The ITSI Content Pack for pfSense contains service definitions and KPIs ready to import into ITSI. The KPI thresholds and importance values are set to defaults so that they can be tuned manually for your use case. After configuration, this content pack provides a comprehensive monitoring solution for pfSense networks.
Kinney Group ITSI Content Pack Blog
For more information about Kinney Group's Splunk Products, visit our website.
Services
pfSense monitoring encompasses several specialized services, each targeting specific aspects of network performance and security:
- Network Security
  - Description: Monitors and manages the security aspects of the network, including intrusion detection and firewall activities.
- Intrusion Detection
  - Description: Monitors network traffic for suspicious activities and potential threats using tools like Snort.
- Firewall Management
  - Description: Manages firewall rules and logs to control network traffic and prevent unauthorized access.
- Traffic Analysis
  - Description: Analyzes network traffic to identify patterns, bandwidth usage, and potential anomalies.
- Log Management
  - Description: Collects, parses, and stores logs from various network devices and applications for analysis and troubleshooting.
- Bandwidth Monitoring
  - Description: Monitors the usage of network bandwidth to identify high-usage IPs and potential network congestion.
- Log Parsing
  - Description: Ensures that logs are properly parsed and fields are extracted for accurate querying and analysis.
KPIs
Each service utilizes specific KPIs to measure its effectiveness:
- Total Data Sent and Received
  - Description: Monitor the total bytes from source and destination IPs.
- Snort Alerts
  - Description: Monitor for Snort alerts indicating potential security threats.
- Firewall Logs
  - Description: Ensure all logs from pfSense are being sent to Splunk.
- Failed Login Attempts
  - Description: Track the number of failed login attempts to identify potential security threats.
- Unusual Login Locations
  - Description: Monitor logins from unusual or unexpected geographic locations.
- Denied Connections
  - Description: Monitor traffic that is denied based on firewall rules.
- Allowed Connections
  - Description: Monitor traffic that is allowed based on firewall rules.
- Bandwidth Usage
  - Description: Identify which IPs are using the most bandwidth.
- Traffic Flow
  - Description: Monitor the flow of data across network infrastructure components.
- Anomalies and Suspicious Traffic
  - Description: Use raw Snort alarms to investigate suspicious traffic.
- Log Parsing and Field Extraction
  - Description: Ensure logs are properly parsed and fields are extracted for accurate querying.
- Event Details
  - Description: Monitor specific event details for deeper insights.
- Error Logs and Alerts
  - Description: Regularly review error logs and set up alerts for critical issues.
- Network Throughput
  - Description: Monitor the usage of network bandwidth to identify high-usage IPs and potential network congestion.
- Data Integrity and Completeness
  - Description: Ensure all expected data is being ingested without loss.
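As an added illustration of how the Denied Connections and Allowed Connections KPIs can share one base search, the SPL below is an example written for this page and is not a search shipped in the content pack. It assumes the pfSense firewall events have been normalized to the Splunk CIM Network Traffic data model cited under Sources (`All_Traffic.action` holding `allowed` or `blocked`) and that the data model is accelerated so `tstats` can read it; the 5-minute span and the output field names are choices for this example, not content-pack defaults.

```spl
| tstats count
    FROM datamodel=Network_Traffic
    WHERE (All_Traffic.action="allowed" OR All_Traffic.action="blocked")
    BY _time span=5m, All_Traffic.action
| rename All_Traffic.action AS action
| xyseries _time action count
| fillnull value=0 allowed blocked
| rename allowed AS allowed_connections, blocked AS denied_connections
```

In ITSI the two KPIs would point at this one base search and pick `allowed_connections` or `denied_connections` as their threshold field, so a single scheduled search feeds both; the `fillnull` step matters because a window with no denied traffic should produce a zero rather than a missing value, which would otherwise leave the KPI showing no data instead of a healthy reading.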
Sources
* [Trenches of IT: Building a Splunk dashboard for pfSense](https://www.trenchesofit.com/2020/04/14/building-a-splunk-dashboard-for-pfsense/)
* [Splunk Documentation: CIM Network Traffic data model](https://docs.splunk.com/Documentation/CIM/5.3.2/User/NetworkTraffic)
* [Splunk Documentation: CIM Authentication data model](https://docs.splunk.com/Documentation/CIM/5.3.2/User/Authentication)
Relationships
Dependencies:
Services are interconnected; for instance, Network Security is dependent on Intrusion Detection and Firewall Management. Similarly, Traffic Analysis relies on Bandwidth Monitoring to identify high-usage IPs and potential network congestion.
Hierarchical Structure:
Some services form a hierarchy, such as Network Security depending on Intrusion Detection and Firewall Management. This illustrates a layered approach to monitoring in which base-level metrics support the broader service-level indicators built on top of them.