Using UltraLog3 HSPI Syslog with pfSense Firewall 2.3
    I have UltraLog3 HSPI configured to accept pfSense syslog output. To do this, I simply set the following options from pfSense > Status > System Logs > Settings > Remote Logging Options:

    Source Address = Default (any)
    IP Protocol = IPv4
    Enable Remote Logging = Send log messages to remote syslog server
    Remote Syslog Servers, Server 1 = IP address of HomeSeer server
    Remote Syslog Contents = System Events, Firewall Events, Portal Auth events, VPN events, Gateway Monitor events, Server Log Balancer events, Wireless events

    Then click Save.

    If you're already using pfSense, then you already have rules created for your HomeSeer system or network cameras, etc. Creation of those rules is outside the scope of this posting.

    Now, edit your firewall rule that allows connections to your HomeSeer system (or network cameras, HSTouch, etc) and ensure you have Edit Firewall rule > Log > Log packets that are handled by this rule enabled.

    Then from HomeSeer > PLUG-INS > UltraLog3 > UltraLog3 > Options > Syslog Options > Enable Syslog On Startup = Yes. All other fields are default.

    Then from View > Device Management, find the UltraLog3 Syslog device, then from the Control drop-down, select Enable.

    At this point, pfSense should be logging to PLUG-INS > UltraLog3 > UltraLog3 > Syslog. Now you can write HomeSeer events to send you an e-mail whenever someone accesses your HomeSeer system from outside your network.

    This is the raw syslog data sent from pfSense:

    Code:
    89,16777216,,1419957650,re0,match,pass,in,4,0x0,,53,56617,0,none,6,tcp,60,xxx.xxx.xxx.xxx,192.168.x.x,60643,443,0,S,665090130,,65535,,mss;sackOK;TS;wscale;eol
    To pull the source IP address out, the regular expression would be:

    Code:
    pass,in,.+,(?'ipaddress'\d+\.\d+\.\d+\.\d+),\d+\.\d+\.\d+\.\d+,\d+,443
    or, to trigger on multiple ports like 80, 443, 10200:

    Code:
    pass,in,.+,(?'ipaddress'\d+\.\d+\.\d+\.\d+),\d+\.\d+\.\d+\.\d+,\d+,(80|443|10200),
    This regular expression updates a global variable called "ipaddress". You could then create an e-mail action with the body as follows:

    Your HomeSeer has been accessed from $$GLOBALVAR:ipaddress:

    Now, whenever someone accesses your HomeSeer system, you'll get an e-mail that includes the IP address of the remote system.

    Regards,
    Ultrajones
    Plug-ins: UltraMon, UltraM1G, UltraCID, Ultra1Wire, UltraLog, UltraWeatherBug, UltraPioneerAVR, UltraGCIR
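A parser for the filterlog line format shown in the post, added here as a worked example (not Ultrajones's code and not part of UltraLog3 or pfSense): it splits the comma-separated pfSense 2.3 filterlog fields by position and applies the same pass/in/destination-port filter as the post's regex, which is also shown rewritten in Python's `(?P<name>...)` named-group syntax. The sample lines are constructed, with the public source address replaced by a documentation address.

```python
import csv
import re
from typing import Optional

# Constructed sample lines modelled on the pfSense 2.3 filterlog entry in the post.
SAMPLE_LINE = (
    "89,16777216,,1419957650,re0,match,pass,in,4,0x0,,53,56617,0,none,6,tcp,60,"
    "203.0.113.7,192.168.1.10,60643,443,0,S,665090130,,65535,,mss;sackOK;TS;wscale;eol"
)
BLOCKED_LINE = (
    "5,,,1000000103,re0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,"
    "198.51.100.9,192.168.1.10,50000,22,0,S,1,,65535,,mss"
)

# Positional field names of an IPv4/TCP filterlog entry (pfSense 2.2+ format).
COMMON = ["rule", "subrule", "anchor", "tracker", "interface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto",
        "length", "src", "dst"]
TCP = ["srcport", "dstport", "datalen", "tcpflags", "seq", "ack", "window",
       "urg", "options"]

# The post's regex, rewritten with Python's (?P<name>...) named-group syntax.
ACCESS_RE = re.compile(
    r"pass,in,.+,(?P<ipaddress>\d+\.\d+\.\d+\.\d+),\d+\.\d+\.\d+\.\d+,\d+,(80|443|10200),"
)


def parse_filterlog(line: str) -> dict:
    """Split one IPv4/TCP filterlog line into a dict of named fields."""
    fields = next(csv.reader([line]))
    names = COMMON + IPV4 + TCP
    if len(fields) < len(names):
        raise ValueError("not an IPv4 TCP filterlog entry")
    rec = dict(zip(names, fields))
    if rec["ipver"] != "4" or rec["proto"] != "tcp":
        raise ValueError("not an IPv4 TCP filterlog entry")
    return rec


def remote_access_ip(line: str, ports=(80, 443, 10200)) -> Optional[str]:
    """Source IP of an inbound 'pass' entry to a watched port, else None."""
    rec = parse_filterlog(line)
    if rec["action"] == "pass" and rec["direction"] == "in" and int(rec["dstport"]) in ports:
        return rec["src"]
    return None


def regex_access_ip(line: str) -> Optional[str]:
    """Same check using the post's regex; returns the 'ipaddress' group or None."""
    m = ACCESS_RE.search(line)
    return m.group("ipaddress") if m else None
```

The field-based version is less fragile than the greedy `.+` in the regex if pfSense later adds or reorders columns, and it gives you the interface, rule number and destination port for the alert body as well.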