Netgate Discussion Forum
    Log monitoring

    Firewalling
    11 Posts 5 Posters 4.0k Views
    • srs

      Is there a way that I can monitor a certain address using any log tool in pfSense? My ISP claims that my network is being used to attack a certain IP, but when I use the 'Status -> System logs' tool to search for the possible attack source, it only shows logs for the past six hours or so (2000 lines, the max config); I really need a bigger report or a tool that I could use to monitor the traffic and mark the entries that match the addresses…

      any suggestion would be welcome!

      thanks

      • fluca1978

        What if you place a pass rule to such an address with logging enabled? This will allow you to place a label and then grep the log for such a label. But I have no idea how to get a bigger log (/var/log/filter.log).

        • marcelloc

          You may need to check "log" in pass rules and send pfSense logs to a syslog server.

          Also close external access to pfsense box and change password.

          If you think that your box has been owned, reinstall it.

          Elite Training: http://sys-squad.com

          Help a community developer! ;D

          • srs

            First of all, thanks for the reply, guys!

            In fact, the pfSense box hasn't been taken, but one of my internal client boxes is probably infected with some virus and being used to attack some machine a world away;

            I think I will try to make a pass rule with that address, log it and hope it happens again.

            thanks again.

            • srs

              OK guys, I've found the attacked IP in my logs, but it didn't tell me which internal IP originated the connection:

              Oct 27 09:48:21 WAN2 74.208.164.166:80 172.16.2.2:45072 TCP:RA

              How can I trace this connection to my LAN client?

              thanks

              • Metu69salemi

                Can you see the MAC address for that in the ARP table?
                After that you can follow the switches where that MAC resides (if you have managed switches).

                • srs

                  No, I can't see its MAC in the ARP table. Is there any software in the repository that I can install that may give more info about firewall logs? Thanks!

                  • marcelloc

                    Combine the info with a deeper packet analyser like Snort.

                    Elite Training: http://sys-squad.com

                    Help a community developer! ;D

                    • johnpoz LAYER 8 Global Moderator

                      I would put a pass or even deny rule on your LAN side to that IP in question and log it, and send your logs to a syslog server so you have full logs.

                      This way you should see the local lan IP that is sending traffic to the outside public IP.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11
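A small parser for the log layout quoted earlier in the thread, written as an added example (not from the thread, and not pfSense's own tooling): it filters entries for one external address and tallies the peer address per interface, which is why only entries logged on the LAN side reveal the client behind NAT. All sample lines except the one quoted from the post are constructed.

```python
"""Find which local addresses exchanged traffic with one external IP.

Added example. Lines follow the layout shown in the post above:
  <timestamp> <interface> <src>:<sport> <dst>:<dport> <proto[:flags]>
The real /var/log/filter.log layout differs; this parser only handles
the displayed form, so adapt LINE_RE before pointing it at a live file.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<iface>\S+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"(?P<proto>\S+)$"
)

# Constructed sample log. The first line is the one quoted in the thread;
# the LAN lines are what a logging rule on the LAN interface would add.
SAMPLE_LOG = [
    "Oct 27 09:48:21 WAN2 74.208.164.166:80 172.16.2.2:45072 TCP:RA",
    "Oct 27 09:48:20 LAN 192.168.1.37:45072 74.208.164.166:80 TCP:S",
    "Oct 27 09:48:22 LAN 192.168.1.37:45073 74.208.164.166:80 TCP:S",
    "Oct 27 09:50:01 LAN 192.168.1.12:51000 8.8.8.8:53 UDP",  # unrelated
]


def parse_line(line):
    """Return the fields of one log line as a dict, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def peers_of(lines, target):
    """Map interface -> {peer_ip: hit_count} for every entry involving target.

    On the WAN side NAT has already rewritten the client address, so the
    peer seen there is the firewall's own WAN address (172.16.2.2 in the
    quoted line); the client is only visible in LAN-side entries.
    """
    result = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format instead of failing
        if rec["src"] == target:
            result[rec["iface"]][rec["dst"]] += 1
        elif rec["dst"] == target:
            result[rec["iface"]][rec["src"]] += 1
    return {iface: dict(c) for iface, c in result.items()}


if __name__ == "__main__":
    for iface, peers in peers_of(SAMPLE_LOG, "74.208.164.166").items():
        print(iface, peers)
```

Running it on a syslog export instead of SAMPLE_LOG means reading the file into a list of lines; the WAN2 entry resolves only to the firewall's address, while the LAN entries name the client.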

                      • srs

                        Thanks Marcelo and John; actually I've installed Squid in order to have these LAN logs and have found some log entries that correlate that IP with an internal IP; but both your ideas are interesting and I think I must implement both!

                        Thanks again

                        • fluca1978

                          @srs:

                          No, I can't see its MAC in the ARP table. Is there any software in the repository that I can install that may give more info about firewall logs? Thanks!

                          Just for the record: an inverse ARP lookup should do the trick!
                          The command should be:

                          arp -a IP-address
                          
                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.