Hey Tom!
I've been lurking for a few months, and I was finally able to get a good lab environment set up with pfSense as a firewall and IDS via Snort. However, I have run into a snag. I am struggling to figure out how to get the logs from Snort into a SIEM with pfSense (2.4.5_1). I have tried quite a few different SIEMs in the hope that I could get one of them to work properly: ELK, QRadar, OSSIM, Splunk, etc. In previous iterations of pfSense I was able to get logs into a few of the SIEMs, but had issues with parsing and formatting the data for the SIEM to interpret properly. After a 3-4 month break I have recently been able to play around with it again. I'm not even able to get that far now with the latest version.
I was hoping for a general guide that just goes over getting the logs from pfSense into the SIEM and properly formatted. Not a deep dive or anything. Yes, there are many guides on the internet. I haven't found one that works. I'm willing to use whatever SIEM works that is free or open source. I should mention I'm a security engineer in an enterprise environment. There are some very expensive toys that are able to quickly and easily do what I'm asking. It's almost as if none of the free methods work for a reason. I've dumped a large amount of time into trying to get one of them to work. I have even played around a bit with OPNsense. Same issues. I was hoping you could fill me in on what I don't seem to understand. Surely I'm not the only one to struggle with this. Please help!