securityonion/salt/logstash/files/conf.d/6201_firewall_pfsense.conf

# Author: Wes Lambert
# Last Update: 11/06/2017


filter {
  if [type] == "filterlog" {
    grok {
      match => ["message", "(%{NONNEGINT:rule_number})?\,(%{NONNEGINT:sub_rule_number})?\,(%{DATA:anchor})?\,(%{NONNEGINT:tracker_id})?\,%{DATA:interface}\,%{DATA:reason}\,%{DATA:action}\,%{DATA:direction}\,%{NONNEGINT:ip_version},%{GREEDYDATA:sub_msg}"]
    }
    if [ip_version] =~ "4" {
      csv {
        source => [sub_msg]
	columns => ["ipv4_tos","ipv4_ecn","ipv4_ttl","ipv4_id","ipv4_offset", "ipv4_flags","ipv4_protocol_id","ipv4_protocol","ipv4_protocol_length","source_ip","destination_ip","source_port","destination_port","data_length","tcp_flags","sequence_number","ack","window","urg","options"]
      	separator => ","
      }
    }
    if [ip_version] =~ "6" {
      csv {
        source => [sub_msg]
	columns => ["class","flow_label","hop_limit","protocol","protocol_id","length","source_ip","destination_ip","source_port","destination_port","data_length"]
        separator => ","
      }
    }
    mutate {
      convert => [ "destination_port", "integer" ]
      convert => [ "source_port", "integer" ]    
      convert => [ "ip_version", "integer" ]
      replace => { "type" => "firewall" }
      add_tag=>  [ "pfsense","firewall" ]
      remove_field => [ "sub_msg" ]
    }
  }
}