of the filterlog lines being received by Splunk. Any advice to correct this is appreciated!

1 2021-08-11T07:55:49.751841-05:00 RT-TEST04 filterlog 34723 - - 62,,,1531346714,vmx0,match,pass,in,4,0x0,,63,49205,0,DF,6,tcp,60,10.20.0.238,10.20.1.30,53048,10050,0,S,601779722,,64240,,mss;sackOK;TS;nop;wscale

jsanagustin commented 2 years ago

If you haven't figured it out by now...

I was also having problems getting logs to parse. I almost gave up when I saw that your issue didn't have any responses. I had only been testing with one instance of pfsense. I decided to have another pfsense send logs to Splunk as well. To my surprise I saw its logs were being parsed. So I compared the log settings between the two pfsense instances. I saw that the pfsense whose logs were being parsed had its log message format set to BSD. I set the other pfsense to use the BSD format instead of syslog and that fixed it.
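The difference between the two settings is visible in the header of the sample line in the first post: it starts with a version digit `1` and an ISO timestamp (the RFC 5424 "syslog" format), whereas the BSD format starts with `Mon DD HH:MM:SS host filterlog[pid]:`. The `filterlog` CSV payload after the header is identical in both. The following is an added example, not code from TA-pfsense, showing how to recognise both headers and parse the payload fields so you can verify what your forwarder is actually receiving; the RFC 5424 line is the one from the first post, the BSD line is a rendering of the same event that I constructed for this example, and the field names are my own rather than the TA's.

```python
import re

# Sample inputs. RFC5424_LINE is the line posted in the issue; BSD_LINE is a
# constructed BSD-format rendering of the same filterlog event.
RFC5424_LINE = ("1 2021-08-11T07:55:49.751841-05:00 RT-TEST04 filterlog 34723 - - "
                "62,,,1531346714,vmx0,match,pass,in,4,0x0,,63,49205,0,DF,6,tcp,60,"
                "10.20.0.238,10.20.1.30,53048,10050,0,S,601779722,,64240,,mss;sackOK;TS;nop;wscale")
BSD_LINE = ("Aug 11 07:55:49 RT-TEST04 filterlog[34723]: "
            "62,,,1531346714,vmx0,match,pass,in,4,0x0,,63,49205,0,DF,6,tcp,60,"
            "10.20.0.238,10.20.1.30,53048,10050,0,S,601779722,,64240,,mss;sackOK;TS;nop;wscale")

# BSD header: "Aug 11 07:55:49 host app[pid]: message" (optional <PRI> prefix).
BSD_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# RFC 5424 header: "1 ISO-timestamp host app pid msgid structured-data message".
RFC5424_RE = re.compile(
    r"^(?:<\d+>)?1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) \S+ "
    r"(?:-|\[.*?\]) (?P<msg>.*)$")

# filterlog CSV layout (common prefix, then per-IP-version, then per-protocol).
COMMON = ["rule_number", "sub_rule_number", "anchor", "tracker", "interface",
          "reason", "action", "direction", "ip_version"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protocol_id", "protocol",
        "length", "src_ip", "dst_ip"]
IPV6 = ["class", "flow_label", "hop_limit", "protocol", "protocol_id", "length",
        "src_ip", "dst_ip"]
TCP = ["src_port", "dst_port", "data_length", "tcp_flags", "sequence_number",
       "ack_number", "window", "urg", "options"]
UDP = ["src_port", "dst_port", "data_length"]


def detect_format(line):
    """Return 'bsd', 'rfc5424' or None depending on the syslog header style."""
    if BSD_RE.match(line):
        return "bsd"
    if RFC5424_RE.match(line):
        return "rfc5424"
    return None


def parse_filterlog(msg):
    """Split the filterlog CSV payload into named fields (IPv4/IPv6, TCP/UDP)."""
    parts = msg.split(",")
    fields = dict(zip(COMMON, parts))
    rest = parts[len(COMMON):]
    if fields.get("ip_version") == "4":
        names = IPV4
    elif fields.get("ip_version") == "6":
        names = IPV6
    else:
        raise ValueError("unknown ip_version in filterlog payload: %r" % fields.get("ip_version"))
    fields.update(zip(names, rest))
    rest = rest[len(names):]
    proto = fields.get("protocol", "").lower()
    if proto == "tcp":
        fields.update(zip(TCP, rest))
    elif proto == "udp":
        fields.update(zip(UDP, rest))
    # ICMP and other protocols keep only the common/IP fields here.
    return fields


def parse_line(line):
    """Parse a full syslog line in either format; returns None for unknown headers."""
    fmt = detect_format(line)
    if fmt is None:
        return None
    m = (BSD_RE if fmt == "bsd" else RFC5424_RE).match(line)
    result = {"format": fmt, "host": m.group("host"), "app": m.group("app"),
              "pid": m.group("pid"), "fields": None}
    if m.group("app") == "filterlog":
        result["fields"] = parse_filterlog(m.group("msg"))
    return result


if __name__ == "__main__":
    for line in (RFC5424_LINE, BSD_LINE):
        r = parse_line(line)
        f = r["fields"]
        print(r["format"], r["host"], f["action"], f["interface"],
              f["src_ip"], f["dst_ip"], f.get("dst_port"))
```

Running this against a handful of raw lines captured from the UDP input (before any sourcetype transforms) tells you immediately which header style each pfSense box is sending; if `detect_format` reports `rfc5424`, the firewall is still on the syslog setting the two comments above describe switching away from.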

jrockstedt commented 2 years ago

I had the same issue that the log format was in syslog and not BSD. It would be nice if this is updated in the readme file.