Threat Intel Setup Part 3 (Grafana)
We’ve reached the culmination of our Threat Intel series for now. Throughout this journey we’ve set up several systems, PFSense, Graylog, and now Grafana, to recreate an environment similar to a Security Operations Center (SOC) in your own home lab using open-source software. Our ultimate goal is an ecosystem where you can analyze network traffic and visualize the ingested logs as we deploy more services in the lab.
In this post, we’ll import a dashboard I’ve updated over time to quickly summarize firewall and IDS events for a given time period. I’d like to express my gratitude to jenniferhatches for initially creating the dashboard in 2020 with Elasticsearch as the data source. Since then, Elasticsearch has undergone a licensing change, which led AWS to fork it as OpenSearch. OpenSearch is a community-driven, open-source project forked from Elasticsearch 7.10.2 and API-compatible with that release, which is why a dashboard originally built against Elasticsearch can be pointed at an OpenSearch data source.
If you have additional ideas on how to visualize PFSense and/or Suricata logs, please comment below. Let’s collaborate to enhance our insights!
Grafana Install
https://grafana.com/docs/grafana/latest/setup-grafana/installation/debian/
I’m using Grafana v10.2.3, released in late 2023, which is when I first started exploring threat intelligence. The latest version may have a different UI or rearranged settings, but the principles for adding a data source and connecting it to a dashboard are the same. Follow the steps in the link above to deploy an instance of Grafana OSS. I chose to install Grafana on the same host as Graylog. Graylog’s OpenSearch instance normally listens only on the loopback interface, so co-locating Grafana lets the data source use Server access mode: Grafana’s backend issues the queries to OpenSearch over localhost and the browser never talks to port 9200 directly, which avoids any Cross-Origin Resource Sharing (CORS) configuration and keeps OpenSearch off the network.
Be sure to start the service after installation and check its logs (for example `journalctl -u grafana-server`) for any errors.

Once installed, use the following credentials for your initial login (Grafana ships with the default account admin / admin), and change the default admin password immediately after logging in.

Data Source Configuration
The first step in configuring Grafana is to add data sources, which tell Grafana where the logs live and let it run queries against them.

When adding a new connection, search for OpenSearch. The OpenSearch data source is a plugin and has to be installed first; in my case it is already installed:

Next, we need to refer back to each stream we created in Graylog. By viewing any message in a stream, we can copy the “Stored in index” value and use it for the Index Name in the OpenSearch connection details. Note that I’ve added an asterisk (*) to the Index Name as a wildcard, because a new index is created every 40 days by the rotation policy we set up earlier. Graylog names its indices `<prefix>_<number>` (for example `pfsense-filter_0`, then `pfsense-filter_1` after rotation), so place the wildcard after the prefix rather than after the full index name, otherwise the data source silently stops matching once the index rotates. Also keep the pattern tight enough that it does not pick up another index set that happens to share the same leading characters.
Save and test the connection once the OpenSearch details are complete.
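The same data source can be registered from a script instead of the UI, which also makes the wildcard check explicit before anything is saved. The following is an added example, not code from the original post: it derives the index pattern from a “Stored in index” value, shows which indices a pattern would select, and builds the `POST /api/datasources` body with `access: proxy` (the API name for Server access mode). The Grafana and OpenSearch URLs, the service-account token, the `pfsense-filter` index prefix and the sample index list are all assumptions or constructed sample data; the `jsonData` keys follow the OpenSearch plugin’s provisioning example and should be checked against the plugin version you installed.

```python
"""Added example (not from the original post): register the OpenSearch data source
that the Graylog streams live in via Grafana's HTTP API, checking the index
wildcard first.

Assumptions (hypothetical values, change them to match your lab):
  - Grafana OSS at http://localhost:3000 and a service-account token
  - OpenSearch from the Graylog install at http://localhost:9200 on the same host
  - a Graylog index set with prefix "pfsense-filter" (indices are <prefix>_<n>)
"""
import fnmatch
import json
import re
import sys
import urllib.request

GRAFANA_URL = "http://localhost:3000"      # assumption
GRAFANA_TOKEN = "glsa_REPLACE_ME"          # assumption: Grafana service-account token
OPENSEARCH_URL = "http://localhost:9200"   # assumption: Graylog's OpenSearch, same host

# Constructed sample of what GET /_cat/indices?format=json might list in a
# lab like this one; used for the offline dry run below.
SAMPLE_INDICES = [
    "pfsense-filter_2", "pfsense-filter_3",      # current and previous rotation
    "pfsense-filter-logs_0",                     # a different index set with a similar prefix
    "suricata_5", ".opensearch-observability",
]


def index_pattern(stored_in_index: str) -> str:
    """Turn a "Stored in index" value such as "pfsense-filter_3" into the wildcard
    Grafana should query. Graylog names indices <prefix>_<number>, so strip the
    rotation counter and append '*'. Appending '*' to the full name
    ("pfsense-filter_3*") would miss the next rotated index."""
    prefix = re.sub(r"_\d+$", "", stored_in_index)
    return prefix + "_*"


def matching_indices(pattern: str, index_names) -> list:
    """Which of the reported indices does the wildcard select? Sorted for stable output."""
    return sorted(n for n in index_names if fnmatch.fnmatchcase(n, pattern))


def datasource_payload(name: str, pattern: str) -> dict:
    """Body for POST /api/datasources. access="proxy" is "Server" mode in the UI:
    Grafana's backend talks to OpenSearch and the browser never does, so OpenSearch
    can stay bound to localhost and no CORS setup is needed."""
    return {
        "name": name,
        "type": "grafana-opensearch-datasource",
        "access": "proxy",
        "url": OPENSEARCH_URL,
        "jsonData": {
            "database": pattern,       # index name/pattern (key from the plugin's provisioning docs)
            "timeField": "timestamp",  # Graylog stores the message time in "timestamp"
            "flavor": "opensearch",
            "version": "2.11.0",       # assumption: use what GET / on OpenSearch reports
            "pplEnabled": True,
        },
    }


def _request(method: str, url: str, body=None, headers=None):
    req = urllib.request.Request(url, method=method, headers=headers or {})
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, data=data, timeout=10) as resp:
        return json.loads(resp.read())


def grafana_healthy() -> bool:
    """GET /api/health needs no auth; "database": "ok" means the service is up."""
    return _request("GET", f"{GRAFANA_URL}/api/health").get("database") == "ok"


def opensearch_index_names() -> list:
    return [row["index"] for row in _request("GET", f"{OPENSEARCH_URL}/_cat/indices?format=json")]


def create_datasource(payload: dict) -> dict:
    return _request("POST", f"{GRAFANA_URL}/api/datasources", payload,
                    {"Authorization": f"Bearer {GRAFANA_TOKEN}"})


if __name__ == "__main__":
    live = "--live" in sys.argv                      # without --live, stay offline
    stored = "pfsense-filter_3"                       # value copied from a message's "Stored in index"
    pattern = index_pattern(stored)
    names = opensearch_index_names() if live else SAMPLE_INDICES
    print(f"{pattern!r} selects {matching_indices(pattern, names)}")
    print(f"{stored + '*'!r} would select {matching_indices(stored + '*', names)}")
    if live:
        if not grafana_healthy():
            raise SystemExit("Grafana is not up; check journalctl -u grafana-server")
        print(create_datasource(datasource_payload("Pfsense-Filter-Logs", pattern)))
```

Run it without arguments for the offline dry run against the constructed index list; with `--live` it checks `/api/health`, reads the real index list from OpenSearch and creates the data source. Creating it through the API is equivalent to filling in the UI form, so “Save & test” in the UI is still the quickest way to confirm the connection afterwards.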
Dashboard Time
Use either of the links below to download the dashboard JSON and import it into Grafana:

During the import process you’ll be asked to name the new dashboard, choose a folder to store it in, and assign a UID if the one in the JSON already exists in your instance. Lastly, for the Threat Intel Logs data source selector, point it at the Pfsense-Filter-Logs data source as a starting point.
Once everything is configured and imported, the result should be a populated dashboard. The left side shows metrics from PFSense firewall rule hits, while the right side shows Suricata alerts. Filters at the top of the dashboard let you drill down by interesting source IPs or by the interfaces configured in your PFSense setup.
