{ "name":"PFsense Content Pack", "description":"Input, Extractors, Streams, Lookup Table, Data Adapter and Cache Adapter", "category":"Firewall", "inputs":[ { "id":"5a982448687cf8128c10ce6e", "title":"Pfsense-Logs", "configuration":{ "expand_structured_data":false, "recv_buffer_size":262144, "port":5442, "override_source":null, "force_rdns":false, "allow_override_date":true, "bind_address":"0.0.0.0", "store_full_message":false }, "static_fields":{ }, "type":"org.graylog2.inputs.syslog.udp.SyslogUDPInput", "global":false, "extractors":[ { "title":"PFsenseExtractor", "type":"GROK", "cursor_strategy":"COPY", "target_field":"", "source_field":"message", "configuration":{ "grok_pattern":"%{PFSENSE_LOG_ENTRY}" }, "converters":[ ], "condition_type":"NONE", "condition_value":"", "order":0 }, { "title":"Port to Service Name", "type":"LOOKUP_TABLE", "cursor_strategy":"COPY", "target_field":"PortServiceName", "source_field":"dest_port", "configuration":{ "lookup_table_name":"Service Port Translator" }, "converters":[ ], "condition_type":"NONE", "condition_value":"", "order":0 }, { "title":"Source Port Name", "type":"LOOKUP_TABLE", "cursor_strategy":"COPY", "target_field":"src_port_name", "source_field":"src_port", "configuration":{ "lookup_table_name":"Service Port Translator" }, "converters":[ ], "condition_type":"NONE", "condition_value":"", "order":0 } ] } ], "streams":[ { "id":"5a9827f4687cf8128c10d272", "title":"pfsense logs", "description":"Pfsense Logs Stream", "disabled":false, "matching_type":"AND", "stream_rules":[ { "type":"CONTAINS", "field":"source", "value":"filterlog", "inverted":false, "description":"" } ], "outputs":[ ], "default_stream":false } ], "outputs":[ ], "dashboards":[ ], "grok_patterns":[ { "name":"PFSENSE_ICMP_TSTAMP", "pattern":"%{INT:icmp_tstamp_id},%{INT:icmp_tstamp_sequence}" }, { "name":"PFSENSE_IPv4_SPECIFIC_DATA_ECN", 
"pattern":"(?(4)),%{BASE16NUM:tos},%{INT:ecn},%{INT:ttl},%{INT:id},%{INT:offset},%{WORD:flags},%{INT:proto_id},%{WORD:proto}," }, { "name":"PFSENSE_CARP_DATA", "pattern":"%{WORD:carp_type},%{INT:carp_ttl},%{INT:carp_vhid},%{INT:carp_version},%{INT:carp_advbase},%{INT:carp_advskew}" }, { "name":"PFSENSE_APP_ERROR", "pattern":"webConfigurator (%{DATA:pfsense_ACTION}) for \\'(%{DATA:pfsense_USER})\\' from (%{GREEDYDATA:pfsense_REMOTE_IP})" }, { "name":"PFSENSE_ICMP_UNREACHABLE", "pattern":"%{GREEDYDATA:icmp_unreachable}" }, { "name":"PFSENSE_UDP_DATA", "pattern":"%{INT:src_port},%{INT:dest_port},%{INT:data_length}" }, { "name":"PFSENSE_ICMP_ECHO_REQ_REPLY", "pattern":"%{INT:icmp_echo_id},%{INT:icmp_echo_sequence}" }, { "name":"PFSENSE_IGMP_DATA", "pattern":"datalength=%{INT:data_length}" }, { "name":"PFSENSE_TCP_DATA", "pattern":"%{INT:src_port},%{INT:dest_port},%{INT:data_length},%{WORD:tcp_flags},%{INT:sequence_number},%{INT:ack_number},%{INT:tcp_window},%{DATA:urg_data},%{GREEDYDATA:tcp_options}" }, { "name":"PFSENSE_IP_DATA", "pattern":"%{INT:length},%{IP:src_ip},%{IP:dest_ip}," }, { "name":"PFSENSE_ICMP_NEED_FLAG", "pattern":"%{IP:icmp_need_flag_ip},%{INT:icmp_need_flag_mtu}" }, { "name":"PFSENSE_APP_DATA", "pattern":"(%{PFSENSE_APP_LOGOUT}|%{PFSENSE_APP_LOGIN}|%{PFSENSE_APP_ERROR}|%{PFSENSE_APP_GEN})" }, { "name":"PFSENSE_APP_LOGOUT", "pattern":"User (%{DATA:pfsense_ACTION}) for user \\'(%{DATA:pfsense_USER})\\' from: (%{GREEDYDATA:pfsense_REMOTE_IP})" }, { "name":"PFSENSE_ICMP_DATA", "pattern":"%{PFSENSE_ICMP_TYPE}%{PFSENSE_ICMP_RESPONSE}" }, { "name":"PFSENSE_IPv4_SPECIFIC_DATA", "pattern":"(?(4)),%{BASE16NUM:tos},%{WORD:ecn}?,%{INT:ttl},%{INT:id},%{INT:offset},%{WORD:flags},%{INT:proto_id},%{WORD:proto}," }, { "name":"PFSENSE_IPv6_SPECIFIC_DATA", 
"pattern":"(?(6)),%{BASE16NUM:ipv6_Flag1},%{WORD:ipv6_Flag2},%{WORD:flow_label},%{WORD:options},%{INT:protocol_id},%{INT:length},%{IPV6:src_ip},%{IPV6:dest_ip},%{WORD:ipv6_HPH},%{WORD:ipv6_padn},%{WORD:ipv6_Alert},%{BASE16NUM:ipv6_Flag3}," }, { "name":"PFSENSE_ICMP_UNREACHPROTO", "pattern":"%{IP:icmp_unreach_dest_ip},%{WORD:icmp_unreachproto_protocol}" }, { "name":"PFSENSE_APP_LOGIN", "pattern":"(%{DATA:pfsense_ACTION}) for user \\'(%{DATA:pfsense_USER})\\' from: (%{GREEDYDATA:pfsense_REMOTE_IP})" }, { "name":"PFSENSE_LOG_DATA", "pattern":"%{INT:rule},%{INT:sub_rule}?,,%{INT:tracker},%{WORD:iface},%{WORD:reason},%{WORD:action},%{WORD:direction}," }, { "name":"PFSENSE_PROTOCOL_DATA", "pattern":"%{PFSENSE_TCP_DATA}|%{PFSENSE_UDP_DATA}|%{PFSENSE_ICMP_DATA}|%{PFSENSE_CARP_DATA}|%{PFSENSE_IGMP_DATA}" }, { "name":"PFSENSE_LOG_ENTRY", "pattern":"%{PFSENSE_LOG_DATA}%{PFSENSE_IP_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}?" }, { "name":"PFSENSE_APP", "pattern":"(%{DATA:pfsense_APP}):" }, { "name":"PFSENSE_IP_SPECIFIC_DATA", "pattern":"%{PFSENSE_IPv4_SPECIFIC_DATA}|%{PFSENSE_IPv6_SPECIFIC_DATA}" }, { "name":"PFSENSE_APP_GEN", "pattern":"(%{GREEDYDATA:pfsense_ACTION})" }, { "name":"PFSENSE_ICMP_RESPONSE", "pattern":"%{PFSENSE_ICMP_ECHO_REQ_REPLY}|%{PFSENSE_ICMP_UNREACHPORT}| %{PFSENSE_ICMP_UNREACHPROTO}|%{PFSENSE_ICMP_UNREACHABLE}|%{PFSENSE_ICMP_NEED_FLAG}|%{PFSENSE_ICMP_TSTAMP}|%{PFSENSE_ICMP_TSTAMP_REPLY}" }, { "name":"PFSENSE_ICMP_UNREACHPORT", "pattern":"%{IP:icmp_unreachport_dest_ip},%{WORD:icmp_unreachport_protocol},%{INT:icmp_unreachport_port}" }, { "name":"PFSENSE_ICMP_TYPE", "pattern":"(?(request|reply|unreachproto|unreachport|unreach|timeexceed|paramprob|redirect|maskreply|needfrag|tstamp|tstampreply))," }, { "name":"PFSENSE_ICMP_TSTAMP_REPLY", "pattern":"%{INT:icmp_tstamp_reply_id},%{INT:icmp_tstamp_reply_sequence},%{INT:icmp_tstamp_reply_otime},%{INT:icmp_tstamp_reply_rtime},%{INT:icmp_tstamp_reply_ttime}" } ], "lookup_tables":[ { "title":"Service Port Translator", "description":"Translates a service port number to its service name", "name":"Service Port Translator", "cache_name":"cache-service-port", "data_adapter_name":"cvs-port-translate", "default_single_value":"", "default_single_value_type":"NULL", "default_multi_value":"", "default_multi_value_type":"NULL" } ], "lookup_caches":[ { "title":"Cache Service Port", "description":"Cache for service port lookups", "name":"cache-service-port", "config":{ "type":"guava_cache", "max_size":1000, "expire_after_access":60, "expire_after_access_unit":"SECONDS", "expire_after_write":0, "expire_after_write_unit":null } } ], "lookup_data_adapters":[ { "title":"CSV Port Translate", "description":"CSV table that translates a service port number to a service name", "name":"cvs-port-translate", "config":{ "type":"csvfile", "path":"/etc/graylog/server/service-names-port-numbers.csv", "separator":",", "quotechar":"\"", "key_column":"Port", "value_column":"Service", "check_interval":3, "case_insensitive_lookup":false } } ] }