PFSense Snort Logstash

I have been working on getting some detailed logging from Snort logs generated through PFSense and thought I would share the configuration. It can also be modified to work with a Snort setup not running on PFSense, and can be adapted for Suricata if needed.

In order to send your Snort logs you will need an instance of Logstash running on your Snort node with the following input added to the config file Logstash is started with (the file given by `-f`; a packaged install may read a conf.d directory instead, and there is no `logstash.conf` unless you create it). Modify `path` to suit your specific log location: on PFSense the Snort package writes a separate alert file for each monitored interface under /var/log/snort/, so point it at the file for the interface you want. The `type => "snort"` tag is what lets a filter section match these events later, and `sincedb_path` is where Logstash records how far into the file it has read, so alerts are not re-sent after a restart.

input {
  file {
    # Snort alert file to tail; adjust to the interface-specific path on PFSense
    path => "/var/log/snort/alert"
    # Event type used to match these events in a later filter { } section
    type => "snort"
    # Read-position bookkeeping so Logstash resumes where it left off
    sincedb_path => "/var/log/.snortsincedb"
  }
}
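The input above only tails the file; turning each alert line into fields (signature, classification, priority, protocol, addresses and ports) is the job of a filter, which this post does not show. As an added example that is not from the original post, here is that parsing step written in Python so it can be run offline against constructed lines. It assumes Snort is writing the alert file in its single-line "fast" format (-A fast); the field names, the IPv4-only address matching and the sample lines are the example's own choices.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Snort "fast" alert format (-A fast). One alert per line, for example:
#   10/27-10:17:10.123456  [**] [1:2100498:7] MSG [**] [Classification: X] [Priority: 2] {TCP} 1.2.3.4:80 -> 5.6.7.8:54321
# Two things vary between lines and must be optional in the pattern:
#   - ports are absent for protocols without them (ICMP)
#   - the [Classification: ...] block is absent for rules with no classtype
FAST_ALERT_RE = re.compile(
    r"^(?P<timestamp>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9-]+)\}\s+"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<src_port>\d+))?"
    r"\s+->\s+"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dst_port>\d+))?\s*$"
)

INT_FIELDS = ("gid", "sid", "rev", "priority", "src_port", "dst_port")

# Constructed sample input (not real traffic): a TCP alert with a classtype,
# an ICMP alert from a local rule without one, and a line that is not an alert.
SAMPLE_ALERTS = """\
10/27-10:17:10.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.168.1.20:54321
10/27-10:17:36.654321  [**] [1:1000001:1] LOCAL ICMP echo from outside [**] [Priority: 0] {ICMP} 198.51.100.9 -> 192.168.1.1
this line is not a snort alert
"""


def parse_fast_alert(line: str) -> Optional[Dict[str, object]]:
    """Return a dict of named fields for one fast-format line, or None if it does not match.

    The timestamp is kept as a string: the default fast format carries no year,
    so it cannot be turned into an absolute time without outside knowledge.
    """
    m = FAST_ALERT_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    event: Dict[str, object] = m.groupdict()
    for key in INT_FIELDS:
        if event[key] is not None:
            event[key] = int(event[key])  # type: ignore[arg-type]
    return event


def parse_alert_file(text: str) -> Tuple[List[Dict[str, object]], List[str]]:
    """Parse every non-empty line; unmatched lines are returned, not silently dropped."""
    events: List[Dict[str, object]] = []
    unparsed: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_fast_alert(line)
        if event is None:
            unparsed.append(line)
        else:
            events.append(event)
    return events, unparsed


def top_signatures(events: List[Dict[str, object]]) -> Counter:
    """Count alerts per signature (gid:sid), the kind of aggregation a dashboard panel shows."""
    return Counter("%s:%s" % (e["gid"], e["sid"]) for e in events)


if __name__ == "__main__":
    parsed, bad = parse_alert_file(SAMPLE_ALERTS)
    for ev in parsed:
        print(ev)
    print("unparsed:", bad)
    print("top signatures:", top_signatures(parsed).most_common())
```

Each named group here corresponds to a field you would capture with a grok pattern in a `filter { }` section matching events of type "snort". Keep an eye on the lines that do not match: this example returns them separately, and Logstash tags such events with `_grokparsefailure`, which is the first thing to search for when a dashboard looks emptier than the alert file.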

Here are some sample Kibana dashboards.

[Screenshot: Kibana dashboard, 2014-10-27 10:17]

[Screenshot: Kibana dashboard, 2014-10-27 10:17]

Enjoy!

6 thoughts on “PFSense Snort Logstash”

  1. I recently installed logstash on a snort machine following the above advice, but there is no logstash.conf!!!
    Also, the filter below, where should it be added??

    Best regards
