Overview
Blumira’s security operations platform integrates with pfSense Firewall to detect cybersecurity threats across your environment, combining SIEM log analysis, endpoint detection, and AI-powered investigation to provide automated or actionable response. With ready-to-use firewall traffic detection rules, Blumira can help you catch risky connections from public IPs, egress/ingress bulk transfers, and activity related to known threat sources that you may want to block.
Before you begin
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.
Gather the IP address of your Blumira sensor to use when configuring the external service.
To find and copy the IP address of the sensor, do the following:
- In Blumira, navigate to Ingestion > Sensors.
- Click the sensor row to open the details page.
- In the Overview section, next to Host Details, copy the IP address.
Configuring log forwarding
To begin forwarding your pfSense firewall logs to Blumira, do the following:
- In pfSense, navigate to Status > System Logs > Settings.
- Under Status > System Logs > Log Message Format, select BSD (RFC 3164) if it is not already selected.
- Scroll down to Remote Logging Options at the bottom of the page and complete the following steps:
- In Enable Remote Logging, click the check box next to Send log messages to remote syslog server.
- In the Source Address box, select LAN.
- In the IP Protocol box, select IPv4.
- In the Remote log servers box, type the IP address of your Blumira sensor followed by port :514, as in this example: 192.168.100.1:514.
- In Remote Syslog Contents, click the check box next to Everything.
- Click Save.
- To ensure full logging from pfSense, modify each firewall rule to log the packets that are handled by the rule. If this is not done, gaps in logging can occur.
Reference: See additional information provided by Netgate in Remote Logging with Syslog.