Logging all data on an interface to a syslog server
-
Hi all,
I'm sorry if this has already been asked, but I can't find an answer anywhere. I would like to log all data flowing across my WAN interface to an internal syslog server. I'd prefer to do this without enabling logging on all the firewall rules. Is this possible? I'm getting data in my syslog server (I downloaded Splunk) and it seems to be working on the syslog config, but I'm not getting my traffic data. If I can get this sorted with some help it would be greatly appreciated. I pay for DSL usage and I've gone from 20 GB a month to 300GB so it's costing me a small fortune!Thanks,
Todd
-
Best you can do with syslog is logging firewall rule matches, which won't show traffic, just the connection. One of the packages is what you'll need, either Netflow exports to a collector, bandwidthd, or ntop.
-
@cmb:
Best you can do with syslog is logging firewall rule matches, which won't show traffic, just the connection. One of the packages is what you'll need, either Netflow exports to a collector, bandwidthd, or ntop.
Is this a limitation of the pfsense gui or something deeper? We would love to be able to use an external system (Splunk, etc) for more detailed traffic\log analysis.
-
Is this a limitation of the pfsense gui or something deeper? We would love to be able to use an external system (Splunk, etc) for more detailed traffic\log analysis.
That's what Netflow is for, it's the standard for such traffic analysis. If you want something deeper, like including payload, you better have a ton of storage, and you'll need some collection mechanism that doesn't currently exist in base or as a package. There are add on options for FreeBSD there though.
-
If you want full packet logging then you'll really want to install a network tap and a separate box to receive that feed of packets.
-
Thanks for the help. I appreciate it.