Find issues back in time
fireix last edited by
I had a report from a user that his server was down for a good hour last nigth. How can I go back in time and see if there has been traffic blocked at time time or by IP many hours ago? The web-gui doesn't seem to support this.
I have tried "clog /var/log/filter.log | grep "IP" and also checked the snort GUI to try to see if there are any hosts blocked. I have logging enabled for all rules.
muswellhillbilly last edited by
In my experience, it's best to send system logs to an external syslog server. You avoid filling up the local filesystem with historical data for one thing and - depending on the syslog server you use - you can often find the data more searchable.