Hi,

Atm we use Splunk to monitor our pfSense boxes. It would be very nice if we could do that with vCenter Log Insight. But the problem is this:

pfSense sends out the following:

    Sep 9 15:26:46 pf: 192.168.99.8.64592 > 80.239.205.210.80: Flags [S], cksum 0x263b (correct), seq 3949330011, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    Sep 9 15:26:46 pf: 00:00:03.010545 rule 1/0(match): block in on em1: (tos 0x0, ttl 128, id 2486, offset 0, flags [DF], proto TCP (6), length 52)

vCenter Log Insight shows:

    2013-09-09 15:26:46.621 Sep 9 15:26:46 pf: 192.168.99.8.64592 > 80.239.205.210.80: Flags [S], cksum 0x263b (correct), seq 3949330011, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    priority facility source hostname appname

    2013-09-09 15:26:46.621 Sep 9 15:26:46 pf: 00:00:03.010545 rule 1/0(match): block in on em1: (tos 0x0, ttl 128, id 2486, offset 0, flags [DF], proto TCP (6), length 52)
    priority facility source hostname appname

But Splunk shows a much nicer:

    9/9/13 3:26:44.000 PM
    Sep 9 15:26:44 193.186.36.81 Sep 9 15:26:46 pf: 00:00:03.010545 rule 1/0(match): block in on em1: (tos 0x0, ttl 128, id 2486, offset 0, flags [DF], proto TCP (6), length 52)
    Sep 9 15:26:44 193.186.36.81 Sep 9 15:26:46 pf: 192.168.99.8.64592 > 80.239.205.210.80: Flags [S], cksum 0x263b (correct), seq 3949330011, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    host=193.186.36.81 Options| sourcetype=pfsense-firewall Options| source=udp:514 Options| dest_ip=80.239.205.210 Options| dest_port=80 Options

Now the problem is that if I search, for example, on 80.239.205.210 it will only show:

    2013-09-09 15:26:46.621 Sep 9 15:26:46 pf: 192.168.99.8.64592 > 80.239.205.210.80: Flags [S], cksum 0x263b (correct), seq 3949330011, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    priority facility source hostname appname

Is there a way to change that?

Thanks!

Regards
Hans
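Added example, not part of the original post and not Splunk or Log Insight code: a Python pre-processor that pairs the two pf syslog lines quoted above into one event with key=value fields, so a search on the destination IP also returns the rule and action. Assumptions: the two lines of an event arrive adjacent (in either order), and every field name except `dest_ip` and `dest_port` is chosen here for illustration.

```python
import re

# Header line:  "... pf: <delta> rule 1/0(match): block in on em1: (... proto TCP (6), ...)"
RULE_RE = re.compile(
    r"pf: \S+ rule (?P<rule>[^\s(]+)\(match\): (?P<action>\w+) (?P<dir>in|out) "
    r"on (?P<iface>\w+): \(.*proto (?P<proto>\w+) \(\d+\)"
)
# Packet line:  "... pf: <src>[.<sport>] > <dst>[.<dport>]: ..."  (ports absent for ICMP)
PKT_RE = re.compile(
    r"pf: (?P<src_ip>\d+(?:\.\d+){3})(?:\.(?P<src_port>\d+))? > "
    r"(?P<dest_ip>\d+(?:\.\d+){3})(?:\.(?P<dest_port>\d+))?:"
)

def merge_events(lines):
    """Pair each rule header with its packet line; return one dict per event."""
    events, pending = [], None          # pending = (kind, fields, raw line)
    for raw in lines:
        raw = raw.strip()
        m = RULE_RE.search(raw)
        kind = "rule" if m else "pkt"
        m = m or PKT_RE.search(raw)
        if not m:
            continue                    # not a pf filter line, ignore
        if pending and pending[0] != kind:
            ev = {**pending[1], **m.groupdict()}
            ev["raw"] = [pending[2], raw]
            events.append(ev)
            pending = None
        else:
            pending = (kind, m.groupdict(), raw)  # an unpaired earlier line is dropped
    return events

def to_kv(ev):
    """Render one merged event as a single searchable key=value line."""
    keys = ("action", "dir", "iface", "proto", "rule",
            "src_ip", "src_port", "dest_ip", "dest_port")
    return " ".join(f"{k}={ev[k]}" for k in keys if ev.get(k))

# The two syslog lines quoted in the post, header first.
SAMPLE = [
    "Sep 9 15:26:46 pf: 00:00:03.010545 rule 1/0(match): block in on em1: "
    "(tos 0x0, ttl 128, id 2486, offset 0, flags [DF], proto TCP (6), length 52)",
    "Sep 9 15:26:46 pf: 192.168.99.8.64592 > 80.239.205.210.80: Flags [S], "
    "cksum 0x263b (correct), seq 3949330011, win 8192, "
    "options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0",
]

if __name__ == "__main__":
    for event in merge_events(SAMPLE):
        print(to_kv(event))
```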