Netgate Discussion Forum

    Monitoring FW logs and attacks

    • skipper

      Hi folks,

      I want to monitor the FW logs (and attacks as well) on pfSense, and I was looking to see if there is any tool in the available packages where I can see the logs of the last month and sort them by source/destination IP or destination port, but there is nothing like that as far as I can see.

      I want to be able to see which source/destination IPs and destination ports have the most blocked packages, on all interfaces.
      Generally I want to be able to check the logs from some days ago and see if there was some attack or so.

      Is there any way/tool on pfSense which I can use to have this function?

      thanks in advance

      • galaxy60

        Hi, I use syslog to another PC; the software I am currently using is SYSLOG Watcher. Install the software on your PC, then on pfSense go to the system logs settings, enable the tick box and enter your PC's IP address.

        • skipper

          Hi galaxy60,
          thanks for your reply

          That looks like a good solution. Do you maybe know any software like SYSLOG Watcher for Linux (Ubuntu)?
          Have you compared the logs on SYSLOG Watcher and pfSense to see how fast/often the logs are being copied to the log server?

          I am thinking of also enabling Snort; is there something similar for sending Snort logs as well?

          • galaxy60

            Hi, Linux has its package you can install for syslog, but I don't think it has a GUI like the one mentioned. As for Snort, this does have its own internal logging.

            • skipper

              thanks for your reply galaxy60,

              I guess I have to activate/enable snort and see how it is going with blocking/alerting/logging and then decide if I need to copy the logs to some other server as well.

              cheers

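Added example, not from either poster: once pfSense forwards its firewall log to a Linux syslog server as described in the thread, a short script can rank blocked traffic by source IP, destination IP and destination port. It assumes BSD-style syslog lines and the comma-separated `filterlog` field order encoded in `OFFSETS`; check both against your own log before relying on it. The sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = """\
Mar  1 10:00:01 fw filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,1234,0,none,6,tcp,60,203.0.113.7,192.0.2.10,40000,22,0,S,1,,64240,,mss
Mar  1 10:00:02 fw filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,1235,0,none,6,tcp,60,203.0.113.7,192.0.2.10,40001,23,0,S,2,,64240,,mss
Mar  1 10:00:03 fw filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,50,999,0,none,17,udp,78,198.51.100.9,192.0.2.10,5353,53,58
Mar  1 10:00:04 fw filterlog: 9,,,1000000200,igb1,match,pass,out,4,0x0,,64,77,0,DF,6,tcp,60,192.0.2.10,198.51.100.9,51000,443,0,S,3,,64240,,mss
Mar  1 10:00:05 fw filterlog[411]: 6,,,1000000105,igb0,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::1,2001:db8::2,40002,22,0,S,4,,64240,,mss
Mar  1 10:00:06 fw sshd[123]: unrelated line
"""
FILTERLOG = re.compile(r"filterlog(?:\[\d+\])?:\s*(.*)$")
# Assumed offsets per IP version: (protocol name, source address); dst = src+1, dport = src+3.
OFFSETS = {"4": (16, 18), "6": (12, 15)}

def parse_line(line):
    """Return (action, src, dst, dport) or None for lines that are not usable filterlog records."""
    m = FILTERLOG.search(line)
    f = m.group(1).split(",") if m else []
    if len(f) < 9 or f[8] not in OFFSETS:
        return None
    proto_i, src_i = OFFSETS[f[8]]
    if len(f) < src_i + 2:
        return None
    proto, dport = f[proto_i].lower(), None
    # Only TCP and UDP records carry port fields after the addresses.
    if proto in ("tcp", "udp") and len(f) > src_i + 3 and f[src_i + 3].isdigit():
        dport = f"{f[src_i + 3]}/{proto}"
    return f[6], f[src_i], f[src_i + 1], dport

def top_blocked(lines, n=10):
    """Rank source IPs, destination IPs and destination ports by blocked-packet count."""
    counts = {"src": Counter(), "dst": Counter(), "dport": Counter()}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[0] != "block":
            continue
        _, src, dst, dport = rec
        counts["src"][src] += 1
        counts["dst"][dst] += 1
        if dport:
            counts["dport"][dport] += 1
    return {k: c.most_common(n) for k, c in counts.items()}

if __name__ == "__main__":
    for key, rows in top_blocked(SAMPLE.splitlines()).items():
        print(key, rows)
```

`top_blocked` accepts any iterable of lines, so an open file handle on the log your syslog daemon writes for the firewall host works as input.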
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.