Traffic size monitoring
-
Hi all,
My pfsense sends the log towards a splunk instance. I want to monitor the traffic size per IP in my network. In order to verify if the monitoring works, from a virtual machine I downloaded a 4 GB file, but from the log in splunk, I see the connection and a few bytes (more or less 100 bytes).
The same problem appears at the end of the connection. By summing the bytes (or bytes_in, bytes_out) for each IP, I cannot see the full traffic, but only the bytes of the SYN request.
So, is there a way to have this info? Thanks in advance to all!
-
What 'logs' are you actually sending?
It sounds like you really want a netflow collector:
https://docs.netgate.com/pfsense/en/latest/monitoring/graphs/bandwidth-usage.html#netflow
Steve
-
Hi Steve,
I'm sending all syslog to splunk (status > system logs > settings > Remote Syslog Contents).
For instance, the paloalto's bytes log field reports the true bytes sent/received at the end of the connection.
I'll try with your solution. Thanks!
-
If you don't need a full netflow setup one of the other bandwidth monitoring methods on that page may suffice. Given your username though I had assumed netflow.
-
Analyzing the logs on splunk that are sent by the pfsense as you said, if I take for example the bytes field, the latter does not correctly report the size of the data exchanged in a given session. This makes me think that pfsense only reports the first connection and nothing else.
I don't know if there are any settings that can be enabled on pfsense to get this info.
-
That's using Netflow in pfSense 2.6?
How exactly have you configured it? What exactly are you seeing reported?
-
No, I haven't installed the netflow module yet because I was trying to figure out what I could do with the information contained in the logs sent to splunk.
Now I'll try to install it and update you!
-
Then I'm not really sure where you are getting the traffic data from currently. The logs don't record that.
You need Netflow data to see session bytes remotely.
Steve
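-
As an added example (not part of the thread, and not pfSense or Splunk code), this shows where per-session byte counts come from once flow export is in place: it parses flow records and totals octets per IP. It assumes the exporter sends NetFlow v5, which the thread does not specify; the function names, addresses and sample datagram are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 layout (assumed export version; the thread does not name one).
HEADER = struct.Struct("!HHIIIIBBH")                  # 24-byte packet header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")    # 48-byte flow record


def parse_v5(datagram):
    """Yield (src, dst, packets, octets) for each flow record in one datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("short datagram")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram")
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        # f[5] is dPkts, f[6] is dOctets: the whole flow, not one packet.
        yield socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]), f[5], f[6]


def bytes_per_ip(datagrams):
    """Sum flow octets per address, keeping sent and received apart."""
    totals = defaultdict(lambda: {"sent": 0, "received": 0})
    for d in datagrams:
        for src, dst, _pkts, octets in parse_v5(d):
            totals[src]["sent"] += octets
            totals[dst]["received"] += octets
    return dict(totals)


def build_v5(flows):
    """Build a constructed datagram from (src, dst, pkts, octets) tuples."""
    out = HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    for src, dst, pkts, octets in flows:
        out += RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), bytes(4),
                           0, 0, pkts, octets, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0)
    return out


# Constructed sample: a download to a LAN host and the matching upstream flow.
SAMPLE = build_v5([
    ("203.0.113.10", "192.168.1.50", 2000, 3_000_000),
    ("192.168.1.50", "203.0.113.10", 900, 48_000),
])

if __name__ == "__main__":
    for ip, t in sorted(bytes_per_ip([SAMPLE]).items()):
        print(f"{ip:15} sent={t['sent']:>10} received={t['received']:>10}")
```

The v5 octet counter is 32 bits wide, so one record cannot hold a count above 4,294,967,295 bytes; sum every record for a host rather than reading a single one.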