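{
  // pfSense filterlog parser definition: a base header format plus
  // protocol-specific formats that each re-match the whole line and pull
  // out further fields.  Formats are listed in the order they are tried;
  // `halt: true` presumably marks a terminal format (stop after a match) —
  // confirm against the parsing engine's documentation.
  attributes: {
    "dataSource.vendor": "pfSense",
    "dataSource.name": "pfSense",
    "dataSource.category": "security"
  },
  // Named sub-patterns, referenced from `formats` as `$field=pattern$`.
  patterns: {
    // RFC 3339 timestamp with a numeric UTC offset.  The offset sign is
    // `[+-]`: firewalls west of UTC log offsets such as "-05:00", which the
    // earlier `\\+` rejected, so every line from those hosts failed to match.
    // The three protocol formats below inline this same expression (without
    // a capture) — keep them in sync with this pattern.
    tsPattern: "\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}[+-]\\d{2}:\\d{2}",
    ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+",
    // Defined but not referenced by any format in this file.  No `pfIpv: 6`
    // header format exists here, so IPv6 lines only yield the base header.
    ipv6: "[a-fA-F0-9:]+",
    // Syslog hostname slot: dotted IPv4, or a run of letters/digits/colons.
    // NOTE(review): the second alternative admits neither "." nor "-", so an
    // FQDN or hyphenated hostname fails the whole match — confirm what the
    // pfSense syslog HOSTNAME field carries in the deployments fed to this.
    ipv46: "(\\d+\\.\\d+\\.\\d+\\.\\d+|[a-zA-Z0-9:]+)",
    ipv: "(4|6)",
    // Optional "0x.." style value (used for the TOS field); empty matches.
    hex: "([a-f0-9]+x[a-f0-9]+){0,1}",
    tcpflags: "[SA\\.FRPUEW]+",
    numberOrNone: "[0-9]{0,}",
    textOrNone: "[a-zA-Z-\\.0-9]{0,}"
  },
  formats: [
    {
      // Base filterlog header: the eight comma-separated fields every
      // filterlog line begins with (rule, sub-rule, anchor, tracker,
      // interface, reason, action, direction).  The trailing ".*" leaves
      // the IP-version and protocol fields to the formats below.
      format: "$timestamp=tsPattern$ $hostname=ipv46$ filterlog: " +
        "$pfRule=numberOrNone$,$pfSubRule=numberOrNone$," +
        "$pfAnchor=textOrNone$,$pfTracker=numberOrNone$," +
        "$pfInterface$,$pfReason=identifier$," +
        "$pfAction=identifier$,$pfDirection=identifier$,.*"
    },
    {
      // IPv4 header-specific fields.  "{8}" skips the eight base-header
      // fields captured above; "4," is the IP-version field.  `$msg$`
      // absorbs everything after the protocol id (protocol text, length,
      // addresses and any protocol-specific fields).
      attributes: { pfIpv: 4 },
      format: "\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}[+-]\\d{2}:\\d{2} " +
        "(\\d+\\.\\d+\\.\\d+\\.\\d+|[a-zA-Z0-9:]+) filterlog: " +
        "([a-zA-Z0-9-\\.]+,|,){8}4," +
        "$pfTos=hex$,$pfEcn$,$pfTtl=numberOrNone$," +
        "$pfPacketId=numberOrNone$,$pfOffset=numberOrNone$," +
        "$pfIPFlags=identifier$,$pfProtocolID$,$msg$"
    },
    {
      // TCP flow over IPv4.  "{16}" skips the 8 base fields, the IP-version
      // field and the 7 IPv4 header fields before the "tcp" protocol text.
      // Endpoints are matched with `ipv4` only, so IPv6 TCP flows never
      // reach this format.
      attributes: { pfProtocol: "tcp" },
      format: "\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}[+-]\\d{2}:\\d{2} " +
        "(\\d+\\.\\d+\\.\\d+\\.\\d+|[a-zA-Z0-9:]+) filterlog: " +
        "([a-zA-Z0-9-\\.]+,|,){16}tcp," +
        "$pfPacketLen=number$,$pfSourceIP=ipv4$,$pfDestIP=ipv4$," +
        "$pfSourcePort=number$,$pfDestPort=number$," +
        "$pfDataLen=number$,$pfTCPFlags=tcpflags$," +
        "$pfSeq=numberOrNone$,$pfAck=numberOrNone$," +
        "$pfWindow=numberOrNone$,$pfUrg=textOrNone$,$pfTcpOptions$",
      halt: true
    },
    {
      // UDP flow over IPv4; same 16-field skip as the TCP format, and the
      // same IPv4-only endpoint restriction.
      attributes: { pfProtocol: "udp" },
      format: "\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}[+-]\\d{2}:\\d{2} " +
        "(\\d+\\.\\d+\\.\\d+\\.\\d+|[a-zA-Z0-9:]+) filterlog: " +
        "([a-zA-Z0-9-\\.]+,|,){16}udp," +
        "$pfPacketLen=number$,$pfSourceIP=ipv4$,$pfDestIP=ipv4$," +
        "$pfSourcePort=number$,$pfDestPort=number$,$pfDataLen=number$",
      halt: true
    }
  ]
}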