I'm using a custom NanoBSD image with Packet Filter (PF) as my home firewall/gateway and indexing the PF activity into Splunk. Being able to report on and graph the firewall data is valuable intelligence when planning your next honeypot project, among other things.
The write-up that follows isn't specific to NanoBSD and should work with any PF installation (FreeBSD, OpenBSD, pfSense, etc.). I should also mention that I originally implemented this with real-time logging by running tcpdump on pflog0 and piping the output to logger. For the most part it worked, but Splunk would have random events that were missing the first line of the tcpdump output. Instead of burning cycles trying to determine where the random data was being dropped, I settled on a 5-minute "push" interval of the /var/pflog file to Splunk. I haven't encountered the issue since.
The PF-to-syslog portion of my implementation is based on the OpenBSD documentation for PF with a couple of minor tweaks, whereas the Splunk portion is completely custom and involved many nights of RegExp wrestling and LOTS of test packets with Nping. As a quick side note: if you're looking for a utility for writing and testing RegExps on OS X, check out RegExRX. Well worth the $4.99.
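As an added example (not the author's Splunk configuration or RegExps, which the post does not show), the following Python script demonstrates the kind of field extraction that has to be written for tcpdump's pflog output before it can be reported on: it assumes lines in the shape `tcpdump -n -e` prints for a pflog capture (`rule N/(reason) action dir on if: src > dst: ...`, with `tcpdump -n` joining address and port with a dot), splits address and port for IPv4 and IPv6, attaches indented continuation lines to the preceding event, and flags a line with no pflog header rather than silently dropping it, which is the "missing first line" symptom described above. The sample log lines are constructed for the example; `parse_pflog`, `split_addr` and `blocked_by_source` are names chosen here.

```python
import re
from typing import Dict, List, Optional, Tuple

# Pflog header as printed by `tcpdump -n -e` in front of each packet decoded from
# a pflog interface or a pflog capture file (assumed shape, see lead-in):
#   <timestamp> rule <N>[.<anchor>.<M>]/(<reason>) <action> <dir> on <if>: <src> > <dst>: <rest>
PFLOG_HEADER = re.compile(
    r"^(?P<ts>.*?)\s*"
    r"rule (?P<rule>\d+(?:\.[^/\s]+)?)/\((?P<reason>[^)]+)\) "
    r"(?P<action>\S+) (?P<direction>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+?):(?:\s+(?P<rest>.*))?$"
)


def split_addr(token: str) -> Tuple[str, Optional[str]]:
    """Split tcpdump's 'address.port' token. IPv4 with a port has five dotted
    parts; IPv6 contains colons and carries the port after the last dot; a bare
    address (e.g. ICMP) comes back with port None."""
    if ":" in token:
        addr, sep, port = token.rpartition(".")
        return (addr, port) if sep and port.isdigit() else (token, None)
    parts = token.split(".")
    if len(parts) == 5 and parts[-1].isdigit():
        return ".".join(parts[:4]), parts[4]
    return token, None


def parse_pflog(text: str) -> List[Dict]:
    """Turn tcpdump pflog text into one dict per event. Indented lines are treated
    as continuation of the previous event; a non-indented line without a pflog
    header is recorded as an error event so the loss is visible in the index."""
    events: List[Dict] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = PFLOG_HEADER.match(raw)
        if m is None:
            if raw[:1].isspace() and events:
                events[-1]["continuation"].append(raw.strip())
            else:
                events.append({"error": "missing pflog header", "raw": raw, "continuation": []})
            continue
        src, sport = split_addr(m["src"])
        dst, dport = split_addr(m["dst"])
        events.append({
            "ts": m["ts"], "rule": m["rule"], "reason": m["reason"],
            "action": m["action"], "direction": m["direction"], "ifname": m["ifname"],
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "rest": m["rest"] or "", "continuation": [],
        })
    return events


def blocked_by_source(events: List[Dict]) -> Dict[str, int]:
    """Count blocked packets per source address, the most basic pflog report."""
    counts: Dict[str, int] = {}
    for e in events:
        if e.get("action") == "block":
            counts[e["src"]] = counts.get(e["src"], 0) + 1
    return counts


# Constructed sample lines (not real traffic): TCP, DNS, ICMP with a hex-dump
# continuation, an IPv6 hit in an anchor, and a tail whose header line was lost.
SAMPLE_PFLOG = (
    "Jan 15 12:30:00.130000 rule 3/(match) block in on em0: 203.0.113.7.51234 > 198.51.100.2.22: Flags [S], seq 0, win 65535, length 0\n"
    "Jan 15 12:30:00.250000 rule 1/(match) pass out on em0: 192.0.2.10.43122 > 198.51.100.9.53: 12345+ A? example.com. (29)\n"
    "Jan 15 12:30:01.000000 rule 3/(match) block in on em0: 203.0.113.7 > 198.51.100.2: ICMP echo request, id 1, seq 1, length 64\n"
    "\t0x0000:  4500 0054 0000 4000 4001 0000 cb00 7107\n"
    "Jan 15 12:30:02.500000 rule 3.honeypot.0/(match) block in on em0: 2001:db8::bad.40000 > 2001:db8::1.23: Flags [S], seq 1, win 1024, length 0\n"
    "Flags [S], seq 9, win 65535, length 0\n"
)

if __name__ == "__main__":
    parsed = parse_pflog(SAMPLE_PFLOG)
    for ev in parsed:
        print(ev)
    print(blocked_by_source(parsed))
```

The header regex is deliberately anchored on the `rule .../(...)` token rather than on the timestamp, because the timestamp format differs between OpenBSD's and FreeBSD's tcpdump `-ttt`; everything before `rule` is captured as-is and can be parsed separately.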