Way to spit out pfSense table of Tracking ID and Description?

Been googling around and this eludes me. Is there any way to spit out a table of pfSense's Tracking IDs and their respective firewall descriptions?

Syslog output has the Tracking IDs in the log. I want to make a lookup table that then lets me spit out the rule description so it's easier to make sense of what rule was used in the log.

1 Like

Per their documentation, there is a table in /tmp/rules.debug:
https://docs.netgate.com/pfsense/en/latest/monitoring/logs/raw-filter-format.html

But I am not sure you can push that data out into syslog.

2 Likes

Thanks Tom. If I were a regex/grep guru I could probably figure out a way to spit out a nice table of tracker_ID and plain name, but at least this format (or just looking at the backup config XML) is much easier than using the WebUI to edit each rule to note down the tracker and plain name.

Not trying to output via syslog, but instead make a lookup table at the SIEM to add the value to the syslog that is ingested. Some of the work done so far:

Second pic showing that though this is info from the syslog output to the SIEM, I can now add to the output table the Description by relating it to the tracker_id:

The SPL:
image

Neat.

Thanks again Tom! Keep up those videos, love the channel!

1 Like
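
One way to build the tracker-to-description lookup discussed in this thread from a config backup, as an added example that is not code from any of the posters or from Netgate. It assumes user rules sit under `<filter><rule>` with `<tracker>` and `<descr>` children; the sample XML, the tracker values and the `tracker_id`/`description` column names are constructed.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample of a pfSense config backup; real backups carry many more
# elements per rule. The tracker values and descriptions are made up.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <filter>
    <rule><type>pass</type><interface>lan</interface><tracker>1700000001</tracker>
      <descr><![CDATA[Allow LAN to DNS, "internal" only]]></descr></rule>
    <rule><type>block</type><interface>wan</interface><tracker>1700000002</tracker>
      <descr></descr></rule>
    <rule><type>pass</type><interface>wan</interface>
      <descr><![CDATA[Rule without a tracker element]]></descr></rule>
  </filter>
</pfsense>
"""

def tracker_lookup(config_xml):
    """Return {tracker_id: description} for every <filter><rule> with a tracker."""
    root = ET.fromstring(config_xml)
    table = {}
    for rule in root.findall("./filter/rule"):
        tracker = (rule.findtext("tracker") or "").strip()
        if not tracker.isdigit():
            continue  # no log line could ever be matched to this rule
        descr = (rule.findtext("descr") or "").strip()
        iface = rule.findtext("interface") or "?"
        action = rule.findtext("type") or "?"
        # Fall back to action/interface so undescribed rules still resolve.
        table[tracker] = descr or f"(no description) {action} on {iface}"
    return table

def to_lookup_csv(table):
    """Render the table as CSV with a header row; csv handles the quoting."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["tracker_id", "description"])
    writer.writerows(sorted(table.items()))
    return out.getvalue()

if __name__ == "__main__":
    print(to_lookup_csv(tracker_lookup(SAMPLE_CONFIG)), end="")
```

Rules that pfSense generates itself are not stored in the config XML, so their tracker IDs have to be taken from /tmp/rules.debug. The backup also holds credentials and keys, so only the generated CSV should be copied to the SIEM.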