Netgate Discussion Forum

Log file question

General pfSense Questions
12 Posts 5 Posters 24.7k Views
cuddleintx, Feb 8, 2008, 3:47 AM

I have the system log set to show the last 500 log entries (default). I just found out that my web server got hacked and I need to go back to Feb 5 at 7:12am to see what IP address they came from.

I do not have a syslog server set up yet; is there any way I can go back 2 days and see this info? Are the logs stored in a temporary file that I can go look at?

Thanks,
Lee
(pfSense Newbie)
Cry Havok, Feb 8, 2008, 7:04 AM

It looks like what you get via the GUI is what's stored on the system (just had a quick look). I'm afraid you're out of luck.
cuddleintx, Feb 8, 2008, 10:29 PM

Thanks, I appreciate your help. I am working on a syslog server to capture all my log files.
cuddleintx, Feb 15, 2008, 10:01 PM

Where are the log files stored in the pfSense file system? Which directory? Thanks...
GruensFroeschli, Feb 15, 2008, 10:10 PM

In RAM.
Hence when you reboot they're all lost.

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
cuddleintx, Feb 16, 2008, 3:42 AM

So to clarify, any log files kept by pfSense are ONLY stored in RAM? What if, when creating a new rule, I check "Log packets that are handled by this rule"; will these logs only be stored in RAM and not on the hard drive? If so, then it sounds like a syslog server is the only way to get the log files onto a hard drive. Am I correct?
GruensFroeschli, Feb 16, 2008, 10:00 AM

Yes, you need a syslog server.

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
marcoof, Mar 28, 2008, 12:05 PM

Hi!

I want, for some reason, to keep the captive portal logs.
I don't want a syslog server to do it...

I have thought of 3 possibilities:

• keep the log on a USB/HDD disk (day by day)
• send e-mail with the logs
• or, if it's possible, install MySQL on pfSense + accounting, install FreeRADIUS, and make a piece of software to show the log and create RADIUS users.

Which solution could be the best?

Regards,
Marc
GruensFroeschli, Mar 28, 2008, 1:50 PM

@marcoof:

> keep the log on a USB/HDD disk (day by day)

Storing the logs on a USB stick is a bad idea. It will die due to repeated writes.
A hard disk would be possible.
I think this is a planned feature for a future version (without ETA).

> send e-mail with the logs

I don't remember and can't find it right now, but I think someone here on the forum wrote a script that does this.
(It could be for something else, but I think it was for the logs.)

> or, if it's possible, install MySQL on pfSense + accounting, install FreeRADIUS, and make a piece of software to show the log and create RADIUS users.

Don't ever do that!
pfSense is a firewall and as such a security-critical system.
You don't make it more secure by installing a database on it...
If you want a database, install it on another computer. But then you're back to: set up a syslog server
(really: do that. It's the easiest way).

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
marcoof, Apr 27, 2008, 8:10 PM

I have just finished the work.

I replaced syslog with syslog-ng; it works great.
I have made a script that sends the logs by e-mail and rotates the log.
The logs are stored on the pfSense HDD, and I think they could be sent to an external HDD or similar.

If someone thinks it's a good idea, I can make a how-to.
Marc
hoba, Apr 28, 2008, 6:58 PM

@marcoof:

> I have just finished the work.
>
> I replaced syslog with syslog-ng; it works great.
> I have made a script that sends the logs by e-mail and rotates the log.
> The logs are stored on the pfSense HDD, and I think they could be sent to an external HDD or similar.
>
> If someone thinks it's a good idea, I can make a how-to.
> Marc

Sure, let people know how you solved this :)
marcoof, Apr 28, 2008, 10:24 PM

Hi Hoba!

I haven't solved anything, just modified my pfSense box to do what I need...
I have understood why the logs are in RAM and why clog generates circular log files.

This is the start of my work... on a 1.2 RC2 release.
Suggestions are welcome!

Do not try it if you don't have enough space on your HDD!

1. Install ssmtp:

```
# setenv PACKAGESITE ftp://ftp4.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/Latest/
# pkg_add -r redir

# pkg_add -r ssmtp
```

2. Rename the conf file /usr/local/etc/ssmtp.conf.sample to ssmtp.conf.
Modify this file (give your SMTP server parameters).

This is my ssmtp.conf file:

```
#
# /etc/ssmtp.conf -- a config file for sSMTP sendmail.
#
# The person who gets all mail for userids < 1000
# Make this empty to disable rewriting.
root=

# The place where the mail goes. The actual machine name is required,
# no MX records are consulted. Commonly mailhosts are named mail.domain.com
# The example will fit if you are in domain.com and your mailhub is so named.

# Example for SMTP port number 2525
# mailhub=mail.your.domain:2525

# Example for SMTP port number 25 (Standard/RFC)
mailhub=smtp.wanadoo.fr:25

# Example for SSL encrypted connection
# mailhub=mail.your.domain:465

# Where will the mail seem to come from?
#rewriteDomain=

# The full hostname
#hostname=

# Set this to never rewrite the "From:" line (unless not given) and to
# use that address in the "from line" of the envelope.
FromLineOverride=YES

# Use SSL/TLS to send secure messages to server.
#UseTLS=YES

# Use SSL/TLS certificate to authenticate against smtp host.
#UseTLSCert=YES

# Use this RSA certificate.
#TLSCert=/usr/local/etc/ssmtp/ssmtp.pem
```

I've just modified mailhub= and uncommented FromLineOverride=YES.

3. Install syslog-ng:

```
# pkg_add -r syslog-ng
```

4. Edit /usr/local/etc/syslog-ng/syslog-ng.conf (read the docs first).
This is my conf, not finished (I catch all logs into the messages log).
This is just an example...

```
# This sample configuration file is essentially equivalent to the stock
# FreeBSD /etc/syslog.conf file.

options { long_hostnames(off); sync(0); };

# sources
source src { unix-dgram("/var/run/log");
             unix-dgram("/var/run/logpriv" perm(0600));
             udp(); internal(); file("/dev/klog"); };

# destinations
destination firewall { file("/log/$DAY$MONTH$YEAR/filter.log" create_dirs(yes)); };
destination vpn { file("/log/$DAY$MONTH$YEAR/vpn.log" create_dirs(yes)); };
destination portalauth { file("/log/$DAY$MONTH$YEAR/portalauth.log" create_dirs(yes)); };
destination dhcp { file("/log/$DAY$MONTH$YEAR/dhcpd.log" create_dirs(yes)); };
destination messages { file("/log/$DAY$MONTH$YEAR/messages.log" create_dirs(yes)); };
destination cron { file("/log/$DAY$MONTH$YEAR/cron.log" create_dirs(yes)); };
destination auth { file("/log/$DAY$MONTH$YEAR/auth.log" create_dirs(yes)); };
destination sshlockout { program("/usr/local/sbin/sshlockout_pf"); };

destination ntpd { file("/log/$DAY$MONTH$YEAR/ntpd.log" create_dirs(yes)); };
destination ipsec { file("/log/$DAY$MONTH$YEAR/ipsec.log" create_dirs(yes)); };
destination openvpn { file("/log/$DAY$MONTH$YEAR/openvpn.log" create_dirs(yes)); };

# Define filters

# Level Filters
filter f_emerg { level (emerg); };
filter f_alert { level (alert .. emerg); };
filter f_crit { level (crit .. emerg); };
filter f_err { level (err .. emerg); };
filter f_warning { level (warning .. emerg); };
filter f_notice { level (notice .. emerg); };

# Facility Filters
filter f_auth { facility(auth, authpriv); };
filter f_authpriv { facility(authpriv); };
filter f_syslog { facility (syslog); };
filter f_cron { facility (cron); };
#filter f_local0 { facility (local0); };
filter f_local1 { facility (local1); };
filter f_local2 { facility (local2); };
filter f_local3 { facility (local3); };
filter f_local4 { facility (local4); };
filter f_local5 { facility (local5); };
filter f_local6 { facility (local6); };
filter f_local7 { facility (local7); };
filter ntp { program (ntpd); };
filter f_racoon { program (racoon); };
filter f_openvpn { program (openvpn); };
#filter f_firewall-drop { facility (local0) and match("drop"); };
filter f_firewall-pass { facility (local0) and match("pass"); };

#log { source(src); filter(f_local0); destination(firewall); };
log { source(src); filter(f_firewall-pass); destination(firewall); };
log { source(src); filter(f_local3); destination(vpn); };
log { source(src); filter(f_local4); destination(portalauth); };
log { source(src); filter(f_local7); destination(dhcp); };
#log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_auth); destination(auth); };
log { source(src); filter(f_auth); destination(sshlockout); };
log { source(src); filter(ntp); destination(ntpd); };
log { source(src); filter(f_racoon); destination(ipsec); };
log { source(src); filter(f_openvpn); destination(openvpn); };
log { source(src); destination(messages); };
```

5. Modify the /etc/rc file and comment out the creation of the clog files
(or, better, test whether syslog-ng exists and do an if/else):

```sh
# generate circular logfiles
#if [ ! "$PLATFORM" = "cdrom" ]; then
#    clog -i -s 512144 /var/log/system.log
#    clog -i -s 512144 /var/log/filter.log
#    clog -i -s 65535 /var/log/dhcpd.log
#    clog -i -s 65535 /var/log/vpn.log
#    clog -i -s 65535 /var/log/openvpn.log
#    clog -i -s 65535 /var/log/portalauth.log
#    clog -i -s 65535 /var/log/ipsec.log
#    clog -i -s 65535 /var/log/slbd.log
#    clog -i -s 65535 /var/log/lighttpd.log
#    clog -i -s 65535 /var/log/ntpd.log
#else
#    clog -i -s 65535 /var/log/system.log
#    clog -i -s 65535 /var/log/filter.log
#    clog -i -s 65535 /var/log/dhcpd.log
#    clog -i -s 65535 /var/log/vpn.log
#    clog -i -s 65535 /var/log/openvpn.log
#    clog -i -s 65535 /var/log/portalauth.log
#    clog -i -s 65535 /var/log/ipsec.log
#    clog -i -s 65535 /var/log/slbd.log
#    clog -i -s 65535 /var/log/ntpd.log
#fi

# change permissions on newly created clog files.
#chmod 0600 /var/log/system.log /var/log/filter.log /var/log/dhcpd.log /var/log/vpn.log /var/log/portalauth.log /var/log/slbd.log
```

6. Start syslog-ng (you can insert it before the cron start):

```sh
echo -n "Starting Syslog-ng... "
/usr/local/sbin/syslog-ng
echo "done."
```

7. Modify /etc/rc.bootup and comment out the original syslog start:

```php
/* start syslogd */
/* system_syslogd_start(); */
```

8. Stop syslogd and start syslog-ng to test that all is OK.

9. Reboot.

At this point you have syslog-ng working on your system, and you can send mail.

You can make your own script to send the logs by mail and rotate the log files...

I've made a little script for myself that sends the log by mail and deletes the directory older than one year...


                          #!/bin/sh
                          #Require ssmtp & syslog-ng

                          chemin des logs

                          path=/log/$(date '+%d%m%Y')

                          Les variables des dates

                          jour=$(date '+%d%m')
                          annee=$(date '+%Y')
                          anterieur=$(($annee-1))

                          les variables d'email (envoi de mail email =oui ou non)

                          email=oui
                          expediteur=xxx@wanadoo.fr
                          destinataire=xxx@mkws.net
                          sujet='Log Wifi du '$jour$annee''

                          On génere le header(pour ssmtp), on l'insere dans le fichier log, et envoi du mail

                          if cat $path/portalauth.log | grep -a logportalauth > /dev/null;
                          then echo -e "From:$expediteur\nTo:$destinataire\nSubject:$sujet\n" > $path/$jour$annee.log
                          echo -e "\nPortail Captif:" | tee -a $path/$jour$annee.log > /dev/null
                          cat $path/portalauth.log | grep -a logportalauth | tee -a $path/$jour$annee.log > /dev/null
                          echo -e "\nServeur Dhcp:" | tee -a $path/$jour$annee.log > /dev/null
                          cat $path/dhcpd.log | grep -a DHCPACK | tee -a $path/$jour$annee.log > /dev/null
                          echo -e "\nPare-feu:" | tee -a $path/$jour$annee.log > /dev/null
                          cat $path/filter.log | grep -a rule | tee -a $path/$jour$annee.log > /dev/null

                          else echo -e "From:$expediteur\nTo:$destinataire\nSubject:$sujet\n" > $path/$jour$annee.log
                          echo -e "\nPortail Captif:" | tee -a $path/$jour$annee.log > /dev/null
                          echo "Pas de connexion au portail captif aujourd'ui!" | tee -a $path/$jour$annee.log > /dev/null
                          fi

                          case $email in
                          oui)
                          /usr/local/sbin/ssmtp $destinataire < $path/$jour$annee.log;;
                          non)
                          ;;
                          esac

                          #On verifie l'existence du répertoire de l'année antérieur et on le supprime
                          [ -d $path/$jour$anterieur ]&& rm -Rf $path/$jour$anterieur

----------------------------------------------------------------------------------------------------
                          Marc
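The thread's answer to the original question (logs live in RAM, so ship them to a syslog server that keeps them on disk) is easy to get wrong in the retention step, as the posted script shows. The following is an added example, not marcoof's or pfSense's code: a minimal syslog collector that writes each received datagram into a DDMMYYYY directory named like the `$DAY$MONTH$YEAR` layout in the syslog-ng config above, routes by facility the same way that config does (local0 to filter.log, local3 to vpn.log, local4 to portalauth.log, local7 to dhcpd.log, auth/authpriv to auth.log, everything else to messages.log), and purges only dated directories older than a retention window. It assumes pfSense sends RFC 3164 datagrams to UDP 514, a base directory of /var/log/pfsense, and the sample lines in it are constructed, not real pfSense output. The collector records the sender address with each line because syslog over UDP is unauthenticated; bind it (and the `udp()` source in the posted syslog-ng config) to the LAN address rather than all interfaces.

```python
"""Added example: keep pfSense syslog on disk, per day and per facility, with retention.
Not code from the thread. Assumes RFC 3164 datagrams on UDP 514; sample lines are constructed."""
import os
import re
import shutil
import socket
import tempfile
from datetime import date, datetime, timedelta

# Facility number -> file name, mirroring the destinations in the posted syslog-ng.conf.
FACILITY_FILES = {
    4: "auth.log",          # auth
    10: "auth.log",         # authpriv
    16: "filter.log",       # local0: pf rule matches
    19: "vpn.log",          # local3
    20: "portalauth.log",   # local4: captive portal logins
    23: "dhcpd.log",        # local7
}
CATCHALL = "messages.log"   # everything else, like the unfiltered log{} statement

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def parse_pri(line):
    """Return (facility, severity, message) for an RFC 3164 line.
    A datagram with a missing or out-of-range PRI is treated as user.notice (1, 5)."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return 1, 5, line
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)

def route(line):
    """Pick the per-day file a line belongs in, by facility only."""
    return FACILITY_FILES.get(parse_pri(line)[0], CATCHALL)

def day_dir(base, day):
    """DDMMYYYY directory, the same layout as $DAY$MONTH$YEAR in the syslog-ng config."""
    return os.path.join(base, day.strftime("%d%m%Y"))

def store(base, line, day=None, peer="?"):
    """Append one received line to base/DDMMYYYY/<file>, prefixed with the sender address."""
    d = day_dir(base, day or date.today())
    os.makedirs(d, mode=0o700, exist_ok=True)
    path = os.path.join(d, route(line))
    with open(path, "a", encoding="utf-8", errors="replace") as fh:
        fh.write("%s %s\n" % (peer, line.rstrip()))
    return path

def purge_older_than(base, days, today=None):
    """Remove dated directories older than `days`; anything not named DDMMYYYY is left alone."""
    cutoff = (today or date.today()) - timedelta(days=days)
    removed = []
    for name in os.listdir(base):
        try:
            when = datetime.strptime(name, "%d%m%Y").date()
        except ValueError:
            continue  # not one of our dated directories
        if when < cutoff:
            shutil.rmtree(os.path.join(base, name))
            removed.append(name)
    return sorted(removed)

# Constructed sample datagrams in the rough shape pfSense 1.2 emits (PRI = facility*8 + severity).
SAMPLE_LINES = [
    "<134>Feb  7 07:12:01 pfsense pf: rule 2/0(match): pass in on em0: 203.0.113.5 > 192.0.2.10",
    "<166>Feb  7 07:13:10 pfsense logportalauth[1234]: LOGIN: lee, 00:11:22:33:44:55, 192.168.1.50",
    "<190>Feb  7 07:13:11 pfsense dhcpd: DHCPACK on 192.168.1.50 to 00:11:22:33:44:55 via em1",
    "<38>Feb  7 07:14:00 pfsense sshd[880]: Accepted keyboard-interactive/pam for admin",
    "<78>Feb  7 07:15:00 pfsense /usr/sbin/cron[900]: (root) CMD (/usr/bin/nice -n20 newsyslog)",
]

def demo():
    """Store the samples as of 7 Feb 2008, then purge with a one-year retention window."""
    base = tempfile.mkdtemp(prefix="pflog-")
    today = date(2008, 2, 7)
    written = {os.path.basename(store(base, l, day=today, peer="10.0.0.1")) for l in SAMPLE_LINES}
    os.makedirs(day_dir(base, date(2007, 2, 5)))  # older than a year: must go
    os.makedirs(day_dir(base, date(2008, 2, 5)))  # two days old: must stay (the OP's case)
    removed = purge_older_than(base, days=365, today=today)
    kept = sorted(os.listdir(base))
    shutil.rmtree(base)
    return {"files": sorted(written), "removed": removed, "kept": kept}

def serve(base="/var/log/pfsense", bind="0.0.0.0", port=514):
    """Receive datagrams forever and write them to disk (port 514 needs root; bind to the LAN IP)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, (peer, _) = sock.recvfrom(8192)
        store(base, data.decode("utf-8", "replace"), peer=peer)

if __name__ == "__main__":
    print(demo())
```

`demo()` exercises the same two cases the thread cares about: a two-day-old directory survives a one-year purge (so the OP could still read Feb 5), while a directory from the previous year is removed. `purge_older_than` only ever deletes names that parse as DDMMYYYY, so a typo in the base path cannot wipe unrelated files.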

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.