Configuring Netgate pfSense to communicate with QRadar

To send syslog messages to IBM QRadar, the Netgate pfSense remote logging options must be configured to specify a remote log server.

Before you begin

If you want to send Snort IDS events to QRadar, ensure that the Snort package for Netgate pfSense is installed and configured. Snort is an open source network intrusion detection and prevention system.

Procedure

  1. Log in to your Netgate pfSense device.
  2. Configure remote logging options for Netgate pfSense.
    1. Select Status > System Logs.
    2. Click the Settings tab and then go to the Remote Logging Options section.
    3. Select a Source Address, or use the default.
    4. Select an IP Protocol or use the default.
    5. In the Remote log servers options section, enable System Events, Firewall Events, DNS Events, and DHCP Events.
    Important: If the System Events logging option is enabled, Unknown or Stored events might occur because extra services that are installed by packages for Netgate pfSense can output log messages to the system log. Due to the large number of packages available for Netgate pfSense, the DSM was developed to support the base installation of the device. The DSM Editor can be used in this case to create custom parsing for any Unknown or Stored events that result from user installed packages. For more information about the DSM Editor, see the IBM QRadar Administration Guide.
    Important: If DHCP events are enabled, you must create a Linux® DHCP log source in QRadar® to normalize the DHCP events. The Linux DHCP log source must be placed after Netgate pfSense log source in the parsing order. For more information, see Syslog log source parameters for Linux DHCP and Adding a log source parsing order.
    Important: If you send Snort or Suricata events to QRadar and the log source is not automatically detected, add a Snort log source on the QRadar Console For more information, see Syslog log source parameters for Open Source SNORT.
    Important: For DNS logs to be properly send to QRadar, complete the following steps. These steps apply only for the Unbound DNS Resolver, the default DNS service configured on Netgate pfSense. If you’re running BIND instead of Unbound, these steps do not apply.
    1. Go to Services > DNS Resolver.
    2. On the General Settings tab, scroll down to Custom Options.
    3. Add the following lines in custom options.
      server:
           log-replies:yes
    4. Click Save.
    5. To confirm that Netgate pfSense is generating DNS logs, go to Status > System logs.
  3. Optional: Configure the Snort service to output logs to the Netgate pfSense system log.
    1. Select Service > Snort.
    2. On the Snort Interface tab, click Edit this Snort interface mapping (pencil icon).
    3. In the Alert Settings section, enable Send Alerts to System Log.
    4. Click Save.
    5. On the Snort Interface tab, click Restart Snort on this interface.