Find issues back in time
-
I had a report from a user that his server was down for a good hour last night. How can I go back in time and see if there has been traffic blocked at that time or by IP many hours ago? The web-gui doesn't seem to support this.
I have tried clog /var/log/filter.log | grep "IP" and also checked the snort GUI to try to see if there are any hosts blocked. I have logging enabled for all rules.
-
In my experience, it's best to send system logs to an external syslog server. You avoid filling up the local filesystem with historical data for one thing and - depending on the syslog server you use - you can often find the data more searchable.
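An added example, not part of either post above: a small shell helper for exactly the search the question asks for, which filters pfSense filterlog lines (read from stdin, e.g. clog /var/log/filter.log or an archived syslog file) for block entries inside a time window and, optionally, for one source or destination IP. The sample log lines are constructed, and the CSV field positions are assumed from the pfSense filterlog format (field 7 = action, 17 = protocol, 19 = source, 20 = destination for IPv4).

```shell
#!/bin/sh
# Constructed sample of pfSense filterlog lines. Layout assumed:
# "<syslog timestamp> <host> filterlog: <CSV record>" where the CSV is
# rule,sub-rule,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,
# id,offset,flags,proto-id,proto,len,src,dst,sport,dport,...
SAMPLE_LOG=$(cat <<'EOF'
Oct 12 01:59:58 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51234,443,0,S,,,,
Oct 12 02:15:03 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.7,192.0.2.10,40000,22,0,S,,,,
Oct 12 02:30:44 pfSense filterlog: 100,,,1234567,em0,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51235,443,0,S,,,,
Oct 12 03:05:10 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,17,udp,78,203.0.113.5,192.0.2.10,5353,5353,58
EOF
)

# find_blocks FROM_HHMM TO_HHMM [IP]
# Reads log lines from stdin and prints the block entries whose HH:MM lies in
# [FROM,TO]; with IP given, only entries where IP is the source or destination.
find_blocks() {
  from=$1; to=$2; ip=${3:-}
  awk -v from="$from" -v to="$to" -v ip="$ip" '
    /filterlog:/ {
      hhmm = substr($3, 1, 5)              # $3 is HH:MM:SS; compare on HH:MM
      if (hhmm < from || hhmm > to) next
      csv = $0; sub(/^.*filterlog: /, "", csv)   # keep only the CSV record
      split(csv, f, ",")
      if (f[7] != "block") next             # action field: block / pass
      src = f[19]; dst = f[20]              # IPv4 source and destination
      if (ip != "" && src != ip && dst != ip) next
      printf "%s %s %s %s -> %s proto=%s\n", $1 " " $2, $3, f[5], src, dst, f[17]
    }'
}

# count_blocks FROM TO [IP]: number of matching block entries on stdin
count_blocks() {
  find_blocks "$@" | wc -l | tr -d ' '
}

# Usage on a live box: clog /var/log/filter.log | find_blocks 02:00 03:00 203.0.113.5
printf '%s\n' "$SAMPLE_LOG" | find_blocks 01:00 04:00 203.0.113.5
```

Because clog only holds what still fits in the circular log, the same function run over lines forwarded to an external syslog server is what makes the "many hours ago" search in the question possible.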