pfSense
pfSense logs for firewall rules, packet filter states, NAT translations, service daemons and system events.
Enginsight Global Fields (4)
Field | Description | Type |
---|---|---|
ngs.id | Unique identifier for the log entry. | string |
ngs.createdAt | Timestamp when the event was created locally. | pdate |
ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
ngs.source | Origin or source system of the log. | string |
Reference-Specific Fields (37)
Field | Description | Type |
---|---|---|
pfsense.IPVersion | IP protocol version of the packet (e.g. 4 for IPv4, 6 for IPv6). | pint |
pfsense.DataLength | Length in bytes of the packet's payload data. | plong |
pfsense.ICMP_Sequence | List of ICMP sequence numbers from echo requests/replies. | plongs [] |
pfsense.Sequence | List of generic packet sequence numbers seen by the firewall. | plongs [] |
pfsense.Window | TCP window size advertised in the packet. | plong |
pfsense.ID | Identification field from the IP header (used for fragmentation). | plong |
pfsense.ICMP_ID | Identifier field from the ICMP header. | plong |
pfsense.ProtocolID | Numeric protocol identifier (e.g. 6 for TCP, 17 for UDP). | pint |
pfsense.RuleNumber | Number of the firewall rule that matched this packet. | plong |
pfsense.Tracker | State table tracker ID for this connection. | string |
pfsense.SourcePort | Source transport port (TCP/UDP) of the packet. | pint |
pfsense.ICMP_MTU | MTU value reported in ICMP fragmentation-needed messages. | plong |
pfsense.SubRuleNumber | Sub-rule number within a multi-part rule set. | plong |
pfsense.HopLimit | IPv6 hop limit (same as TTL for IPv4). | plong |
pfsense.TTL | Time-to-live value from the IP header. | plong |
pfsense.Offset | Fragmentation offset field from the IP header. | plong |
pfsense.ICMP_Port | Port field in ICMP-based protocols (where used). | pint |
pfsense.DestPort | Destination transport port (TCP/UDP) of the packet. | pint |
pfsense.ACK | TCP acknowledgment number from the packet. | plong |
pfsense.ICMP_ProtocolID | Numeric protocol ID carried inside ICMP messages. | pint |
pfsense.Length | Total length of the IP packet (header + data). | plong |
pfsense.ECN | Explicit Congestion Notification bits from the IP header. | plong |
pfsense.Interface | Name of the firewall interface that saw the packet. | string |
pfsense.TOS | Type of Service (IPv4) or Traffic Class (IPv6) field. | string |
pfsense.Direction | Direction of traffic: inbound or outbound. | string |
pfsense.Action | Firewall action taken: pass, block, reject, etc. | string |
pfsense.ICMP_Type | ICMP message type (e.g. 8 for echo request). | string |
pfsense.Reason | Textual reason or log code explaining the action. | string |
pfsense.Protocol | Protocol name (e.g. TCP, UDP, ICMP). | string |
pfsense.Filterlog | Array of raw filter log entries associated with this event. | text_general [] |
pfsense.ICMP_Description | Textual descriptions from ICMP messages (e.g. error codes). | text_general [] |
pfsense.Flags | IP header flags (e.g. DF, MF). | text_general [] |
pfsense.TCPFlags | List of TCP control flags set in the packet (e.g. SYN, ACK). | text_general [] |
pfsense.ICMP_DestIP | Array of destination IPs referenced in ICMP payloads. | text_general [] |
pfsense.SourceIP | Array of source IP addresses seen by the firewall. | text_general [] |
pfsense.DestIP | Array of destination IP addresses seen by the firewall. | text_general [] |
pfsense.Options | Array of IP header options present (if any). | text_general [] |
Sample Log Event
Below is a representative JSON log entry showing key fields as they’re emitted by the system. Depending on the context of the event, some fields may be omitted if they’re not applicable.