Overview
Blumira’s modern cloud SIEM platform integrates with the pfSense firewall to stream its security event logs to Blumira. With ready-to-use firewall traffic detection rules, Blumira can help you catch risky connections from public IPs, egress/ingress bulk transfers, and activity related to known threat sources that you may want to block.
Before you begin
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.
Gather the IP address of your Blumira sensor to use when configuring the external service.
To find and copy the IP address of the sensor, do the following:
- In Blumira, navigate to Settings > Sensors.
- Click the sensor row to open the details page.
- In the Overview section, next to Host Details, copy the IP address.
Configuring log forwarding
To begin forwarding pfSense logs to Blumira, do the following:
- In pfSense, navigate to Status > System Logs > Settings.
- Under Status > System Logs > Log Message Format, select BSD (RFC 3164) if it is not already selected.
- Scroll down to Remote Logging Options at the bottom of the page and complete the following steps:
  - In Enable Remote Logging, click the check box next to Send log messages to remote syslog server.
  - In the Source Address box, select LAN.
  - In the IP Protocol box, select IPv4.
  - In the Remote log servers box, type the IP address of your Blumira sensor followed by port 514, as in this example: 192.168.100.1:514.
  - In Remote Syslog Contents, click the check box next to Everything.
- Click Save.
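The steps above send pfSense logs to the sensor as BSD (RFC 3164) syslog over UDP port 514. The following Python example is added here to show what that configuration produces on the wire and how a defender can sanity-check it; it is not Blumira's or Netgate's code. It parses the RFC 3164 header that pfSense emits, validates a Remote log servers entry of the form shown above (IPv4 only, matching the IP Protocol setting), and flags inbound filterlog entries whose source address is outside RFC 1918, loopback and link-local space. The sample line is constructed, and the positional layout assumed for the filterlog CSV message (action, direction and IP version at fields 6 to 8, IPv4 source and destination at fields 18 and 19) is taken from Netgate's documented filterlog format rather than from this page; verify it against your own logs before relying on it.

```python
"""Parse BSD (RFC 3164) syslog lines as forwarded by pfSense and flag
firewall entries whose source address is not in a local range.
Added example; not part of the Blumira or pfSense documentation."""
import ipaddress
import re
import socket

SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# Header of a BSD syslog message: <PRI>Mmm dd hh:mm:ss HOST TAG[PID]: MSG
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

# Ranges that are never a public source for this check: RFC 1918, loopback, link-local.
_LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample: a blocked inbound TCP connection logged by pfSense's filterlog
# (facility local0 = 16, severity info = 6, so PRI = 16 * 8 + 6 = 134).
SAMPLE_LINE = (
    "<134>Jan  5 10:23:45 pfSense filterlog[61234]: "
    "4,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,"
    "198.51.100.23,192.168.100.50,44321,445,0,S"
)


def parse_rfc3164(line):
    """Return the header fields and message of one RFC 3164 line, or None if it does not parse."""
    m = _RFC3164.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # PRI = facility (0-23) * 8 + severity (0-7)
        return None
    return {
        "facility": pri // 8,
        "severity": SEVERITIES[pri % 8],
        "timestamp": m["ts"],
        "hostname": m["host"],
        "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["msg"],
    }


def is_valid_remote_log_server(entry):
    """Check an 'address:port' entry such as 192.168.100.1:514 (IPv4 only, as configured above)."""
    host, sep, port = entry.rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        return False
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        return False
    return True


def filterlog_endpoints(message):
    """Extract (action, direction, src, dst) from an IPv4 filterlog CSV message.
    ASSUMPTION: positional layout per Netgate's documented filterlog format; verify locally."""
    f = message.split(",")
    if len(f) < 20 or f[8] != "4":
        return None
    return f[6], f[7], f[18], f[19]


def is_public_source(src):
    """True when the address falls outside the local ranges listed in _LOCAL_NETS."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in _LOCAL_NETS)


def flag_public_inbound(line):
    """True when a line is a pfSense filterlog entry for inbound traffic from a non-local source."""
    rec = parse_rfc3164(line)
    if rec is None or rec["tag"] != "filterlog":
        return False
    ep = filterlog_endpoints(rec["message"])
    return ep is not None and ep[1] == "in" and is_public_source(ep[2])


def serve(bind="0.0.0.0", port=514):
    """Minimal UDP listener (port 514 needs privileges) that prints flagged lines as they arrive."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(65535)
        line = data.decode("utf-8", errors="replace")
        if flag_public_inbound(line):
            print(f"{peer[0]}: {line}")


if __name__ == "__main__":
    print(parse_rfc3164(SAMPLE_LINE))
    print("flagged:", flag_public_inbound(SAMPLE_LINE))
```

Running `serve()` on a test host pointed to in the Remote log servers box is a quick way to confirm that pfSense is actually emitting RFC 3164 lines before the sensor is expected to ingest them; any line for which `parse_rfc3164` returns None indicates the Log Message Format setting was not applied.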
Reference: See additional information provided by Netgate in Remote Logging with Syslog.