PFSense logs showing up very nicely in Azure Sentinel dashboard


Hey guys,

Just wanted to share that I finally managed to get my dashboard working and reflecting my pfSense firewall logs. Here is how I achieved it.

  1. Set up a syslog collector on a Debian VM
  2. Configure the Linux syslog agent
  3. Send syslog from the firewall to the Linux VM so that it can forward it to Log Analytics securely.
  4. With Log Analytics I was able to parse and extract unique values out of the firewall logs. In my dashboard I grabbed any IPs I blocked on which interface.
  5. Once I had the right queries, it was a bit difficult using a base dashboard and injecting queries. I had to clone another Sentinel dashboard and then make it my own.

A lot of details I left out, but this is just an overall idea on how I achieved it. 

[Attached screenshot: MicrosoftTeams-image (1).png]

Just wanted to mention a few challenges I had:

  • Making a dashboard was not as easy as I thought; guides around making a dashboard are not documented as well as I hoped. I had to really just mess around and finally just cloned another one and worked from there. It's best to download it and just modify the JSON file yourself. Thanks to Jon for the tip.
  • It was a bit difficult getting all the syslog to go into Log Analytics, but eventually it worked and I honestly don't know how I did it. The problem was specifying the right facility.
  • You HAVE to know the Kusto query language; you will run into challenges if you don't know more than the basics.
  • Unfortunately I don't have the playbooks and other stuff turned on, so I can't build automation using Logic Apps, but hopefully it comes in the future. If you noticed the big blue peak in my WAN interface chart, that was a port scan on my firewall. Maybe some automation to identify that a port scan is occurring and block that IP automatically using the playbook.
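The two queries the post alludes to, blocked source IPs per interface (step 4) and spotting a port-scan spike like the blue peak in the WAN chart, both come down to splitting the pfSense filterlog CSV message stored in the Log Analytics Syslog table. The KQL below is an added example, not the original poster's query: it assumes the firewall logs arrive in the standard Syslog table with ProcessName "filterlog", and the field positions follow the documented pfSense 2.2+ filterlog format (interface at index 4, action at 6, direction at 7, IP version at 8; for IPv4 the source/destination addresses sit at 18/19 and the ports at 20/21, for IPv6 at 15/16 and 17/18). The 20-port threshold is an arbitrary constructed value for illustration.

```kql
// Added example (not from the original post): parse pfSense filterlog lines
// from the Syslog table and summarise blocked traffic per interface and source.
// Assumes the syslog tag is "filterlog" and the pfSense 2.2+ CSV field layout.
Syslog
| where ProcessName == "filterlog"
| extend f = split(SyslogMessage, ",")
| extend Interface = tostring(f[4]),
         Action    = tostring(f[6]),
         Direction = tostring(f[7]),
         IpVersion = tostring(f[8])
// IPv4 and IPv6 records carry a different number of header fields,
// so the address and port offsets depend on the IP version field.
| extend SrcIp   = iff(IpVersion == "4", tostring(f[18]), tostring(f[15])),
         DstIp   = iff(IpVersion == "4", tostring(f[19]), tostring(f[16])),
         DstPort = iff(IpVersion == "4", toint(f[21]),    toint(f[18]))
| where Action == "block" and Direction == "in"
| summarize BlockedCount = count(),
            DistinctDstPorts = dcount(DstPort),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
          by Interface, SrcIp, bin(TimeGenerated, 1h)
// A single source hitting many distinct destination ports in one hour is the
// shape of the port-scan peak; the threshold (20) is a constructed example value.
| extend LikelyPortScan = DistinctDstPorts >= 20
| order by BlockedCount desc
```

Dropping the last two lines and the DistinctDstPorts column gives the plain "blocked IPs per interface" table for the dashboard tile; keeping them lets the same query feed a scheduled analytics rule once playbooks are available. Note that DstPort is only meaningful for TCP/UDP records; ICMP lines carry different trailing fields, so a production query would also filter on the protocol-text field (index 16 for IPv4, 12 for IPv6).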
3 Replies

Jing,

Thank you for the detailed feedback. This is very helpful information for us to make the product better. CC: @Koby Koren and @Shalini Pasupneti so they can note the feedback and respond as necessary.


@Jing Nghik I am being asked to do exactly this, but I am not a Linux expert.

Can you elaborate please on how to set up the syslog collector on the Debian VM and configure the Linux syslog agent?

Thanks for the help

Does anyone know if there will be an adapter or service for Sentinel that will allow native integration for platforms that cannot natively send anything other than syslog? To have such an awesome product as Sentinel not be able to ingest one of the oldest (if not the oldest) standardized logging capabilities seems a bit unusual. And yes, I know I can stand up a VM to bridge the gap, but that really seems to be a counter-cloud pattern. Paying to run an OS or even a container as a log adapter just seems very '90s.