Pfsense User Log



  • Hi Guys!

    Where can I see the log file of what a user did, like deleting or changing firewall rules?

    Thank you!



  • diagnostics->backup&restore->config history



  • Is there a file where I can check the config history? Because our config history is only limited up to 50 entries :( I want to review some previous configuration changes.



  • Hi,

    If you save your config regularly, you can "diff" them.

    Use the Auto config backup service.
    Also : I'm using this : https://github.com/KoenZomers/pfSenseBackup - one of my PCs takes a copy of the config every day.

    Btw : pfSense admin rights should only be given to people who know what they are doing. Install the note package so they can put in comments when they change something. If other admins do things that are unknown, consider your system as "not safe", and throw them out.



  • Thank you, Gertjan.

    So it means that there is no way for me to see who could possibly have changed or deleted our firewall rules? :(



  • @dotslashniks said in Pfsense User Log:

    Thank you, Gertjan.

    So it means that there is no way for me to see who could possibly have changed or deleted our firewall rules? :(

    Did you create individual logins for each administrator and tell them not to share credentials with one another? If not, all of the log entries will show that admin made the change from IP address xxx.xxx.xxx.xxx. Maybe you gave all of your administrators static IPs and can tell from that?



  • @tim-mcmanus yes. I created different logins for each administrator. But in what specific log file can I see the changes made to firewall rules? I went to Diagnostics > Backup & Restore > Config History but I cannot find the history where the deletion happened, because it is limited to only 30 backup logs and I had made some new configurations, which means that the older backups were gone.



  • @dotslashniks you can increase the count from 30 to any value.
    Also, you can use a SIEM to get configuration change alerts via email.



  • @vallum Thank you! I am going to search for how to set up that SIEM. Btw, is there a chance that I can retrieve the previous changes that happened?



  • @dotslashniks you can view changes using diff: Diagnostics -> Backup & Restore -> Config History.
    You can also restore them, and the config will be reverted to the date/time you select.



  • @vallum yes. I already went there but I can't find the config that I am searching for, because it was replaced by a new change log. For example, the log I am searching for is number 32, but it is not displayed there because it is limited to only 30. Did you get my point? Thank you btw :)



  • Details that are deleted can't be recovered.

    But, the default "30" can be changed for future usage. It's not a parameter that can be changed with the GUI. You have to do it by editing the config.xml file.

    Info :

    [2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/usr/local/www: cd /etc/inc
    [2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/etc/inc: grep "default_config_backup_count" *
    config.lib.inc: $revisions = intval(is_numericint($config['system']['backupcount']) ? $config['system']['backupcount'] : $g['default_config_backup_count']);
    globals.inc:    "default_config_backup_count" => 30,
    

    So, now we know what to do ;)
    I added

    <backupcount>60</backupcount>
    

    to the config.xml just below the <system> field.
    Like this :

    <pfsense>
            <version>18.9</version>
            <lastchange></lastchange>
            <theme>pfsense_ng</theme>
            <system>
                    <backupcount>60</backupcount>
                    <optimization>normal</optimization>
                    <hostname>pfsense</hostname>
    .........
    

    I tested this : in the /cf/conf/backup directory the number of backup files is now growing toward 60 instead of 30.
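
Added example, not code from any poster in this thread or from the pfSense project: once config revisions are kept (saved copies, or the files in /cf/conf/backup), this Python script diffs the firewall rules of two revisions and reads who saved the newer one. The `<revision>` and `<filter><rule><tracker>` layout, the function names and the sample data are assumptions constructed for illustration; check them against your own config.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample revisions, not taken from the thread. Assumed layout:
# <revision> holds who/when/what, <filter><rule> entries carry a <tracker> id.
OLD_XML = """<pfsense>
 <revision><time>1544000000</time><username>alice@192.0.2.10</username>
  <description>alice@192.0.2.10: Firewall: Rules - saved rule</description></revision>
 <filter>
  <rule><tracker>100</tracker><type>pass</type><destination><port>443</port></destination></rule>
  <rule><tracker>200</tracker><type>block</type><descr>Block guest SMB</descr></rule>
 </filter></pfsense>"""
NEW_XML = """<pfsense>
 <revision><time>1544010000</time><username>bob@192.0.2.20</username>
  <description>bob@192.0.2.20: Firewall: Rules - deleted a rule</description></revision>
 <filter>
  <rule><tracker>100</tracker><type>pass</type><destination><port>8443</port></destination></rule>
  <rule><tracker>300</tracker><type>pass</type><descr>Allow DNS</descr></rule>
 </filter></pfsense>"""

def flatten(elem, prefix=""):
    """Turn one element into {path: text} so whitespace-only differences are ignored."""
    path = prefix + elem.tag
    if len(elem) == 0:
        return {path: (elem.text or "").strip()}
    out = {}
    for child in elem:
        out.update(flatten(child, path + "/"))
    return out

def load_rules(xml_text):
    """Map tracker id -> flattened rule; rules without a tracker are skipped."""
    rules = {}
    for rule in ET.fromstring(xml_text).findall("./filter/rule"):
        tracker = rule.findtext("tracker")
        if tracker:
            rules[tracker.strip()] = flatten(rule)
    return rules

def diff_revisions(old_xml, new_xml):
    """Report rule changes between two revisions plus the newer revision's metadata."""
    old, new = load_rules(old_xml), load_rules(new_xml)
    rev = ET.fromstring(new_xml).find("revision")
    fields = ("time", "username", "description")
    meta = {t: (rev.findtext(t) or "").strip() for t in fields} if rev is not None else {}
    return {"revision": meta,
            "removed": sorted(old.keys() - new.keys()),
            "added": sorted(new.keys() - old.keys()),
            "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k])}

if __name__ == "__main__":
    for key, value in diff_revisions(OLD_XML, NEW_XML).items():
        print(key, value)
```

Run daily against the two most recent saved copies, this only attributes a change when every administrator has an individual login, as raised earlier in the thread.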



  • @gertjan said in Pfsense User Log:

    It's not a parameter that can be changed with the GUI. You have to do it by editing the config.xml file.

    Huh, it can be changed in the GUI.




  • Oops.

    I never saw that "+" on the top right corner.
    That explains why I found code that handles this setting, without finding the GUI part.

    Btw :
    It shows 60 !