I can see only ovpns statistics in Grafana. My pfSense interfaces are lagg0.{VLAN_ID}.
Looking into the Graylog stream, I see pfSense fields populated only for ovpns-related items.
I'm new to the Graylog and Grafana world, but I think my issue is in the grok pattern. Using these two log messages as examples:
filterlog: 475,,,1424803213,lagg0.31,match,block,in,4,0x0,,64,39847,0,DF,6,tcp,60,192.168.31.168,95.100.81.146,52414,80,0,S,358918382,,29200,,mss;sackOK;TS;nop;wscale
filterlog: 9,,,1000000103,ovpns1,match,block,in,4,0x0,,1,59729,0,DF,17,udp,199,10.0.8.26,239.255.255.250,59296,1900,179
I tested the grok pattern with a grok pattern tester and the first example fails, stopping at the iface field, which is parsed as lagg0.
I edited the grok patterns, replacing the expression WORD:iface with USERNAME:iface:
%{INT:rule},%{INT:sub_rule}?,,%{INT:tracker},%{USERNAME:iface},%{WORD:reason},%{WORD:action},%{WORD:direction},
Now the stream fills the fields in the correct way, but I can't see any interface except ovpns in Grafana.
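The WORD versus USERNAME behaviour described in the post can be reproduced offline. This is an added example, not part of the original post: it expands the pattern prefix quoted above using the stock grok definitions of INT, WORD and USERNAME, and runs both variants over the two sample log lines. It assumes the pattern is applied from the start of the CSV payload after `filterlog: `; the helper names are hypothetical.

```python
import re

# Stock grok definitions of the three patterns the prefix uses.
GROK = {
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "WORD": r"\b\w+\b",             # \w excludes '.', so "lagg0.31" cannot match whole
    "USERNAME": r"[a-zA-Z0-9._-]+",  # allows '.', '_' and '-'
}

# Pattern prefix from the post, in its original (WORD) and edited (USERNAME) form.
PREFIX_WORD = ("%{INT:rule},%{INT:sub_rule}?,,%{INT:tracker},%{WORD:iface},"
               "%{WORD:reason},%{WORD:action},%{WORD:direction},")
PREFIX_USERNAME = PREFIX_WORD.replace("%{WORD:iface}", "%{USERNAME:iface}")

# The two sample messages quoted in the post.
SAMPLES = [
    "filterlog: 475,,,1424803213,lagg0.31,match,block,in,4,0x0,,64,39847,0,DF,6,"
    "tcp,60,192.168.31.168,95.100.81.146,52414,80,0,S,358918382,,29200,,"
    "mss;sackOK;TS;nop;wscale",
    "filterlog: 9,,,1000000103,ovpns1,match,block,in,4,0x0,,1,59729,0,DF,17,udp,"
    "199,10.0.8.26,239.255.255.250,59296,1900,179",
]


def grok_to_regex(pattern):
    """Expand %{NAME:field} references into Python named groups."""
    def expand(m):
        return "(?P<%s>%s)" % (m.group(2), GROK[m.group(1)])
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, pattern))


def parse(pattern, line):
    """Return the extracted fields, or None when the pattern does not match."""
    payload = line.split("filterlog: ", 1)[1]  # assumption: anchored at payload start
    m = grok_to_regex(pattern).match(payload)
    return m.groupdict() if m else None


def ifaces(pattern):
    """iface value per sample line (None marks a line whose fields stay empty)."""
    return [(parse(pattern, line) or {}).get("iface") for line in SAMPLES]


if __name__ == "__main__":
    print("WORD:    ", ifaces(PREFIX_WORD))
    print("USERNAME:", ifaces(PREFIX_USERNAME))
```

With WORD the VLAN line yields no fields at all, because the comma expected after the interface name meets the `.` in `lagg0.31`; with USERNAME both lines parse.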