
PFSense logs showing up very nicely in Azure Sentinel dashboard

Jing Nghik
Microsoft

Hey guys,

Just wanted to share that I finally managed to get my dashboard working and reflecting my PFSense Firewall logs. Here is how I achieved it.

  1. Set up a syslog collector on a Debian VM.
  2. Configure the Linux syslog agent.
  3. Send syslog from the firewall to Linux so that it can forward it to Log Analytics securely.
  4. With Log Analytics I was able to parse and extract unique values out of the firewall logs. In my dashboard I grabbed any IPs I blocked and on which interface.
  5. Once I had the right queries, it was a bit difficult using a base dashboard and injecting queries. I had to clone another Sentinel dashboard and then make it my own.

A lot of details I left out, but this is just an overall idea on how I achieved it. 

[Screenshot: MicrosoftTeams-image (1).png]


Just wanted to mention a few challenges I had

  • Making a dashboard was not as easy as I thought; guides around making a dashboard are not documented as well as I hoped. I had to really just mess around and finally just cloned another one and worked from there. It's best to download it and just modify the JSON file yourself. Thanks to Jon for the tip.
  • It was a bit difficult getting all the syslog to go into Log Analytics, but eventually it worked and I honestly don't know how I did it. The problem was specifying the right facility.
  • You HAVE to know the Kusto query language; you will run into challenges if you don't know more than the basics.
  • Unfortunately I don't have the playbooks and other stuff turned on, so I can't build automation using Logic Apps, but hopefully it comes in the future. If you noticed the big blue peak in my WAN interface chart, that was a port scan on my firewall. Maybe some automation to identify that a port scan is occurring and block that IP automatically using the playbook.
1 Reply
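The post leaves out the parsing details (step 4) and only sketches the port-scan automation idea from the last bullet. The following is an added example, not code from the original post or from pfSense or Microsoft: it parses pfSense `filterlog` syslog lines in their CSV format, counts blocked source IPs per interface (the dashboard's "which IPs I blocked on which interface"), and flags a source that hits many distinct destination ports in a short window, which is the kind of rule a playbook could act on. The log lines are constructed for the example, and the scan threshold (five distinct ports within 60 seconds) is an assumption to tune for your own network.

```python
"""Parse pfSense filterlog syslog lines, count blocked IPs per interface, and
flag sources that probe many distinct ports in a short window.
Added example; sample lines are constructed, thresholds are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re
from typing import Optional

# Constructed sample syslog capture (documentation addresses only). One source
# on the WAN (em0) probes five ports in three seconds; other lines are noise.
SAMPLE_LOG = """\
Mar 12 10:00:01 pfSense filterlog[56920]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.0.2.10,203.0.113.5,54321,22,0,S,1234567890,,65535,,mss;sackOK
Mar 12 10:00:01 pfSense filterlog[56920]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.0.2.10,203.0.113.5,54322,23,0,S,1234567891,,65535,,mss;sackOK
Mar 12 10:00:02 pfSense filterlog[56920]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.0.2.10,203.0.113.5,54323,80,0,S,1234567892,,65535,,mss;sackOK
Mar 12 10:00:02 pfSense filterlog[56920]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.0.2.10,203.0.113.5,54324,443,0,S,1234567893,,65535,,mss;sackOK
Mar 12 10:00:03 pfSense filterlog[56920]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.0.2.10,203.0.113.5,54325,3389,0,S,1234567894,,65535,,mss;sackOK
Mar 12 10:00:05 pfSense filterlog[56920]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,none,17,udp,78,198.51.100.7,203.0.113.5,5353,5353,58
Mar 12 10:00:09 pfSense filterlog[56920]: 9,,,1000000201,em1,match,block,in,4,0x0,,128,0,0,none,17,udp,78,10.0.0.25,10.0.0.1,137,137,58
Mar 12 10:00:10 pfSense filterlog[56920]: 100,,,1770001234,em1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,10.0.0.25,203.0.113.9,50000,443,0,S,1,,65535,,mss
Mar 12 10:00:11 pfSense filterlog[56920]: 5,,,1000000103,em0,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::10,2001:db8::1,40000,22,0,S,1,,65535,,mss
"""

# Syslog prefix: "<Mon dd HH:MM:SS> <host> filterlog[<pid>]: <csv payload>"
_SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) filterlog\[\d+\]: (?P<csv>.*)$"
)


@dataclass
class FilterEvent:
    ts: datetime
    iface: str
    action: str      # "block" or "pass"
    direction: str   # "in" or "out"
    proto: str
    src: str
    dst: str
    src_port: Optional[int]
    dst_port: Optional[int]


def parse_filterlog(line: str, year: int = 2019) -> Optional[FilterEvent]:
    """Parse one filterlog line; returns None for non-filterlog or truncated lines."""
    m = _SYSLOG_RE.match(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    # Common header: rule,subrule,anchor,tracker,iface,reason,action,direction,ipver
    if len(f) < 9:
        return None
    iface, action, direction, ipver = f[4], f[6], f[7], f[8]
    if ipver == "4":
        # IPv4: tos,ecn,ttl,id,offset,flags,proto-id,proto-text,length,src,dst,...
        if len(f) < 20:
            return None
        proto, src, dst, rest = f[16], f[18], f[19], f[20:]
    elif ipver == "6":
        # IPv6: class,flowlabel,hlim,proto-text,proto-id,length,src,dst,...
        if len(f) < 17:
            return None
        proto, src, dst, rest = f[12], f[15], f[16], f[17:]
    else:
        return None
    sport = dport = None
    if proto in ("tcp", "udp") and len(rest) >= 2:  # port fields follow for TCP/UDP
        sport, dport = int(rest[0]), int(rest[1])
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return FilterEvent(ts, iface, action, direction, proto, src, dst, sport, dport)


def parse_log(text: str, year: int = 2019) -> list:
    """Parse every filterlog line in a capture, skipping lines that do not match."""
    return [ev for ev in (parse_filterlog(l, year) for l in text.splitlines()) if ev]


def blocked_by_interface(events: list) -> dict:
    """{interface: {source_ip: block_count}} -- the dashboard's blocked-IP view."""
    counts = defaultdict(Counter)
    for e in events:
        if e.action == "block":
            counts[e.iface][e.src] += 1
    return {iface: dict(c) for iface, c in counts.items()}


def detect_port_scans(events: list, min_ports: int = 5, window: timedelta = timedelta(seconds=60)) -> list:
    """Return (iface, src, distinct_ports) for sources whose blocked packets hit
    >= min_ports distinct destination ports within `window` (assumed thresholds)."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.action == "block" and e.dst_port is not None:
            by_src[(e.iface, e.src)].append(e)
    alerts = []
    for (iface, src), evs in by_src.items():
        for i, start in enumerate(evs):  # sliding window anchored at each event
            ports = {x.dst_port for x in evs[i:] if x.ts - start.ts <= window}
            if len(ports) >= min_ports:
                alerts.append((iface, src, len(ports)))
                break
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for iface, srcs in blocked_by_interface(evs).items():
        print(iface, srcs)
    for iface, src, n in detect_port_scans(evs):
        print(f"possible port scan on {iface} from {src}: {n} distinct ports in 60s")
```

In Log Analytics the same field positions apply to the `SyslogMessage` column of the `Syslog` table, so the extraction above maps directly onto a KQL `split()` over the comma-separated payload, with the IPv4/IPv6 branch selecting which indices hold the protocol, source and destination. The per-interface count is what the dashboard chart plots; the scan rule is the piece that would feed a blocking playbook once Logic Apps automation is available.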

Jing,

Thank you for the detailed feedback. This is very helpful information for us to make the product better. CC: @Koby Koren and @Shalini Pasupneti so they can note the feedback and respond as necessary.
