Hi, currently in the PFSense integration everything that is not recognized by the pipeline is being dropped. So I am missing quite a few logs. Now I am new to these integrations and don't know how to properly request such changes. In my testing environment I made changes to get the SNORT messages processed. I think the following changes are needed to start accepting/parsing basic SNORT messages. Maybe someone can take a look at this and test/merge these changes to the pfsense integration?
https://github.com/elastic/integrations/blob/main/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/default.yml between line 88 and 89 add:
change line 90:
if: '!["filterlog", "openvpn", "charon", "dhcpd", "dhclient", "dhcp6c", "unbound", "haproxy", "php-fpm", "squid", "snort"].contains(ctx.event?.provider)'
add a new file called "snort.yaml" in location: https://github.com/elastic/integrations/tree/main/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline
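To make the proposed change concrete, here is an added example (my own prototype, not code from the post or from the elastic/integrations pfSense package) that mirrors the two pieces of logic the request touches: the provider allow-list in the drop condition, and the field extraction a `snort.yaml` sub-pipeline would have to perform on a Snort alert. The sample messages are constructed in the shape of Snort's `alert_syslog` output as pfSense forwards it (gid:sid:rev, message, optional classification, priority, protocol, source and destination); that layout and the ECS field names are my assumptions, not something the post specifies. It also covers two edge cases the real pipeline has to handle: an ICMP alert that carries no ports, and a document whose `event.provider` is unset, which the Painless `contains` check drops.

```python
import re
from typing import Optional

# Provider allow-list from the proposed drop condition (with "snort" added).
PROVIDERS = ["filterlog", "openvpn", "charon", "dhcpd", "dhclient",
             "dhcp6c", "unbound", "haproxy", "php-fpm", "squid", "snort"]


def is_dropped(provider: Optional[str]) -> bool:
    """Python equivalent of the Painless condition
    !PROVIDERS.contains(ctx.event?.provider): an unknown or missing
    provider is dropped, a listed one is kept."""
    return provider not in PROVIDERS


# Constructed sample lines in the assumed alert_syslog layout (not real alerts).
SAMPLE_LINES = [
    "[1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
    "198.51.100.10:80 -> 192.0.2.25:51234",
    "[1:408:8] ICMP Echo Reply [Classification: Misc activity] "
    "[Priority: 3] {ICMP} 192.0.2.25 -> 198.51.100.10",
    "not a snort alert at all",
]

# IPv4 only: an IPv6 address with a port would need a different grammar.
_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
SNORT_ALERT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9-]+)\}\s+"
    rf"(?P<src_ip>{_IPV4})(?::(?P<src_port>\d+))?\s+->\s+"
    rf"(?P<dst_ip>{_IPV4})(?::(?P<dst_port>\d+))?$"
)


def parse_snort_alert(message: str) -> Optional[dict]:
    """Extract ECS-style fields (assumed mapping) from one Snort alert line.
    Returns None when the line does not look like an alert, so the caller
    can decide whether to keep the raw message instead of dropping it."""
    m = SNORT_ALERT_RE.match(message)
    if m is None:
        return None
    f = m.groupdict()
    event = {
        "event.kind": "alert",
        "event.provider": "snort",
        "rule.id": f"{f['gid']}:{f['sid']}:{f['rev']}",
        "rule.name": f["msg"],
        "event.severity": int(f["priority"]),
        "network.transport": f["proto"].lower(),
        "source.ip": f["src_ip"],
        "destination.ip": f["dst_ip"],
    }
    if f["classification"]:
        event["rule.category"] = f["classification"]
    # ICMP alerts have no ports, so these fields are only set when present.
    if f["src_port"]:
        event["source.port"] = int(f["src_port"])
    if f["dst_port"]:
        event["destination.port"] = int(f["dst_port"])
    return event


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_snort_alert(line))
```

Running the block prints a parsed dict for the two alert lines and `None` for the third; the regex is the part that would be translated into the grok pattern of the new sub-pipeline, and the `None` path is where an `on_failure` handler or a fallback `message`-only document belongs.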