Netgate Discussion Forum
    How to find in syslog that rule was changed

    Firewalling
    6 Posts 3 Posters 392 Views
    • aldomoro

      Hello

      It is not a problem for me to find out that some administrator changed a rule in pfSense. But is it possible to see which rule he changed?

      This is full message that I receive in my syslog, that admin disabled a rule:
      <35>1 2023-08-25T14:49:26.637364+02:00 name.of.pfsense php-fpm 12155 - - /firewall_rules.php: Configuration Change: admin@192.168.46.53 (Local Database): Firewall: Rules - disabled a firewall rule

      But there is no information about which rule he disabled (or enabled, changed).

      Thanks for the info if you know.

      • Gertjan @aldomoro

        @aldomoro said in How to find in syslog that rule was changed:

        But there is no information about which rule he disabled (or enabled, changed).

        There is.

        But let's start with a "less than optimal" situation: more than one guy has admin access?
        Like: more than one person has a key to your house? (Same here: don't do this if you do not fully trust these persons.)

        To find out what happened: connect to the console, or better, SSH.
        You saw:

        15) Restore recent configuration
        

        ?

        Enter option 15 (by typing '15' and enter).
        You can list all the copies.
        Locate the one that was created when this:

        <35>1 2023-08-25T14:49:26.637364+02:00 name.of.pfsense php-fpm 12155 - - /firewall_rules.php: Configuration Change: admin@192.168.46.53 (Local Database): Firewall: Rules - disabled a firewall rule

        happened.

        Locate the other one, just before.

        Now, you need to know this:
        Go here (use god mode .... sorry: option 8)
        Go to /cf/conf/backup

        Example :

        ...
        -rw-r--r-- 1 root wheel 601207 Aug 28 00:47 config-1693090020.xml
        -rw-r--r-- 1 root wheel 601207 Aug 28 07:37 config-1693176420.xml
        -rw-r--r-- 1 root wheel 601310 Aug 28 07:37 config-1693201023.xml
        -rw-r--r-- 1 root wheel 601420 Aug 28 09:21 config-1693201050.xml
        -rw-r--r-- 1 root wheel 601293 Aug 28 09:21 config-1693207268.xml
        ...

        Let's presume config-1693176420.xml was created when the firewall rule was changed.
        So config-1693090020.xml was the file with the previous state.

        Now, use the magic:

        diff config-1693176420.xml config-1693090020.xml
        

        and you see what changed.

        You also know who changed it: 192.168.46.53!

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??
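The procedure in Gertjan's post (timestamp from syslog, the two backups around it, diff), scripted as an added example. This is not code from the post, from Netgate or from pfSense. It assumes that the epoch in a backup's file name is the revision time of the config saved in that file (which is how the post reads the listing), that the syslog time and that revision time agree to within a few seconds, and that rules are `<rule>...</rule>` blocks with a `<descr>` child. The three backup files are constructed here around the thread's own log line; only the log line is from the page.

```shell
#!/bin/sh
# Added example, not the forum's or pfSense's code. Automates Gertjan's steps:
# syslog timestamp -> epoch, pick the backup written by that change and the
# one just before it, diff them, name the <rule> (by <descr>) that changed.
# Assumptions: backup name epoch == revision time of the config inside it;
# syslog time and revision time agree to within a few seconds.

# RFC 5424 timestamp (2023-08-25T14:49:26.637364+02:00) -> Unix epoch, in awk
# so it runs unchanged on FreeBSD (pfSense) and on Linux without GNU date.
syslog_epoch() {
    printf '%s\n' "$1" | awk '{
        y = substr($0,1,4)+0;  m = substr($0,6,2)+0;  d = substr($0,9,2)+0
        H = substr($0,12,2)+0; M = substr($0,15,2)+0; S = substr($0,18,2)+0
        off = 0                                   # seconds east of UTC
        if (substr($0, length($0), 1) != "Z") {
            tz = substr($0, length($0)-5, 6)      # e.g. +02:00
            off = (substr(tz,2,2)*3600 + substr(tz,5,2)*60) * (substr(tz,1,1) == "-" ? -1 : 1)
        }
        if (m <= 2) y--                           # days-from-civil (Hinnant)
        era = int((y >= 0 ? y : y-399) / 400); yoe = y - era*400
        doy = int((153*(m + (m > 2 ? -3 : 9)) + 2)/5) + d - 1
        doe = yoe*365 + int(yoe/4) - int(yoe/100) + doy
        days = era*146097 + doe - 719468
        print days*86400 + H*3600 + M*60 + S - off
    }'
}

# Print "<backup before the change> <backup written by the change>" for event
# epoch $2 among $1/config-*.xml. The shell sorts the glob; 10-digit epochs
# sort the same lexically and numerically.
locate_backups() {
    dir=$1; ev=$2; prev=""
    for f in "$dir"/config-*.xml; do
        stamp=${f##*/config-}; stamp=${stamp%.xml}
        if [ "$stamp" -ge $((ev - 5)) ]; then   # first backup stamped at (or just before) the log time
            [ -n "$prev" ] || { echo "no backup older than the change in $dir" >&2; return 1; }
            printf '%s %s\n' "$prev" "$f"; return 0
        fi
        prev=$f
    done
    echo "no backup stamped at or after $ev in $dir" >&2; return 1
}

# <descr> of the <rule> block in file $1 that contains line number $2.
rule_at_line() {
    awk -v n="$2" '
        /<rule>/   { start = NR; descr = "" }
        /<descr>/  { descr = $0; sub(/.*<descr>(<!\[CDATA\[)?/, "", descr); sub(/(]]>)?<\/descr>.*/, "", descr) }
        /<\/rule>/ { if (start <= n && n <= NR) { print descr; exit } }' "$1"
}

# Put it together: show the diff (old file first) on stderr and return the
# description of the rule holding the first changed line.
explain_change() {
    dir=$1; shift
    set -- $*                                    # split the syslog line; field 2 is the timestamp
    ev=$(syslog_epoch "$2") || return 1
    pair=$(locate_backups "$dir" "$ev") || return 1
    old=${pair% *}; new=${pair#* }
    diff "$old" "$new" >&2 || true
    # first changed line number in the new file, from diff's "11a12"-style hunk header
    n=$(diff "$old" "$new" | sed -n '1s/^[0-9,]*[acd]\([0-9]*\).*/\1/p')
    [ -n "$n" ] || { echo "backups are identical" >&2; return 1; }
    rule_at_line "$new" "$n"
}

# Constructed sample: three backups around the thread's log line. In the one
# stamped with the change time the second rule gains an empty <disabled>
# element, which is how pfSense's config.xml stores a disabled rule.
make_sample_backups() {
    dir=$(mktemp -d)
    cat > "$dir/config-1692960000.xml" <<'EOF'
<?xml version="1.0"?>
<pfsense>
  <filter>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <descr><![CDATA[Allow LAN to any]]></descr>
    </rule>
    <rule>
      <type>block</type>
      <interface>lan</interface>
      <descr><![CDATA[Block guest VLAN to management]]></descr>
    </rule>
  </filter>
</pfsense>
EOF
    awk '/Block guest VLAN/ { print "      <disabled></disabled>" } { print }' \
        "$dir/config-1692960000.xml" > "$dir/config-1692967766.xml"
    cp "$dir/config-1692967766.xml" "$dir/config-1692970000.xml"   # a later, unrelated save
    echo "$dir"
}

# The log line from the thread; the timestamp is what ties it to a backup.
EVENT='<35>1 2023-08-25T14:49:26.637364+02:00 name.of.pfsense php-fpm 12155 - - /firewall_rules.php: Configuration Change: admin@192.168.46.53 (Local Database): Firewall: Rules - disabled a firewall rule'
dir=$(make_sample_backups)
echo "changed rule: $(explain_change "$dir" "$EVENT")"
```

On a real box, point `explain_change` at /cf/conf/backup instead of the sample directory. The five-second tolerance is a guess at the gap between the syslog line and the revision time; widen it if the two never line up, and note that only the first hunk is mapped to a rule, so a save that touched several rules needs the full diff read by hand.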

        • bingo600

          Would this method work too?

          Via the Diagnostics --> Backup page.
          You have a GUI config history, which, my guess is ... does what Gertjan described in the CLI.

          /Bingo

          pfSense+ 23.05.1 (ZFS)

          • Gertjan @bingo600

            @bingo600
            Oh .... lol, there was a GUI 'solution' already for the question:

            How to find in syslog that rule was changed

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            1 Reply Last reply Reply Quote 0
            • A
              aldomoro
              last edited by

              Thank you guys

              It seems pfSense is not so "talkative" as to log everything, so we can only go back through the configuration backups.

              • Gertjan @aldomoro

                @aldomoro

                Normally, a device like pfSense is handled by 1 (one) person.
                Everything is logged in his head. No GUI needed.

                When a device like pfSense is administrated by multiple persons, then the main admin has some preparation to do.
                Examples :
                Open a common Telegram/WhatsApp .... sorry, no, TikTok channel, and have it explained to every candidate that every modification should be annotated on this common channel.
                Or: install the pfSense Notes package, and have every admin 'note' the date and the modification made.

                Or : don't accept this multi admin situation and ongoing "who did what when" question.
                Activate the OpenVPN server, and the one and only admin can change whatever he wants, even when he is on the beach somewhere.

                A "descriptive GUI interaction to a log file" ? While I was thinking about that, I found this : Windows doesn't have thing like that ^^

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.