Pfsense - arpwatch with graylog

First for me but I have nothing to complain about hence this being in the uncategorized.

Pfsense saved my butt today and really just got to sing the praise of both pfsense and graylog. I have set up arpwatch on 2x of my DMZ vlans. I've also set up my pfsense cluster to shoot me over some emails for the arpwatch package. Around 2pm I started getting a flood of arpwatch messages indicating a flipping mac address. Confused, I hopped into my GrayLog instance and saw DHCP DECLINE messages coming up. I noticed the mac and immediately went to a coworker to see what was the maintenance. Sure enough there were some IP conflicts going on and this caused a very brief outage.
It's the little things that make me appreciate pfsense and my deployments. For those who see this, highly recommend this package but only enable it on a vlan that doesn’t have clients coming and going frequently.

For the graylog instance, all it's doing is just ingesting syslog. Nothing fancy. Free and it works amazingly well. Highly recommended.