pfSense and Graylog for NetFlow Collection and Analysis

Hello,

I love networking and infosec, but my current role doesn't get me very hands-on in either, so at home I've deployed pfSense, a powerful free and open source network operating system, and Graylog, a free and open source log collection and analysis tool. While I have these deployed for home and test purposes, both tools are powerful enough for enterprise deployment and have options for paid enterprise support. But enough on that; here is how you get them to work together.

First we are going to assume you already have pfSense and Graylog up and running.

For pfSense we need to install the softflowd package, which exports NetFlow records from the firewall to a collector.

You can find it under System > Package Manager > Available Packages.

After completing the installation, head to Services > softflowd to point the exporter at your Graylog host.

On the Graylog side we need to download the NetFlow connector plugin. I find the easiest method is to go directly to the plugins directory on your Graylog install and drop the .jar file there.

cd /opt/graylog/plugin      [this path will vary based on your install]
sudo wget https://github.com/Graylog2/graylog-plugin-netflow/releases/download/2.3.0-rc.5/graylog-plugin-netflow-2.3.0-rc.5.jar

{Be warned: I had issues with the version above and went with
sudo wget https://github.com/Graylog2/graylog-plugin-netflow/releases/download/0.1.1/graylog-plugin-netflow-0.1.1.jar
as an alternative. I will work on testing other versions, but I also recently updated Graylog, so it could be an issue with the newer Graylog release; anyway, I reverted for now.}

sudo graylog-ctl restart


In Graylog, go to System > Inputs and select NetFlow UDP from the drop-down.

Give the input a description; it defaults to port 2055, which is common for NetFlow collectors. In this case I am using version 5 records due to the stability issues mentioned above with the newer versions.

Afterward, I tend to go to Show received messages to confirm it is functioning properly.
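If nothing shows up under received messages, it helps to confirm on the wire that softflowd is actually exporting well-formed v5 datagrams before blaming the plugin. The following is an added example, not code from the post, pfSense or Graylog: a stand-alone decoder for the NetFlow v5 export format (24-byte header plus 48-byte records, network byte order) with a small UDP listener that binds to port 2055 the way the Graylog input would. Point softflowd at the machine running it (with the Graylog input stopped so the port is free) and it prints each flow, or reports why a datagram was rejected. The `build_sample_datagram` helper and all addresses in it are constructed for the example.

```python
"""Minimal NetFlow v5 decoder and listener (added example, standard library only)."""
import ipaddress
import socket
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Layouts from the NetFlow v5 export format, big-endian (network byte order).
HEADER = struct.Struct(">HHIIIIBBH")                 # 24 bytes
RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass
class FlowRecord:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: str
    packets: int
    octets: int
    tcp_flags: int


def parse_netflow_v5(data: bytes) -> Tuple[dict, List[FlowRecord]]:
    """Decode one v5 datagram into (header dict, list of FlowRecord).

    Raises ValueError for anything that is not a well-formed v5 export, so a
    truncated or mis-versioned packet is reported instead of yielding garbage.
    """
    if len(data) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     flow_seq, engine_type, engine_id, sampling) = HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    expected = HEADER.size + count * RECORD.size
    if len(data) != expected:
        # The count field must agree with the datagram length; otherwise the
        # packet was truncated or the count cannot be trusted.
        raise ValueError(f"count={count} implies {expected} bytes, got {len(data)}")
    header = {
        "version": version, "count": count, "sys_uptime_ms": sys_uptime,
        "unix_secs": unix_secs, "unix_nsecs": unix_nsecs,
        "flow_sequence": flow_seq, "engine_type": engine_type,
        "engine_id": engine_id,
        # Low 14 bits carry the sampling interval, top 2 bits the sampling mode.
        "sampling_interval": sampling & 0x3FFF,
    }
    records = []
    for i in range(count):
        off = HEADER.size + i * RECORD.size
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, flags, proto, _tos, _src_as, _dst_as,
         _smask, _dmask, _pad2) = RECORD.unpack_from(data, off)
        records.append(FlowRecord(
            src=str(ipaddress.IPv4Address(src)),
            dst=str(ipaddress.IPv4Address(dst)),
            src_port=sport, dst_port=dport,
            proto=PROTO_NAMES.get(proto, str(proto)),
            packets=pkts, octets=octets, tcp_flags=flags,
        ))
    return header, records


def build_sample_datagram() -> bytes:
    """Construct a two-record v5 datagram (sample values made up for this example)."""
    def rec(src, dst, sport, dport, proto, pkts, octets, flags):
        return RECORD.pack(ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed,
                           b"\x00" * 4, 1, 2, pkts, octets, 1000, 2000,
                           sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)
    body = rec("192.168.1.10", "203.0.113.5", 51234, 443, 6, 12, 4096, 0x1B)
    body += rec("192.168.1.10", "192.168.1.1", 53001, 53, 17, 1, 64, 0)
    header = HEADER.pack(5, 2, 123456, 1700000000, 0, 42, 0, 0, 0)
    return header + body


def listen(port: int = 2055) -> None:
    """Bind like the Graylog NetFlow UDP input would and print decoded flows."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            data, (peer, _) = sock.recvfrom(65535)
            try:
                hdr, flows = parse_netflow_v5(data)
            except ValueError as exc:
                print(f"{peer}: rejected datagram: {exc}")
                continue
            for f in flows:
                print(f"{peer} seq={hdr['flow_sequence']} {f.src}:{f.src_port} -> "
                      f"{f.dst}:{f.dst_port} {f.proto} pkts={f.packets} bytes={f.octets}")


if __name__ == "__main__":
    listen()
```

Run it with `sudo python3 netflow_check.py` (the script name is an assumption) on the Graylog host while the input is stopped; seeing decoded flows with increasing `flow_sequence` values means softflowd is exporting correctly and any remaining gap is on the Graylog plugin side. The length check matters because softflowd packs up to 30 records per datagram and a silently truncated packet would otherwise be decoded as fewer flows than it declares.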

Start running some queries and, voilà, add them to a dashboard: