Sending pfSense logs to QRadar

QRadar Community Edition offers a great way to better understand the product.  I have decided to install QRadar CE on a VM at home to give it a try.  Now, I do not run any of the big firewalls that they support but I do run pfSense, which I believe is one of the best solutions for the home network.

After doing a couple of searches on the Internet, I found that there is no DSM for pfSense logs available for QRadar. I decided to try writing my own custom DSM to parse these logs. After some time and effort, I have been able to properly parse the following logs from pfSense in QRadar:

  • Firewall Logs
  • DHCP Events
  • DNS Queries

I have also been able to run Snort and softflowd (Netflow) on pfSense and send the IDS logs and flow information to QRadar.

In this article, we will show how to send the pfSense Firewall Logs to QRadar and use the custom log source extension (LSE) I am providing to parse the logs correctly. Note that this is a work in progress and there are events that are not correctly parsed, or not parsed at all. Also, the regular expressions that I am using may not be the most efficient, but at least they will get the job done. Any recommendations on improving them will be appreciated in the comments. This LSE works for pfSense 2.2 and above.

You can download the XML file here.

Creating the Custom Log Source Extension in QRadar:

The following steps go through the process of creating a log source extension for QRadar and uploading the XML file.