I wrote the manual code to import as much as possible from the syslog output of a pfsense 2.2 gateway into a Check Point firewall.
Be warned that this may break your system if you make an error in the code and don’t know how to understand the Inspect code.
I named the file PFsense2.C but any name you like would probably do the trick.
You need to add the addParsingFile file to the proper directory as listed in sk55020
You should then execute it as: addParsingFile -p PFsense2.C -d PFsense_dict.ini
Then restart your Smart Center as instructed.
You can see the added Syslog parser(s) in $FWDIR/conf/syslog/UserDefined/UserDefinedSyslogDevices.C
and the dictionary file in $FWDIR/conf/syslog/UserDefined/UserDefinedSyslogDictionaries.C
This works on MDS domains and normal SmartCenters. For MDS domains just make sure you use mdsenv correctly before you add the parser.
A sample of the INSPECT code:
    (
      # Copyright 2015, Hugo van der Kooij
      # Format based on description on https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2
      :cmd_name (try)
      :parse_from (last_position)
      :regexp (filterlog:)
      :add_field (
        :type (const)
        :field_name (product)
        :field_type (string_id)
        :field_value (PFsense2)
      )
      :on_success (
        :command (
          :cmd_name (try)
          :parse_from (start_position)
          :regexp (".*filterlog:\s+(\d+),(\d+),(\w*),(\d+),(\w+),(\w+),(\w+),(\w+)")
          # integer Rule number
          # integer Sub rule number
          # string? Anchor
          # integer Tracker
          # string Interface (OS name)
          :add_field (
            :type (index)
            :field_name (ifname)
            :field_type (ifname)
            :field_index (5)
            :comment ("Interface (OS name)")
          )
          # string Reason
          # string Action
          :add_field (
            :type (index)
            :field_name (action)
            :field_type (action)
            :field_index (7)
            :dict_name (PFsense_action)
            :comment ("Action")
          )
          # string Direction
          :add_field (
            :type (index)
            :field_name (ifdir)
            :field_type (ifdir)
            :field_index (8)
            :dict_name (PFsense_interface_dir)
            :comment ("Interface direction")
          )
          # integer IP version (4 = IPv4, 6 = IPv6)
          :on_success (
            :command (
              :cmd_name (group_try)
              :mode (try_until_success)
              : (
                # IPv4
              )
              : (
                # IPv6
              )
            )
          )
        )
      )
    )
The trick is in adding this code to your Smart Center.
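As an added example (not part of the post and not Check Point's or pfSense's own code), the following Python parser does in plain code what the INSPECT sample above does: it matches the eight leading filterlog fields with the same regular expression, applies the two dictionaries for action and direction, and branches on the IP version the way the `group_try` block is meant to. The dictionary contents and the per-version header layout are assumptions: the post names PFsense_action and PFsense_interface_dir without showing their entries, and the IPv4/IPv6 field order is taken from the pfSense 2.2 filter log document the post links, so check both against your own log output before relying on them. The sample log lines are constructed.

```python
import re
from typing import Optional

# Constructed sample syslog lines in the pfSense 2.2 filterlog format
# (the third is a non-filterlog line the parser must reject).
SAMPLE_LINES = [
    "Mar  2 10:15:01 gw filterlog: 5,16777216,,1000000103,igb0,match,block,in,4,"
    "0x0,,64,12345,0,DF,6,tcp,60,198.51.100.23,192.0.2.10,44321,22,0,S,1234567,,65535,,mss",
    "Mar  2 10:15:02 gw filterlog: 9,,,1000000111,igb1,match,pass,out,6,"
    "0x00,0x00000,64,UDP,17,40,2001:db8::1,2001:db8::2,5353,5353,40",
    "Mar  2 10:15:03 gw sshd[123]: Accepted publickey for admin",
]

# Mirrors the inner INSPECT :regexp: rule, sub rule, anchor, tracker, interface,
# reason, action, direction, then the IP version and the rest of the line.
# Sub rule is allowed to be empty and interface names may contain a dot (VLANs),
# which is slightly more tolerant than the original pattern.
FILTERLOG_RE = re.compile(
    r"filterlog:\s+(\d+),(\d*),(\w*),(\d+),([\w.]+),(\w+),(\w+),(\w+),(\d)(?:,(.*))?$"
)

# Assumed dictionary contents (PFsense_action / PFsense_interface_dir are only
# named in the post); map pfSense vocabulary to Check Point log vocabulary.
ACTION_DICT = {"pass": "accept", "block": "drop", "reject": "reject"}
IFDIR_DICT = {"in": "inbound", "out": "outbound"}

# Assumed per-version header fields from the pfSense 2.2 filter log document.
IPV4_FIELDS = ("tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto")
IPV6_FIELDS = ("class", "flow_label", "hop_limit", "proto", "proto_id")


def parse_filterlog(line: str) -> Optional[dict]:
    """Return a normalised record for one filterlog line, or None when the
    line is not a filterlog line (the outer INSPECT 'try' failing)."""
    m = FILTERLOG_RE.search(line)
    if m is None:
        return None
    rule, subrule, anchor, tracker, ifname, reason, action, ifdir, ipver, tail = m.groups()
    rec = {
        "product": "PFsense2",                       # the :const field
        "rule": int(rule),
        "subrule": int(subrule) if subrule else None,
        "anchor": anchor or None,
        "tracker": int(tracker),
        "ifname": ifname,                            # :field_index (5)
        "reason": reason,
        "action": ACTION_DICT.get(action, action),   # :field_index (7) via dict
        "ifdir": IFDIR_DICT.get(ifdir, ifdir),       # :field_index (8) via dict
        "ipver": int(ipver),
    }
    # group_try / try_until_success: choose the branch by IP version.
    if rec["ipver"] == 4:
        names = IPV4_FIELDS
    elif rec["ipver"] == 6:
        names = IPV6_FIELDS
    else:
        rec["parse_error"] = "unknown IP version"
        return rec
    fields = tail.split(",") if tail else []
    # After the version-specific header come length, source and destination.
    if len(fields) < len(names) + 3:
        rec["parse_error"] = "truncated IP header fields"
        return rec
    rec.update(zip(names, fields[: len(names)]))
    rest = fields[len(names):]
    rec["length"], rec["src"], rec["dst"] = int(rest[0]), rest[1], rest[2]
    # TCP and UDP carry source and destination ports next.
    if rec["proto"].lower() in ("tcp", "udp") and len(rest) >= 5:
        rec["sport"], rec["dport"] = int(rest[3]), int(rest[4])
    return rec


def parse_many(lines):
    """Parse a batch of syslog lines, dropping non-filterlog entries."""
    return [r for r in (parse_filterlog(l) for l in lines) if r is not None]


if __name__ == "__main__":
    for rec in parse_many(SAMPLE_LINES):
        print(rec)
```

Running the block prints one record per filterlog line; the sshd line yields nothing, which is the behaviour you want from the parser when a gateway forwards its whole syslog stream rather than only the filter log.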