Log monitoring and firewall updates for dummies?



  • I'm looking for a good remote logging/monitoring tool for pfSense.  If it can monitor and keep track of my webserver logs that's a big plus.
    I have looked at the ELK stack and Graylog and followed some tutorials on getting them set up.  Those are pretty hit or miss.

    I finally found a tutorial on ELK that got me a working ELK installation, however, I couldn't get logstash to accept remote input from pfSense.
    I'm sure both of those are excellent tools, if you have the time to learn all of the underlying scripting languages and software packages. 
    I don't.  I have a day job that takes a lot of time, but I still have my home domain and private network to protect.

    The reason I ask about this is that I see a lot of brute force attacks on my web server in the apache logs.
    I have used an appliance somewhat similar to pfSense in the past that simplified adding additional blocks at the firewall by adding a button next to log entries to allow the user to add a drop rule for the source IP address.
    I would locate the IP address in the firewall logs and add a drop rule for any packet from that source.

    This may exist in pfSense, I just can't figure it out in the limited nights/weekends that I have to absorb content.

    I'm sure someone out there is running into the same issue – not looking for automatic blocking updates, but somehow highlighting problematic IP addresses/ranges that can be blocked.
    A vast majority of the attacks appear to be automated brute force attacks walking through known vulnerabilities.
    I have found in the past that if you set up a drop rule for 30 days or so the source usually moves on to other targets.

    Any suggestions on this?
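One way to get the "highlight, don't auto-block" view the post asks for, as an added example that is not part of the original thread and not pfSense, ELK or Apache code: it reads Apache "combined" access-log lines, counts 401/403/404 responses per source IP (what automated vulnerability-walking scanners mostly produce) and prints the addresses worth a manual drop rule. The threshold, the status set and the sample lines are assumptions.

```python
"""Rank source IPs in Apache access-log lines by how many 401/403/404 responses they
drew. Added example for this thread, not pfSense/ELK/Apache code; it assumes the
Apache "combined" LogFormat and prints candidates for a manual block, nothing more."""
import re
from collections import Counter, defaultdict

# combined: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i" (only the first six used)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
SUSPICIOUS_STATUS = {401, 403, 404}  # what automated vuln-walking scanners mostly produce

def parse_line(line):
    """Return (ip, status, request-line) or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return (m.group("ip"), int(m.group("status")), m.group("req")) if m else None

def rank_sources(lines, threshold=5):
    """Return [(ip, count, sorted probed paths)] for IPs with >= threshold suspicious
    responses, highest count first. Unparseable lines are skipped, not fatal."""
    misses, paths = Counter(), defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, status, req = parsed
        if status in SUSPICIOUS_STATUS:
            misses[ip] += 1
            parts = req.split()            # "GET /path HTTP/1.1"
            if len(parts) >= 2:
                paths[ip].add(parts[1])
    return [(ip, n, sorted(paths[ip])) for ip, n in misses.most_common() if n >= threshold]

# Constructed sample lines using TEST-NET addresses; not real traffic.
SAMPLE = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{i:02d} +0000] "GET {p} HTTP/1.1" 404 196 "-" "python-requests/2.31"'
    for i, p in enumerate(["/wp-login.php", "/phpmyadmin/", "/.env", "/admin/", "/xmlrpc.php", "/.git/config"])
] + [
    '198.51.100.20 - - [10/Oct/2023:13:56:01 +0000] "GET /robots.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '192.0.2.1 - - [10/Oct/2023:13:56:02 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    "this line is not an access-log entry and must be skipped",
]

if __name__ == "__main__":
    for ip, n, probed in rank_sources(SAMPLE):
        print(f"{ip}: {n} suspicious responses; probed {', '.join(probed)}")
```

On a real box, feed it `open("/var/log/apache2/access.log")` instead of `SAMPLE`; the one genuine 404 from 198.51.100.20 stays below the threshold, which is the point of ranking rather than blocking every miss.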



  • @MakOwner:

    I finally found a tutorial on ELK that got me a working ELK installation, however, I couldn't get logstash to accept remote input from pfSense.

    If you had a working ELK installation, then all you need to do is set your firewall to send the syslog data to it. (Status/Settings + System Logs tab). What was the result when you tried? By that, I mean did you get any error messages?



  • @muswellhillbilly:

    @MakOwner:

    I finally found a tutorial on ELK that got me a working ELK installation, however, I couldn't get logstash to accept remote input from pfSense.

    If you had a working ELK installation, then all you need to do is set your firewall to send the syslog data to it. (Status/Settings + System Logs tab). What was the result when you tried? By that, I mean did you get any error messages?

    Obviously the ELK system wasn't working as it should have been – pfSense simply shows the remote logging host as down.
    What would be the first place to look for issues on the ELK side? In Logstash or Kibana, or some system setting on the server where it ran?
    I poked around in the error logs I could easily find and saw logstash restarting, but no indications other than that.

    Given that I know nothing about ELK and don't have a lot of free time at the moment to learn it, I'm looking for something a bit more intuitive to use and troubleshoot.



  • @MakOwner:

    Obviously the ELK system wasn't working as it should have been – pfSense simply shows the remote logging host as down.

    Before you trash the ELK server, may I ask if you either have a firewall operating between your ELK server and your pfSense machine, or whether you have the firewall service running on your ELK server? From the command-prompt you can run 'iptables -l' to get a list of all the firewall rules running on the ELK system. If you do, try running 'service iptables stop' and see if that solves the issue.

    I don't know what your network is like - whether your ELK server is running on the same internal network as your PFS, for instance - but assuming the ELK is on the same network as the LAN side of your PFS you ought to be ok disabling the firewall on the ELK.
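A quick way to settle whether the datagrams from pfSense reach the ELK box at all (a host firewall blocking them and Logstash not listening look identical from the pfSense side), as an added example that is not part of the thread and not pfSense or Elastic code: a minimal UDP syslog receiver that prints what arrives and decodes the RFC 3164 PRI field. It assumes pfSense's remote logging target is set to this host on UDP 5140 (514 needs root) and that nothing else is bound to that port; on a Linux host the rule listing referred to above is `iptables -L`.

```python
"""Minimal UDP syslog receiver: confirms that pfSense's remote-log datagrams reach the
ELK host at all before Logstash is blamed. Added example for this thread, not pfSense or
Elastic code. Assumes pfSense's remote logging target is set to this host and port."""
import socket

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {0: "kern", 1: "user", 3: "daemon", 4: "auth", 5: "syslog", 16: "local0",
              17: "local1", 18: "local2", 19: "local3", 20: "local4", 21: "local5"}

def parse_syslog(datagram):
    """Parse a BSD-syslog (RFC 3164) datagram; PRI = facility * 8 + severity. None if no <PRI>."""
    text = datagram.decode("utf-8", errors="replace")
    end = text.find(">")
    if not text.startswith("<") or end < 2 or not text[1:end].isdigit():
        return None
    pri = int(text[1:end])
    if pri > 191:                      # 23 facilities * 8 + 7 is the largest legal PRI
        return None
    facility, severity = divmod(pri, 8)
    return {"pri": pri, "facility": FACILITIES.get(facility, str(facility)),
            "severity": SEVERITIES[severity], "message": text[end + 1:]}

def receive(bind_addr="0.0.0.0", port=5140, max_datagrams=5, timeout=30.0):
    """Bind UDP, read up to max_datagrams (or until timeout), return parsed entries.
    Port 5140 needs no root; set pfSense to host:5140, or run as root on 514."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        sock.settimeout(timeout)
        while len(results) < max_datagrams:
            try:
                data, (src, _) = sock.recvfrom(65535)
            except socket.timeout:
                break          # nothing arrived: check host firewall and pfSense target
            entry = parse_syslog(data) or {"raw": data}
            entry["from"] = src
            results.append(entry)
    return results

# Constructed sample shaped like a pfSense filterlog line (not captured traffic).
SAMPLE = b"<134>Oct 10 13:55:00 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4"

if __name__ == "__main__":
    for entry in receive():
        print(entry["from"], entry.get("severity"), entry.get("message", entry.get("raw")))
```

If this script sees datagrams but Logstash does not, the problem is in the Logstash input configuration; if it sees nothing within the timeout, look at the host firewall or the pfSense remote-logging target first.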



  • @muswellhillbilly:

    @MakOwner:

    Obviously the ELK system wasn't working as it should have been – pfSense simply shows the remote logging host as down.

    Before you trash the ELK server, may I ask if you either have a firewall operating between your ELK server and your pfSense machine, or whether you have the firewall service running on your ELK server? From the command-prompt you can run 'iptables -l' to get a list of all the firewall rules running on the ELK system. If you do, try running 'service iptables stop' and see if that solves the issue.

    I don't know what your network is like - whether your ELK server is running on the same internal network as your PFS, for instance - but assuming the ELK is on the same network as the LAN side of your PFS you ought to be ok disabling the firewall on the ELK.

    I thought I had disabled the firewall on the ELK setup, but it won't hurt to double check.

    Network between pfSense and the ELK VM is a flat class B.  Network adapter in the VM is bridged.

