pfSense decoders (OSSEC/Wazuh decoder syntax)

<!-- PFSENSE -->
<!-- Parent decoder for pfSense remote syslog. It claims a line only when it begins with an
     RFC 5424 version digit, a space and an RFC 3339 timestamp with six fractional digits and
     a numeric "+hh:mm"/"-hh:mm" offset, e.g. "1 2024-01-01T00:00:00.000000+00:00 ..." (in the
     OSSEC/Wazuh regex dialect a bare "." is a literal dot and "\." is the wildcard; "\p"
     matches the sign of the offset). pfSense must therefore be configured to send syslog in
     that format: lines in the legacy BSD syslog format never match this prematch, so none of
     the sibling decoders below run for them and no field is extracted. The match is on the
     header only, so every child decoder is a candidate for every pfSense line regardless of
     the program that produced it. -->
<decoder name="pfsense">
  <prematch>^\d\s\w\w\w\w-\d\d-\d\dT\d\d:\d\d:\d\d.\d\d\d\d\d\d\p\d\d:\d\d</prematch>
</decoder>

<!-- Extracts "hostname" as the first token of the form x.y.z (two literal dots) anywhere in
     the line; there is no anchor or offset. NOTE(review): a pfSense host whose name has fewer
     than two dots (e.g. "pfSense") never matches this shape, and the first x.y.z token is
     then likely to be the leading octets of an IP address inside a filterlog event, giving a
     bogus hostname. Verify with wazuh-logtest and consider anchoring the regex with
     offset="after_parent" before keying any rule on this field. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>(\w+.\w+.\w+)</regex>
  <order>hostname</order>
</decoder>

<!-- Program name and process id from the RFC 5424 header: "app-name procid - -" (the two
     dashes are the empty MSGID and STRUCTURED-DATA fields). The field names are misleading:
     "log_type" is the program (filterlog, sshd, ...) and "log_id" is its PID, not a log
     identifier. NOTE(review): "\w" has to cover "-" for program names such as php-fpm to be
     decoded; confirm against the Wazuh regex class definition. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>(\w+)\s(\d+) - -</regex>
  <order>log_type,log_id</order>
</decoder>

<!-- filterlog IPv4 fields. Against the documented filterlog CSV layout the groups line up as:
     protocol text, (packet length skipped), source IP, destination IP, source port,
     destination port, (data length skipped) and one trailing field, which for TCP holds the
     flags (S, SA, A, ...) and is stored here as "request_type". Lines that end right after
     the data length (e.g. UDP) do not match this regex. SECURITY NOTE: the dotted-quad
     pattern only matches IPv4, so IPv6 filterlog events yield no src_ip/dst_ip at all and
     any rule keyed on those fields is blind to them. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>(\w+),\d+,(\d+.\d+.\d+.\d+),(\d+.\d+.\d+.\d+),(\d+),(\d+),\d+,(\w+)</regex>
  <order>protocol,src_ip,dst_ip,src_port,dst_port,request_type</order>
</decoder>

<!-- Firewall verdict: "match,action,direction," gives action (pass/block/...) and direction
     (in/out). It keys on the literal reason "match", so filterlog events carrying any other
     pf reason are left without action/direction. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>match,(\w+),(\w+),</regex>
  <order>action,direction</order>
</decoder>

<!-- Rule tracker and interface. A filterlog message starts
     "rule,subrule,anchor,tracker,interface,reason,..."; "\p\p\p" consumes the three commas
     left when subrule and anchor are empty, so "session_id" is really the tracker (rule) ID
     of the firewall rule that matched, not a session. NOTE(review): rules placed in an anchor
     populate the anchor field, the three consecutive commas disappear and this decoder
     silently stops matching. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>\p\p\p(\d+),(\w+),match,</regex>
  <order>session_id,interface</order>
</decoder>
<!-- PFSENSE -->
<!-- NOTE(review): from here on the six decoders above are repeated verbatim, and the
     sshd/sshguard decoders that follow appear twice as well. Deploy a single copy of each:
     registering the same decoder twice adds nothing and makes the set harder to audit. -->
<!-- Parent decoder for pfSense remote syslog. It claims a line only when it begins with an
     RFC 5424 version digit, a space and an RFC 3339 timestamp with six fractional digits and
     a numeric "+hh:mm"/"-hh:mm" offset, e.g. "1 2024-01-01T00:00:00.000000+00:00 ..." (in the
     OSSEC/Wazuh regex dialect a bare "." is a literal dot and "\." is the wildcard; "\p"
     matches the sign of the offset). pfSense must therefore be configured to send syslog in
     that format: lines in the legacy BSD syslog format never match this prematch, so none of
     the sibling decoders run for them and no field is extracted. -->
<decoder name="pfsense">
  <prematch>^\d\s\w\w\w\w-\d\d-\d\dT\d\d:\d\d:\d\d.\d\d\d\d\d\d\p\d\d:\d\d</prematch>
</decoder>
<!-- Extracts "hostname" as the first token of the form x.y.z (two literal dots) anywhere in
     the line; there is no anchor or offset. NOTE(review): a pfSense host whose name has fewer
     than two dots (e.g. "pfSense") never matches this shape, and the first x.y.z token is
     then likely to be the leading octets of an IP address inside a filterlog event, giving a
     bogus hostname. Verify with wazuh-logtest and consider anchoring the regex with
     offset="after_parent" before keying any rule on this field. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>(\w+.\w+.\w+)</regex>
  <order>hostname</order>
</decoder>
<!-- Program name and process id from the RFC 5424 header: "app-name procid - -" (the two
     dashes are the empty MSGID and STRUCTURED-DATA fields). The field names are misleading:
     "log_type" is the program (filterlog, sshd, ...) and "log_id" is its PID, not a log
     identifier. NOTE(review): "\w" has to cover "-" for program names such as php-fpm to be
     decoded; confirm against the Wazuh regex class definition. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>(\w+)\s(\d+) - -</regex>
  <order>log_type,log_id</order>
</decoder>
<!-- filterlog IPv4 fields. Against the documented filterlog CSV layout the groups line up as:
     protocol text, (packet length skipped), source IP, destination IP, source port,
     destination port, (data length skipped) and one trailing field, which for TCP holds the
     flags (S, SA, A, ...) and is stored here as "request_type". Lines that end right after
     the data length (e.g. UDP) do not match this regex; the five-field sibling below covers
     them. SECURITY NOTE: the dotted-quad pattern only matches IPv4, so IPv6 filterlog events
     yield no src_ip/dst_ip at all and any rule keyed on those fields is blind to them. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>(\w+),\d+,(\d+.\d+.\d+.\d+),(\d+.\d+.\d+.\d+),(\d+),(\d+),\d+,(\w+)</regex>
  <order>protocol,src_ip,dst_ip,src_port,dst_port,request_type</order>
</decoder>
<!-- Firewall verdict: "match,action,direction," gives action (pass/block/...) and direction
     (in/out). It keys on the literal reason "match", so filterlog events carrying any other
     pf reason are left without action/direction. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>match,(\w+),(\w+),</regex>
  <order>action,direction</order>
</decoder>
<!-- Rule tracker and interface. A filterlog message starts
     "rule,subrule,anchor,tracker,interface,reason,..."; "\p\p\p" consumes the three commas
     left when subrule and anchor are empty, so "session_id" is really the tracker (rule) ID
     of the firewall rule that matched, not a session. NOTE(review): rules placed in an anchor
     populate the anchor field, the three consecutive commas disappear and this decoder
     silently stops matching. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>\p\p\p(\d+),(\w+),match,</regex>
  <order>session_id,interface</order>
</decoder>
<!-- Event timestamp from the RFC 5424 header, kept verbatim including its numeric UTC
     offset; do not assume UTC when correlating with other sources. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>^\d\s(\w\w\w\w-\d\d-\d\dT\d\d:\d\d:\d\d.\d\d\d\d\d\d\p\d\d:\d\d)\s</regex>
  <order>timestamp</order>
</decoder>
<!-- Same filterlog IPv4 layout as the six-field decoder above but without the trailing
     flags field, so it also covers lines that end at the data length (e.g. UDP). It is
     listed after the six-field decoder so that, if Wazuh tries siblings in file order
     (verify with wazuh-logtest), TCP lines keep their "request_type". IPv6 events still
     yield no addresses: the pattern is dotted-quad only. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>,(\w+),\d+,(\d+.\d+.\d+.\d+),(\d+.\d+.\d+.\d+),(\d+),(\d+),\d+</regex>
  <order>protocol,src_ip,dst_ip,src_port,dst_port</order>
</decoder>

<!-- sshguard attack notice: 'Attack from "ip" on service svc with danger n'. "service" is
     whatever token follows "service" (sshguard reports a numeric service code rather than a
     name; confirm against the installed sshguard version) and "severity_level" is
     sshguard's danger score. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>Attack from "(\d+.\d+.\d+.\d+)" on service (\w+) with danger (\d+)</regex>
  <order>attacker_ip,service,severity_level</order>
</decoder>

<!-- sshguard block action: 'Blocking "ip/prefix" for n unit reason...'. "attacker_ip" keeps
     the "/prefix" suffix, so rules and CDB lists that compare it with a plain address must
     strip the mask first; "block_time" is the number and unit as logged. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>Blocking "(\d+.\d+.\d+.\d+/\d+)" for (\d+ \w+) (\.+)</regex>
  <order>attacker_ip,block_time,block_reason</order>
</decoder>

<!-- sshd "Connection closed by ip port n rest": the last group, named "auth_type", is
     simply the remainder of the line (typically "[preauth]"). Lines of the form
     "Connection closed by authenticating user ..." do not match here; see the dedicated
     decoder further down. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>Connection closed by (\d+.\d+.\d+.\d+) port (\d+) (\.+)</regex>
  <order>ip_addr,port,auth_type</order>
</decoder>

<!-- sshd "Failed password for user from ip port n service". The user group is "anything",
     so for "Failed password for invalid user bob from ..." the user field holds
     "invalid user bob"; rules matching on user must allow for that prefix. SECURITY NOTE:
     the username is attacker-chosen text and must never be treated as trusted in rule logic
     or dashboards. The last group ("service") holds the protocol tag, normally ssh2. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>Failed password for (\.+) from (\d+.\d+.\d+.\d+) port (\d+) (\.+)</regex>
  <order>user,src_ip,port,service</order>
</decoder>

<!-- sshd "Received disconnect from ip port n:code: message". The number after the port is
     the SSH disconnect reason code; the text after it is the client-supplied disconnect
     message and is untrusted input. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>Received disconnect from (\d+.\d+.\d+.\d+) port (\d+):(\d+): (\.+)</regex>
  <order>ip_addr,port,disconnect_code,disconnect_msg</order>
</decoder>

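<!-- sshd "Invalid user name from ip port n": login attempts against accounts that do not
     exist, the core signal for username enumeration and brute force. FIX(review): the
     original regex was "Invalid user from ..." with no username group, so an ordinary
     "Invalid user bob from 10.0.0.1 port 4444" line never matched; the username is now
     captured the same way the "Failed password" decoder does it. SECURITY NOTE: "user" is
     attacker-chosen text. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>Invalid user (\.+) from (\d+.\d+.\d+.\d+) port (\d+)</regex>
  <order>user,ip_addr,port</order>
</decoder>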

<!-- "ip: word after time", presumably the sshguard release notice for an address whose
     block expired (confirm with a sample line). Unanchored: it fires on the first
     "ip: " sequence found in the line. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>(\d+.\d+.\d+.\d+): (\w+) after (\.+)</regex>
  <order>ip_addr,type,unblock_time</order>
</decoder>

<!-- sshd line containing ": userauth_finish: ". The single group captures the text between
     the RFC 5424 "- -" and that marker (the message prefix, e.g. a log level).
     NOTE(review): <order> names three fields but the regex has only one group, so ip_addr
     and auth_type are never populated by this decoder; either extend the regex or trim the
     order list. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>- - (\.+): userauth_finish: </regex>
  <order>status,ip_addr,auth_type</order>
</decoder>

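<!-- sshd "prefix: Timeout before authentication for ip port n". FIX(review): the third
     group is the client port, so it is now stored as "port" (consistent with the other sshd
     decoders in this file) instead of under the misleading name "auth_type". -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>- - (\.+): Timeout before authentication for (\d+.\d+.\d+.\d+) port (\d+)</regex>
  <order>status,ip_addr,port</order>
</decoder>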

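<!-- sshd "word from authenticating user name ip port n rest", e.g. "Disconnected from
     authenticating user root 10.0.0.1 port 4444 [preauth]". FIX(review): the regex has five
     groups but <order> listed four, so the port landed in "auth_type" and the trailer was
     dropped; the order now mirrors the sibling "Connection closed by authenticating user"
     decoder. SECURITY NOTE: "user" is attacker-chosen text. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>- - (\w+) from authenticating user (\.+) (\d+.\d+.\d+.\d+) port (\d+) (\.+)</regex>
  <order>status,user,ip_addr,port,auth_type</order>
</decoder>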

<!-- pfSense GUI login failure: "/index.php: webConfigurator authentication error for user
     'name' from: ip". This is the web-admin brute-force signal; pair it with a frequency
     rule on ip_addr. SECURITY NOTE: the username is attacker-chosen text, and the group is
     "anything", so verify with a crafted name containing quotes or "from:" that the two
     fields still split as intended before trusting "ip_addr" in automated responses. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>/index.php: webConfigurator authentication error for user '(\.+)' from: (\d+.\d+.\d+.\d+)</regex>
  <order>user,ip_addr</order>
</decoder>

<!-- sshd "Connection closed by authenticating user name ip port n rest". "user" is "\w+",
     so usernames containing characters outside that class do not match here; the last
     group ("auth_type") is the trailer, typically "[preauth]". -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>Connection closed by authenticating user (\w+) (\d+.\d+.\d+.\d+) port (\d+) (\.+)</regex>
  <order>user,ip_addr,port,auth_type</order>
</decoder>

<!-- sshd public-key rejection "function: signature algorithm algo not in
     PubkeyAcceptedAlgorithms rest", e.g. a client still offering a SHA-1 ssh-rsa signature
     to a server that no longer accepts it. Groups: sshd function name, algorithm, trailer. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>- - (\.+): signature algorithm (\.+) not in PubkeyAcceptedAlgorithms (\.+)</regex>
  <order>auth_type_fun,algo,auth_type</order>
</decoder>

<!-- NOTE(review): the decoders from here to the end repeat the sshd/sshguard set above
     verbatim; deploy only one copy. -->
<!-- Event timestamp from the RFC 5424 header, kept verbatim including its numeric UTC
     offset; do not assume UTC when correlating with other sources. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>^\d\s(\w\w\w\w-\d\d-\d\dT\d\d:\d\d:\d\d.\d\d\d\d\d\d\p\d\d:\d\d)\s</regex>
  <order>timestamp</order>
</decoder>

<!-- filterlog IPv4 layout without the trailing flags field, so it also covers lines that
     end at the data length (e.g. UDP). Groups: protocol text, (length skipped), source IP,
     destination IP, source port, destination port, (data length skipped). IPv6 events
     yield no addresses: the pattern is dotted-quad only. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>,(\w+),\d+,(\d+.\d+.\d+.\d+),(\d+.\d+.\d+.\d+),(\d+),(\d+),\d+</regex>
  <order>protocol,src_ip,dst_ip,src_port,dst_port</order>
</decoder>

<!-- sshguard attack notice: 'Attack from "ip" on service svc with danger n'. "service" is
     whatever token follows "service" (sshguard reports a numeric service code rather than a
     name; confirm against the installed sshguard version) and "severity_level" is
     sshguard's danger score. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>Attack from "(\d+.\d+.\d+.\d+)" on service (\w+) with danger (\d+)</regex>
  <order>attacker_ip,service,severity_level</order>
</decoder>

<!-- sshguard block action: 'Blocking "ip/prefix" for n unit reason...'. "attacker_ip" keeps
     the "/prefix" suffix, so rules and CDB lists that compare it with a plain address must
     strip the mask first; "block_time" is the number and unit as logged. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>Blocking "(\d+.\d+.\d+.\d+/\d+)" for (\d+ \w+) (\.+)</regex>
  <order>attacker_ip,block_time,block_reason</order>
</decoder>

<!-- sshd "Connection closed by ip port n rest": the last group, named "auth_type", is
     simply the remainder of the line (typically "[preauth]"). Lines of the form
     "Connection closed by authenticating user ..." do not match here; see the dedicated
     decoder further down. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>Connection closed by (\d+.\d+.\d+.\d+) port (\d+) (\.+)</regex>
  <order>ip_addr,port,auth_type</order>
</decoder>

<!-- sshd "Failed password for user from ip port n service". The user group is "anything",
     so for "Failed password for invalid user bob from ..." the user field holds
     "invalid user bob"; rules matching on user must allow for that prefix. SECURITY NOTE:
     the username is attacker-chosen text and must never be treated as trusted in rule logic
     or dashboards. The last group ("service") holds the protocol tag, normally ssh2. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>Failed password for (\.+) from (\d+.\d+.\d+.\d+) port (\d+) (\.+)</regex>
  <order>user,src_ip,port,service</order>
</decoder>

<!-- sshd "Received disconnect from ip port n:code: message". The number after the port is
     the SSH disconnect reason code; the text after it is the client-supplied disconnect
     message and is untrusted input. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>Received disconnect from (\d+.\d+.\d+.\d+) port (\d+):(\d+): (\.+)</regex>
  <order>ip_addr,port,disconnect_code,disconnect_msg</order>
</decoder>

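<!-- sshd "Invalid user name from ip port n": login attempts against accounts that do not
     exist, the core signal for username enumeration and brute force. FIX(review): the
     original regex was "Invalid user from ..." with no username group, so an ordinary
     "Invalid user bob from 10.0.0.1 port 4444" line never matched; the username is now
     captured the same way the "Failed password" decoder does it. SECURITY NOTE: "user" is
     attacker-chosen text. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>Invalid user (\.+) from (\d+.\d+.\d+.\d+) port (\d+)</regex>
  <order>user,ip_addr,port</order>
</decoder>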

<!-- "ip: word after time", presumably the sshguard release notice for an address whose
     block expired (confirm with a sample line). Unanchored: it fires on the first
     "ip: " sequence found in the line. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>(\d+.\d+.\d+.\d+): (\w+) after (\.+)</regex>
  <order>ip_addr,type,unblock_time</order>
</decoder>

<!-- sshd line containing ": userauth_finish: ". The single group captures the text between
     the RFC 5424 "- -" and that marker (the message prefix, e.g. a log level).
     NOTE(review): <order> names three fields but the regex has only one group, so ip_addr
     and auth_type are never populated by this decoder; either extend the regex or trim the
     order list. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>- - (\.+): userauth_finish: </regex>
  <order>status,ip_addr,auth_type</order>
</decoder>

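<!-- sshd "prefix: Timeout before authentication for ip port n". FIX(review): the third
     group is the client port, so it is now stored as "port" (consistent with the other sshd
     decoders in this file) instead of under the misleading name "auth_type". -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>- - (\.+): Timeout before authentication for (\d+.\d+.\d+.\d+) port (\d+)</regex>
  <order>status,ip_addr,port</order>
</decoder>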

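<!-- sshd "word from authenticating user name ip port n rest", e.g. "Disconnected from
     authenticating user root 10.0.0.1 port 4444 [preauth]". FIX(review): the regex has five
     groups but <order> listed four, so the port landed in "auth_type" and the trailer was
     dropped; the order now mirrors the sibling "Connection closed by authenticating user"
     decoder. SECURITY NOTE: "user" is attacker-chosen text. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>- - (\w+) from authenticating user (\.+) (\d+.\d+.\d+.\d+) port (\d+) (\.+)</regex>
  <order>status,user,ip_addr,port,auth_type</order>
</decoder>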

<!-- pfSense GUI login failure: "/index.php: webConfigurator authentication error for user
     'name' from: ip". This is the web-admin brute-force signal; pair it with a frequency
     rule on ip_addr. SECURITY NOTE: the username is attacker-chosen text, and the group is
     "anything", so verify with a crafted name containing quotes or "from:" that the two
     fields still split as intended before trusting "ip_addr" in automated responses. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>/index.php: webConfigurator authentication error for user '(\.+)' from: (\d+.\d+.\d+.\d+)</regex>
  <order>user,ip_addr</order>
</decoder>

<!-- sshd "Connection closed by authenticating user name ip port n rest". "user" is "\w+",
     so usernames containing characters outside that class do not match here; the last
     group ("auth_type") is the trailer, typically "[preauth]". -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>Connection closed by authenticating user (\w+) (\d+.\d+.\d+.\d+) port (\d+) (\.+)</regex>
  <order>user,ip_addr,port,auth_type</order>
</decoder>

<!-- sshd public-key rejection "function: signature algorithm algo not in
     PubkeyAcceptedAlgorithms rest", e.g. a client still offering a SHA-1 ssh-rsa signature
     to a server that no longer accepts it. Groups: sshd function name, algorithm, trailer. -->
<decoder name="pfsense">
  <parent>pfsense</parent>
  <regex>- - (\.+): signature algorithm (\.+) not in PubkeyAcceptedAlgorithms (\.+)</regex>
  <order>auth_type_fun,algo,auth_type</order>
</decoder>
