pfSense, Squid, and Splunk free

March 14, 2014

pfSense and Squid

I am continuously impressed with the amount and quality of free software that is available on the internet. pfSense is an open source firewall based on FreeBSD with a web-based interface and easy-to-add packages. It has the standard firewall features, but also includes advanced features such as VPN, captive portal, and proxy filtering. For this post I used version 2.1-RELEASE. After installing pfSense and configuring it for my network, I wanted to set up a way to analyze the firewall block logs and the proxy access traffic.

[Image: pfSense, Squid and Splunk]

To do this I first set up Squid. Squid is a caching web proxy. I am using the 2.7.9 pkg v.4.3.3 version of the pfSense Squid package for this post. For steps to configure Squid in pfSense, follow this guide: https://doc.pfsense.org/index.php/Setup_Squid_as_a_Transparent_Proxy. Once Squid is set up, it needs to be configured to forward its logs to Splunk. Do not edit squid.conf from the command line: pfSense generates that file from the package settings, so a package update or a save of the package settings will overwrite your changes. Instead, add the custom directives to the Custom Options text box within the Squid package settings in pfSense.

[Image: pfSense Squid package settings]

Add this line to the Custom Options box so the access log can be viewed in Splunk.

access_log syslog:local7.info;

This sends the access_log to syslog with facility local7 and severity info. I chose local7 because pfSense already uses that facility for the DHCP log. The Squid access logs are therefore mixed in with the DHCP logs, but this doesn't matter because Splunk can filter the two: each line still carries the name of the program that logged it. The trailing semicolon is the separator the Custom Options field uses between directives, not part of Squid's own syntax. To forward the logs to Splunk, configure the remote logging options in pfSense (Status -> System Logs -> Settings).

[Image: pfSense syslog settings]

Be sure to enable remote logging and enter the IP of the remote Splunk server. pfSense sends syslog over UDP to port 514, so allow that port through the host firewall on the Splunk server. You have to check the box next to DHCP service events to forward the Squid access logs, because the selection is made per syslog facility and Squid is now sharing local7 with DHCP. I also like to see the firewall events in Splunk, so I checked that as well. Keep in mind that syslog over UDP is neither encrypted nor authenticated, so the Splunk server should sit on a network segment you trust, and its UDP port 514 should only be reachable from the firewall.

Splunk free

Let's verify that the Splunk server is receiving UDP traffic on port 514 from pfSense. I have already installed Splunk on Ubuntu 12.04 server edition. To check the UDP traffic, run this command on the Splunk server.

sudo tcpdump -i eth0 udp port 514

This starts tcpdump on interface eth0 and filters for UDP port 514 traffic. If you see packets from the pfSense address scrolling by, then the syslog forward is working (adding -A to the command prints the payload, so you can confirm that Squid lines are among them). Now let's configure Splunk.

For this post I am using Splunk free version 6.0. Because I have already set up a data input over UDP, these instructions may differ from an initial setup. Click on Settings -> Data inputs, then Add Data. Choose Syslog as the data type. Click on Next under Consume syslog over UDP. Fill in the UDP port field with 514 and the source name override with pfSense. Finally, click Save. Note that binding UDP port 514 requires Splunk to run as root, since it is a privileged port; if Splunk runs as an unprivileged user, or a local syslog daemon already owns 514, pick a port above 1024 here and give pfSense the same port (the remote syslog server field accepts IP:port). Give Splunk a minute to begin collecting data, then go to the Search & Reporting app to see if you have any events indexed. If you are not seeing any events, you can leave a comment below for help troubleshooting the issue. If you can see events, then you are ready to further configure Splunk!
