pfSense "rule.action" no longer parsing? #12318
Since I've upgraded to 2.4.40 from 2.4.30 I've noticed that "rule.action" is no longer being parsed from my pfSense logs. Unless something has changed in the upgrade, I'm not really sure where to look for troubleshooting.
Replies: 1 comment 2 replies
Starting in 2.4.40, the `rule.action` field is now `event.action` to align with the Elastic integration for pfSense. If you're in SOC Dashboards and you use our default `Firewall` dashboard, it should have been updated to reflect this change:
For more information about this change, please see:
https://docs.securityonion.net/en/2.4/release-notes.html
#12021
6a1073b
If you haven't already, you might want to consider switching to the more comprehensive pfSense integration as it will parse more log types:
https://docs.securityonion.net/en/2.4/pfsense.html#elastic-integration-for-pfsense
We just released a video about this yesterday:
https://www.youtube.com/watch?v=aoH8qZwAxek
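
The rename described in the answer above means any custom saved query that still filters on `rule.action` needs review. The following is an added example, not part of the original thread and not Security Onion code: it audits a Kibana saved-objects NDJSON export for objects that still reference the old field name, so each can be checked by hand. It assumes your custom queries live in such an export; the function names and the sample data are hypothetical.

```python
import json
import re

OLD_FIELD = "rule.action"  # pre-2.4.40 name (from the answer above)

# Whole-token match: skips "rule.action_taken" and "my.rule.action".
_FIELD_RE = re.compile(r"(?<![\w.])" + re.escape(OLD_FIELD) + r"(?![\w.])")

def _walk(value, path=""):
    """Yield (path, text) for every key and string in a JSON value, descending
    into strings that themselves hold JSON (e.g. searchSourceJSON)."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield path, key  # field names also appear as keys in filters
            yield from _walk(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from _walk(child, f"{path}[{i}]")
    elif isinstance(value, str):
        if value.lstrip().startswith(("{", "[")):
            try:
                yield from _walk(json.loads(value), path)
                return
            except ValueError:
                pass  # looked like JSON but is plain text
        yield path, value

def find_stale_references(ndjson_text):
    """Return [(type, title, [paths])] for objects still using OLD_FIELD."""
    findings = []
    for line in filter(str.strip, ndjson_text.splitlines()):
        obj = json.loads(line)
        attrs = obj.get("attributes", {})
        hits = sorted({p for p, text in _walk(attrs) if _FIELD_RE.search(text)})
        if hits:
            findings.append((obj.get("type"), attrs.get("title"), hits))
    return findings

def _search(title, source):  # builds one constructed saved-search object
    meta = {"searchSourceJSON": json.dumps(source)}
    return {"type": "search", "attributes": {"title": title, "kibanaSavedObjectMeta": meta}}

# Constructed sample export, not real data.
SAMPLE_EXPORT = "\n".join(json.dumps(o) for o in [
    _search("pfSense blocks", {"query": {"language": "kuery", "query": "rule.action:block"}}),
    _search("pfSense filter", {"filter": [{"query": {"match_phrase": {"rule.action": "pass"}}}]}),
    _search("already migrated", {"query": {"query": "event.action:block OR rule.action_taken:x"}}),
    {"exportedCount": 3},
])

if __name__ == "__main__":
    for obj_type, title, paths in find_stale_references(SAMPLE_EXPORT):
        print(f"{obj_type} '{title}' still references {OLD_FIELD} at: {', '.join(paths)}")
```

The script only reports matches and does not rewrite them, since the thread covers the rename for pfSense logs only.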