This is a set of extractors for use within Graylog, to parse the output of pfSense filter logs (the comma-separated lines that the pfSense filterlog process sends over syslog).
On pfSense (Status > System Logs > Settings):
- Set "Log Message Format" to "syslog (RFC 5424, with RFC 3339 microsecond-precision timestamps)", so that Graylog's syslog input can fill application_name from the RFC 5424 APP-NAME field, which the search below relies on
- Set "Remote log servers" to the address and port of the Graylog syslog input
- Under "Remote Syslog Contents", check the firewall events (or everything)
In Graylog:
- Open the Graylog administrative interface
- Open the "System/Inputs" menu and select "Inputs"
- On the syslog input that receives the pfSense logs, enable "Store full message?" (store_full_message: true), so the raw syslog line is kept in the full_message field
- Select "Manage Extractors" for that input
- Open the "Actions" menu and select "Import extractors"
- Paste the contents of extractors.json into the text box
- Select the button "Add extractors to input"
- Open your Graylog search and search for
  application_name:filterlog
- The search results should now show the TCP/UDP/ICMP data (addresses, ports, flags, ICMP type) as separate fields
- In "System/Configurations", under "Message Processors Configuration", order the processors so that "Message Filter Chain" runs before "GeoIP Resolver":
  n   : Message Filter Chain
  n+1 : GeoIP Resolver
  Extractors run inside the Message Filter Chain, so the GeoIP Resolver only finds the extracted source/destination address fields if it runs afterwards.
Note that pfSense sends remote syslog unencrypted over UDP, so keep the Graylog input on a management network that untrusted hosts cannot reach.
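To check what a given filterlog line should turn into once the extractors have run, the following Python script parses the pfSense filterlog CSV format the same way the extractors do inside Graylog. It is an added example, not code from this repository, from Graylog or from pfSense: the field order follows the pfSense "Raw Filter Log Format" documentation (IPv6 ordering is assumed from that documentation), the dictionary keys are this script's own names rather than the field names extractors.json produces, and the sample lines are constructed, not captured from a real firewall. The blocked_inbound helper shows the kind of triage the application_name:filterlog search is used for.

```python
"""Parser for pfSense filterlog lines (added example; field order per pfSense docs)."""

# Fields common to every filterlog entry
COMMON = ["rule_number", "sub_rule_number", "anchor", "tracker",
          "interface", "reason", "action", "direction", "ip_version"]
# IP-version specific header fields (IPv6 order assumed from pfSense docs)
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protocol_id", "protocol"]
IPV6 = ["class", "flow_label", "hop_limit", "protocol", "protocol_id"]
ADDR = ["length", "src_ip", "dst_ip"]
# Protocol-specific trailing fields
TCP = ["src_port", "dst_port", "data_length", "tcp_flags", "seq", "ack",
       "window", "urg", "tcp_options"]
UDP = ["src_port", "dst_port", "data_length"]
ICMP_EXTRA = {  # fields that follow icmp_type, depending on the type
    "request": ["icmp_id", "icmp_seq"],
    "reply": ["icmp_id", "icmp_seq"],
    "unreachproto": ["icmp_dst_ip", "unreachable_protocol_id"],
    "unreachport": ["icmp_dst_ip", "unreachable_protocol_id", "unreachable_port"],
}

# Constructed sample lines (not real captures): the MSG part after the
# "filterlog[pid]:" syslog header, as Graylog stores it in the message field.
SAMPLE_LINES = [
    # TCP SYN to port 22, blocked on igb0
    "5,,,1000000103,igb0,match,block,in,4,0x0,,64,31337,0,DF,6,tcp,60,"
    "203.0.113.7,192.0.2.10,54321,22,0,S,2913745629,,65535,,mss;sackOK;TS;nop;wscale",
    # UDP to port 53, blocked on igb0
    "9,,,1000000110,igb0,match,block,in,4,0x0,,117,0,0,none,17,udp,78,"
    "203.0.113.7,192.0.2.10,5353,53,58",
    # ICMP echo request, passed
    "3,,,1000000100,igb0,match,pass,in,4,0x0,,57,1,0,none,1,icmp,84,"
    "203.0.113.7,192.0.2.10,request,4242,1",
]


def parse_filterlog(line):
    """Split one filterlog line into a dict; unknown protocols keep their raw tail."""
    fields = line.strip().split(",")
    out = dict(zip(COMMON, fields))
    rest = fields[len(COMMON):]

    ip_names = IPV6 if out.get("ip_version") == "6" else IPV4
    out.update(zip(ip_names, rest))
    rest = rest[len(ip_names):]

    out.update(zip(ADDR, rest))
    rest = rest[len(ADDR):]

    proto = out.get("protocol", "").lower()
    if proto == "tcp":
        out.update(zip(TCP, rest))
    elif proto == "udp":
        out.update(zip(UDP, rest))
    elif proto in ("icmp", "icmpv6"):
        out["icmp_type"] = rest[0] if rest else ""
        out.update(zip(ICMP_EXTRA.get(out["icmp_type"], []), rest[1:]))
    else:
        out["protocol_data"] = ",".join(rest)  # e.g. CARP/ESP, left unparsed
    return out


def blocked_inbound(lines):
    """Return (src_ip, protocol, dst_port) for every blocked inbound entry."""
    hits = []
    for line in lines:
        rec = parse_filterlog(line)
        if rec.get("action") == "block" and rec.get("direction") == "in":
            hits.append((rec.get("src_ip"), rec.get("protocol"), rec.get("dst_port", "")))
    return hits


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        rec = parse_filterlog(sample)
        print(rec["action"], rec["direction"], rec["protocol"],
              rec["src_ip"], "->", rec["dst_ip"], rec.get("dst_port", rec.get("icmp_type", "")))
    print("blocked inbound:", blocked_inbound(SAMPLE_LINES))
```

If a line from your own firewall does not split into the expected fields here, it will not split correctly in Graylog either; compare the raw line against the pfSense filterlog documentation before adjusting the extractors.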
Thank you for this repository https://github.com/facyber/pfSense-Graylog-Extractor.git, but I had to adapt it to make it work :?