Help Request: pfSense IDS/IPS to SIEM

Hey Tom,

I've been lurking for a few months and I was finally able to get a good lab environment set up with pfSense as a firewall and IDS via Snort. However, I have run into a snag. I am struggling to figure out how to get the logs from Snort into a SIEM with pfSense (2.4.5_1). I have tried quite a few different SIEMs in the hope I could get one of them to work properly: ELK, QRadar, OSSIM, Splunk, etc. In previous iterations of pfSense I was able to get logs into a few of the SIEMs, but had issues with parsing and formatting the data for the SIEM to interpret properly. After a 3-4 month break I have recently been able to play around with it again. I'm not even able to get that far now with the latest version.

I was hoping for a general guide that just goes over getting the logs from pfSense into the SIEM and properly formatted. Not a deep dive or anything. Yes, there are many guides on the internet. I haven't found one that works. I'm willing to use whatever SIEM works that is free or open source. I should mention I'm a security engineer in an enterprise environment. There are some very expensive toys that are able to quickly and easily do what I'm asking. It's almost as if none of the free methods work for a reason. I've dumped a large amount of time into trying to get one of them to work. I have even played around a bit with OPNsense. Same issues. I was hoping you could fill me in on what I don't seem to understand. Surely I'm not the only one to struggle with this. Please help!

I have been working on a video for how to do this with Security Onion (which is what we use), but I don't have it done just yet. I have only tested it and have it working with Suricata, but here are some of the basics for getting it set up using Suricata or Snort.
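The parsing and formatting problem raised in the thread is the part that usually breaks: Snort's text alert formats and Suricata's EVE JSON carry the same facts in different shapes, and a SIEM only gets useful fields if something normalises them before ingest. Below is an added example, not Tom's code and not part of any pfSense, Snort, Suricata or Security Onion project, that turns three input shapes into one flat record: Snort `alert_fast` lines, Snort `alert_syslog` lines as they arrive over remote syslog, and Suricata EVE JSON (keeping only `event_type == "alert"`). The output field names loosely follow the Elastic Common Schema so an ELK-style stack can index them without a custom pipeline. Assumptions, each also marked in the code: the sample lines are constructed, the rule SIDs are in the local-rules range and illustrative, the sensor clock is treated as UTC, and the `year` argument is supplied by the caller because neither Snort text format carries the year.

```python
"""Normalise pfSense Snort and Suricata alerts into one flat, SIEM-friendly schema.

Added example for the thread; not the author's code.  Assumptions: sensor clock is UTC,
the caller supplies the year for Snort's year-less timestamps, and all sample data is
constructed (SIDs 1000001-1000003 are local-rule-range placeholders).
"""
import json
import re
from datetime import datetime, timezone
from typing import Iterable, Iterator, Optional

# Common tail of a Snort alert in both text formats:
#   [gid:sid:rev] msg [**]? [Classification: ...]? [Priority: n] {PROTO} src[:port] -> dst[:port]
# Note: an IPv6 address with no port is ambiguous in this text form and is not handled here.
_SNORT_BODY = (
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)(?:\s+\[\*\*\])?\s+"
    r"(?:\[Classification:\s+(?P<category>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)
# alert_fast: "MM/DD-HH:MM:SS.usec  [**] ..."
SNORT_FAST_RE = re.compile(r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+" + _SNORT_BODY)
# alert_syslog via remote syslog: "<PRI>Mon DD HH:MM:SS host snort[pid]: ..."
SNORT_SYSLOG_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+snort\[\d+\]:\s+" + _SNORT_BODY
)


def _snort_record(m: "re.Match", ts: datetime) -> dict:
    d = m.groupdict()
    return {
        "@timestamp": ts.isoformat(),
        "event.kind": "alert",
        "event.provider": "snort",
        "event.severity": int(d["priority"]),          # 1 = highest, same convention as Suricata
        "rule.id": f"{d['gid']}:{d['sid']}:{d['rev']}",
        "rule.name": d["msg"],
        "rule.category": d["category"],
        "network.transport": d["proto"].lower(),
        "source.ip": d["src"],
        "source.port": int(d["sport"]) if d["sport"] else None,   # None for ICMP etc.
        "destination.ip": d["dst"],
        "destination.port": int(d["dport"]) if d["dport"] else None,
    }


def _suricata_record(ev: dict) -> Optional[dict]:
    if ev.get("event_type") != "alert":
        return None                                   # flow/dns/http records are not alerts; drop here
    a = ev["alert"]
    ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")   # EVE uses "+0000" offsets
    return {
        "@timestamp": ts.astimezone(timezone.utc).isoformat(),
        "event.kind": "alert",
        "event.provider": "suricata",
        "event.severity": int(a["severity"]),
        "rule.id": f"{a.get('gid', 1)}:{a['signature_id']}:{a.get('rev', 0)}",
        "rule.name": a["signature"],
        "rule.category": a.get("category"),
        "network.transport": ev.get("proto", "").lower(),
        "source.ip": ev.get("src_ip"),
        "source.port": ev.get("src_port"),
        "destination.ip": ev.get("dest_ip"),
        "destination.port": ev.get("dest_port"),
    }


def normalize(line: str, year: int, tz=timezone.utc) -> Optional[dict]:
    """Return one flat alert record, or None for non-alert or unparseable lines."""
    line = line.strip()
    if line.startswith("{"):
        try:
            return _suricata_record(json.loads(line))
        except (ValueError, KeyError):
            return None
    m = SNORT_FAST_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f").replace(tzinfo=tz)
        return _snort_record(m, ts)
    m = SNORT_SYSLOG_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        return _snort_record(m, ts)
    return None


def normalize_stream(lines: Iterable[str], year: int) -> Iterator[str]:
    """Yield newline-delimited JSON, the shape most SIEM ingest paths accept directly."""
    for line in lines:
        rec = normalize(line, year)
        if rec is not None:
            yield json.dumps(rec, sort_keys=True)


SAMPLE_LINES = [  # constructed examples, not real sensor output
    "05/21-14:02:32.123456  [**] [1:1000001:3] LOCAL test alert [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:44321 -> 10.0.0.5:80",
    "<33>May 21 14:02:33 pfSense snort[4242]: [1:1000002:1] LOCAL icmp probe "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 10.0.0.5",
    '{"timestamp":"2020-05-21T14:02:34.000123+0000","event_type":"alert","src_ip":"192.168.1.10",'
    '"src_port":44322,"dest_ip":"10.0.0.5","dest_port":443,"proto":"TCP","alert":{"gid":1,'
    '"signature_id":1000003,"rev":2,"signature":"LOCAL tls alert","category":"Misc activity","severity":1}}',
    '{"timestamp":"2020-05-21T14:02:35.000000+0000","event_type":"flow","src_ip":"192.168.1.10"}',
    "garbage line the parser must not crash on",
]

if __name__ == "__main__":
    for out in normalize_stream(SAMPLE_LINES, year=2020):
        print(out)
```

Run it as `python3 normalize_ids.py < /var/log/snort/alert` (or against a tail of `eve.json`) and the three alert lines come out as one-record-per-line JSON with identical keys, while the flow event and the garbage line are dropped rather than crashing the pipeline. Two design points worth keeping when adapting this: severity is passed through unchanged because Snort priority and Suricata severity already agree that 1 is the most severe, and the timestamp is emitted in ISO 8601 with an explicit offset, which is the one form every SIEM in the thread parses without a custom date filter.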

You are awesome! Thanks Tom! I'll be sure to keep an eye out for the video!

Yeah, this video will be interesting for me too!