Configuring Netgate pfSense to Communicate with JSA
To send syslog messages to JSA, the Netgate pfSense remote logging options must be configured to specify a remote log server.
If you want to send Snort IDS events to JSA, ensure that the Snort package for Netgate pfSense is installed and configured. Snort is an open source network intrusion detection and prevention system.
- Log in to the Netgate pfSense device.
- Configure remote logging options for Netgate pfSense.
  - Select Status > System Logs.
  - Click the Settings tab and then go to the Remote Logging Options section.
  - Select a Source Address, or use the default.
  - Select an IP Protocol, or use the default.
  - In the Remote log servers options section, enable System Events, Firewall Events, DNS Events, and DHCP Events.
    If the System Events logging option is enabled, Unknown or Stored events might occur because extra services that are installed by packages for Netgate pfSense can output log messages to the system log. Due to the large number of packages available for Netgate pfSense, the DSM was developed to support the base installation of the device. The DSM Editor can be used in this case to create custom parsing for any Unknown or Stored events that result from user-installed packages. For more information about the DSM Editor, see the Juniper Secure Analytics Administration Guide.
    If DHCP events are enabled, you must create a Linux DHCP log source in JSA to normalize the DHCP events. The Linux DHCP log source must be placed after the Netgate pfSense log source in the parsing order.
- Optional: Configure the Snort service to output logs to the Netgate pfSense system log.
  - Select Service > Snort.
  - On the Snort Interface tab, click Edit this Snort interface mapping (pencil icon).
  - In the Alert Settings section, enable Send Alerts to System Log.
  - On the Snort Interface tab, click Restart Snort on this interface.
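The notes on System Events and DHCP events mean the forwarded stream mixes several services. The following is an added example, not part of the original guide or of JSA: it tallies a captured syslog sample by program tag and lists the tags that have no planned log source, which are the likely sources of Unknown or Stored events. The sample lines, the `ROUTES` mapping, and the `examplepkg` tag are constructed assumptions to adapt to your deployment.

```python
import re
from collections import Counter

# Constructed sample of forwarded syslog lines (documentation addresses only).
SAMPLE = """\
<134>Mar  3 10:15:01 fw01 filterlog[41234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.7,192.0.2.10,51514,22,0,S,1,,64240,,mss
<30>Mar  3 10:15:04 fw01 dhcpd[2210]: DHCPACK on 192.0.2.50 to 00:00:5e:00:53:01 via igb1
<30>Mar  3 10:15:09 fw01 unbound[7781]: [7781:0] info: start of service
<33>Mar  3 10:15:12 fw01 snort[9921]: [1:1000001:1] Constructed test alert {TCP} 198.51.100.7:51514 -> 192.0.2.10:22
<30>Mar  3 10:15:20 fw01 examplepkg[5120]: constructed message from an add-on package
not a syslog line
"""

# Assumption: which program tag is expected to land in which log source.
# Edit this mapping to reflect what your JSA deployment actually parses.
ROUTES = {
    "filterlog": "Netgate pfSense log source (Firewall Events)",
    "unbound": "Netgate pfSense log source (DNS Events)",
    "dhcpd": "Linux DHCP log source (placed after pfSense in parsing order)",
    "snort": "Snort alerts forwarded through the system log",
}

# BSD-style syslog header: optional <PRI>, timestamp, optional host, tag[pid]:
LINE_RE = re.compile(
    r"^(?:<\d{1,3}>)?"
    r"[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} "
    r"(?:\S+ )?"
    r"(?P<prog>[A-Za-z0-9_.\-/]+)(?:\[\d+\])?: "
)

def triage(text):
    """Return (tag counts, sorted tags with no route, count of unparsed lines)."""
    seen, unparsed = Counter(), 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[m.group("prog")] += 1
        elif line.strip():
            unparsed += 1  # not a syslog header at all; inspect by hand
    unrouted = sorted(p for p in seen if p not in ROUTES)
    return seen, unrouted, unparsed

if __name__ == "__main__":
    seen, unrouted, unparsed = triage(SAMPLE)
    for prog, n in seen.most_common():
        print(f"{n:5d}  {prog:12s} {ROUTES.get(prog, 'no route: candidate for DSM Editor parsing')}")
    print(f"unparsed lines: {unparsed}")
```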