Sending syslog from pfsense without agent

[anitatata]

Version

2.4.30

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

cloud

Hardware Specs

Meets minimum requirements

CPU

8

RAM

20

Storage for /

100

Storage for /nsm

500

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hello, I just installed security onion version 2.4.30.
Everything working fine, I already added some elastic agent (in linux based VM). All log is send and we can see it in security onion.
But there is one problem with pfsense, so I just follow this step
https://docs.securityonion.net/en/2.4/pfsense.html#
I try with the simple parser, but the log from pfsense is not coming to security onion.

I try to check the syslog from security onion, but there is no log from the pfsense

And also I try to check syslog in elastic, still no log

Please kindly help, if there is miss configuration.
Thanks before

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

Did you allow the IP in the Firewall?

[anitatata]

Yes, I already allow the ip in the Firewall

[TotieBash]

#12055 check the fix. I use the Elastic integrations https://docs.securityonion.net/en/2.4/pfsense.html#elastic-integration-for-pfsense

Run the following commands below from the SO Standalone. Send us the screenshots results.
ss -tulpn | grep 9001
iptables --list -n | grep 9001

[anitatata]

Thanks for the answer.

I try to follow the instruction

• add integration
  

But I did not understand, this statement

Is it means like this?

For the kibana dashboard, I don't see log from pfsense integration

Please kindly help.
Thanks before

[TotieBash]

We're close... The Elastic Integration looks good...

So it is the firewall that is the issue. So since we are both using SO Standalone your firewall path should be:

Firewall > role > standalone > chain > INPUT > hostgroups > customhostgroup0 > portgroups

It should look like this

click "SYNCHRONIZE GRID" to force salt apply the changes. This might take 2-3minutes to run in the background

then issue "iptables --list -n | grep 9001" and "iptables --list -n | more" it should look like below. Mine is using port 9002

[anitatata]

Thanksss, finally my pfsense can connect and send the log.
In my pfsense, I change the log message format

Thank you so much

[anitatata]

Anyway, If I have a switch device, what integrations can I use?

[TotieBash]

What kind of switch? if it is Cisco IOS then its in the latest 2.4.40 patch..