How to find in syslog that rule was changed
-
Hello
It is not a problem for me to find that some administrator changed a rule in pfSense. But is it possible to see which rule he changed?
This is the full message that I receive in my syslog when an admin disables a rule:
<35>1 2023-08-25T14:49:26.637364+02:00 name.of.pfsense php-fpm 12155 - - /firewall_rules.php: Configuration Change: admin@192.168.46.53 (Local Database): Firewall: Rules - disabled a firewall rule
But there is no information about which rule he disabled (or enabled, changed).
Thanks for the info if you know.
-
@aldomoro said in How to find in syslog that rule was changed:
But there is no information about which rule he disabled (or enabled, changed).
There is.
But let's start with a "less than optimal" situation: more than one guy has admin access?
Like: more than one person has a key to your house? (Same here: don't do this if you do not fully trust these persons.)
To find out what happened: connect to the console, or better, SSH.
You saw:
15) Restore recent configuration
?
Enter option 15 (by typing '15' and Enter).
You can list all the copies.
Locate the one that was created when this:
<35>1 2023-08-25T14:49:26.637364+02:00 name.of.pfsense php-fpm 12155 - - /firewall_rules.php: Configuration Change: admin@192.168.46.53 (Local Database): Firewall: Rules - disabled a firewall rule
happened.
Locate the other one, just before.
Now, you need to know this:
Go here (use god mode .... sorry: option 8)
Go to /cf/conf/backup
Example:
...
-rw-r--r-- 1 root wheel 601207 Aug 28 00:47 config-1693090020.xml
-rw-r--r-- 1 root wheel 601207 Aug 28 07:37 config-1693176420.xml
-rw-r--r-- 1 root wheel 601310 Aug 28 07:37 config-1693201023.xml
-rw-r--r-- 1 root wheel 601420 Aug 28 09:21 config-1693201050.xml
-rw-r--r-- 1 root wheel 601293 Aug 28 09:21 config-1693207268.xml
...
Let's presume config-1693176420.xml was created when the firewall rule was changed.
So config-1693090020.xml was the file with the previous state.
Now, use the magic:
diff config-1693176420.xml config-1693090020.xml
and you see what changed.
You also know who changed it: 192.168.46.53!
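Scripting Gertjan's procedure, as an added example that is not code from the thread or from pfSense: it takes the syslog line quoted above, picks the config-<epoch>.xml backup whose epoch matches the event and the backup written before it, and compares the firewall rules of the two files by their tracker id instead of eyeballing a raw diff of the whole config. The backup naming, the assumption that the matching backup holds the state after the change, the <tracker> and empty <disabled></disabled> conventions, the load_backup callable and all sample config snippets are assumptions made for this demo; on a real box you would have load_backup read the files under /cf/conf/backup.

```python
"""Added example (not code from the thread or from pfSense): correlate a pfSense
'Configuration Change' syslog line with the config-<epoch>.xml backups and report
which firewall rule(s) differ between the backup matching that moment and the one
written before it. All sample data below is constructed."""
import re
from datetime import datetime
import xml.etree.ElementTree as ET

# RFC 5424 line as pfSense forwards it: timestamp, host, page, user, source IP, message.
CHANGE_RE = re.compile(
    r"^<\d+>1 (?P<ts>\S+) (?P<host>\S+) php-fpm \d+ - - (?P<page>\S+): "
    r"Configuration Change: (?P<user>[^@\s]+)@(?P<src>[\d.]+) \([^)]*\): (?P<msg>.*)$"
)
# Assumed backup naming convention: config-<epoch seconds>.xml
BACKUP_RE = re.compile(r"config-(\d+)\.xml$")


def parse_change_event(line):
    """Return epoch seconds plus who/where/what for a config-change line, else None."""
    m = CHANGE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group("ts"))  # offset-aware, so .timestamp() is exact
    return {"epoch": int(ts.timestamp()), "user": m.group("user"),
            "src": m.group("src"), "page": m.group("page"), "msg": m.group("msg")}


def pick_backup_pair(filenames, event_epoch, slack=5):
    """Return (before, after) file names: 'after' is the backup whose epoch lies within
    `slack` seconds of the event, 'before' the newest backup older than it; None if absent."""
    epochs = sorted(int(m.group(1)) for m in map(BACKUP_RE.search, filenames) if m)
    after = next((e for e in epochs if abs(e - event_epoch) <= slack), None)
    older = [e for e in epochs if after is not None and e < after]
    if after is None or not older:
        return None
    return ("config-%d.xml" % older[-1], "config-%d.xml" % after)


def _firewall_rules(xml_text):
    """Map tracker id -> (descr, disabled?, canonical xml) for every <filter><rule>."""
    rules = {}
    for r in ET.fromstring(xml_text).findall("filter/rule"):
        r.tail = None  # ignore the whitespace between rule elements
        key = r.findtext("tracker") or r.findtext("descr", "")
        # Assumption: a disabled rule carries an empty <disabled></disabled> child.
        rules[key] = (r.findtext("descr", ""), r.find("disabled") is not None, ET.tostring(r))
    return rules


def compare_rules(before_xml, after_xml):
    """List (descr, change) pairs: added / removed / disabled / enabled / modified."""
    before, after = _firewall_rules(before_xml), _firewall_rules(after_xml)
    changes = []
    for key in sorted(set(before) | set(after)):
        if key not in before:
            changes.append((after[key][0], "added"))
        elif key not in after:
            changes.append((before[key][0], "removed"))
        elif before[key][1] != after[key][1]:
            changes.append((after[key][0], "disabled" if after[key][1] else "enabled"))
        elif before[key][2] != after[key][2]:
            changes.append((after[key][0], "modified"))
    return changes


def investigate(line, filenames, load_backup):
    """Who changed which rule: event line + the two backups around it. None if no match."""
    event = parse_change_event(line)
    pair = pick_backup_pair(filenames, event["epoch"]) if event else None
    if pair is None:
        return None
    before_name, after_name = pair
    return {"user": event["user"], "src": event["src"], "before": before_name, "after": after_name,
            "changes": compare_rules(load_backup(before_name), load_backup(after_name))}


# --- constructed sample data; the syslog line is the one quoted in the thread ---
SAMPLE_LINE = ("<35>1 2023-08-25T14:49:26.637364+02:00 name.of.pfsense php-fpm 12155 - - "
               "/firewall_rules.php: Configuration Change: admin@192.168.46.53 (Local Database): "
               "Firewall: Rules - disabled a firewall rule")
BEFORE_XML = """<pfsense><filter>
  <rule><tracker>1690000001</tracker><type>pass</type><descr>Allow LAN to any</descr></rule>
  <rule><tracker>1690000002</tracker><type>block</type><descr>Block guest to LAN</descr></rule>
</filter></pfsense>"""
AFTER_XML = BEFORE_XML.replace("<type>block</type>", "<type>block</type><disabled></disabled>")
SAMPLE_BACKUPS = {"config-1692960000.xml": BEFORE_XML,  # older state
                  "config-1692967766.xml": AFTER_XML,   # epoch of the event above
                  "config-1693090020.xml": AFTER_XML}   # later, unrelated backup

if __name__ == "__main__":
    report = investigate(SAMPLE_LINE, SAMPLE_BACKUPS, SAMPLE_BACKUPS.__getitem__)
    print("%s from %s: %s -> %s" % (report["user"], report["src"], report["before"], report["after"]))
    for descr, change in report["changes"]:
        print("  rule %r: %s" % (descr, change))
```

A plain diff of two complete config.xml files also shows unrelated churn (revision timestamp, anything else saved in between), which is why matching the rule entries by tracker id gives a cleaner "which rule" answer than reading the raw diff.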
-
Would this method work too?
Via the Diagnostics --> Backup page.
You have a GUI config history, which, my guess is ... does what Gertjan described in the CLI.
/Bingo
-
@bingo600
Oh .... lol, there was a GUI 'solution' already for the question: How to find in syslog that rule was changed
-
Thank you guys.
It seems pfSense is not so "talkative" as to log everything, so we can only go back to the configuration backups.
-
Normally, a device like pfSense is handled by 1 (one) person.
Everything is logged in his head. No GUI needed.
When a device like pfSense is administrated by multiple persons, then the main admin has some preparation to do.
Examples:
Open a common Telegram/WhatsApp .... sorry, no, TikTok channel, and have it explained to every candidate that every modification should be annotated on this common channel.
Or: install the pfSense Notes package, and have every admin 'note' the date and the modification made.
Or: don't accept this multi-admin situation and the ongoing "who did what when" question.
Activate the OpenVPN server, and the one and only admin can change whatever he wants, even when he is on the beach somewhere.
A "descriptive GUI interaction to a log file"? While I was thinking about that, I found this: Windows doesn't have a thing like that ^^