So I had all this new logging capability, but really didn't have anything in place to collect it for analysis. That was where Splunk came, pretty cool product if you have never used it. It is primarily a log collection/reporting tool with a number of 3rd party applications that can be loaded in. One in particular that I found useful, was the Google Maps App. I then configured pfSense to Syslog the Firewall logs and configure Snort to send it's alerts to the System Log. Then I setup the UDP listener in Splunk to pull the pfSense logs in. Now for the fun part, Google Maps setups up Geo_IP plotting. The simple search rule was basically showing all pfsense-firewall block activity. I still haven't written this up, but I will eventually.
This information is nifty but I am much more interested in the Snort data. Unfortunately the Snort data was not being completely parsed in Splunk like the Firewall data. I have been trying to find information on how to do this, but I have not had any real luck. Splunk does have an app for Snort, but it seems it may be designed for the stand-alone. I was thinking there may be much more I can configure for Snort behind pfSense but haven't gone down that route. If any one has any ideas on parsing out the Snort data, I'd be interested in hearing them.