Suggestions on how to log states



  • Hi to all. For legal requirements I need to log the connections that pass through my pfSense, which acts as router and NAT, with this information:
    Date&Time - Private IP (LAN) and port - Destination IP and port. On Linux conntrack can do this job; on pfSense what could I use?



  • You can send the firewall logs off to a remote syslog server. I use ELK for this, though there are plenty of syslog servers which will do the same job. http://www.networkassassin.com/elk-for-network-operations/


  •
    What country are you in?  What is the point of logging the private IP?  Do you log who has which specific private IP at which specific times?

    This is just such a 1984-world type of requirement that it's not even funny…



  • In the UK the government passed a new consumer rights law a short while ago which, amongst other things, means that if an individual gets infected with malware/a virus or hacked from a legitimate online provider, be it buying and selling software online, streaming movies from Amazon or Netflix, or even simply accessing a website to do some online shopping, the consumer can now seek compensation over and above just getting the problem rectified. I suspect it's in case they can't get the spooks' charter through parliament, which basically allows GCHQ to hack UK-based individuals and companies and increases the logging etc.

    In other words it's in the interests of all UK consumers to have good systems to detect any problems in order to seek compensation, and it's in the interests of anyone doing business online in the UK to make sure their systems don't get hacked and unknowingly become a distributor of malware/viruses etc.

    The UK has always been 1984; it's probably one of the things it leads the world in, along with hacking and lying. I've always been of interest to the spooks because my uncle was the first person to bring a modem into the UK, and even BT was using his trademark Voyager on their routers at one point, hence why I see so much hacking on my systems.



  • For my part, monitoring the network in this way is to keep a lookout for malware outbreaks, particularly if they create so much traffic that they start to have an effect on the rest of the network.

    http://www.gfi.com/blog/reasons-monitor-internet-usage-organization/



  • @muswellhillbilly:

    You can send the firewall logs off to a remote syslog server. I use ELK for this, though there are plenty of syslog servers which will do the same job. http://www.networkassassin.com/elk-for-network-operations/

    WOW! Looks really wonderful  ;D Can it also store this data? I will try this software, thx  ;)
    BTW this is new to me! I'm already using a remote syslog to store the firewall log; I did not know that pfSense also sends this state data through syslog.

    @muswellhillbilly:

    For my part, monitoring the network in this way is to keep a lookout for malware outbreaks, particularly if they create so much traffic that they start to have an effect on the rest of the network.

    http://www.gfi.com/blog/reasons-monitor-internet-usage-organization/

    Yeah, I really second this. One day, by chance, I saw too many states on the pfSense home page, and most of them belonged to a customer that was opening thousands of connections with destination port 3389 and incremental destination IPs. Obviously it was a bot's fault on a Windows XP "server"  :o

    @johnpoz:

    What country are you in?  What is the point of logging the private IP?  Do you log who has which specific private IP at which specific times?

    This is just such a 1984-world type of requirement that it's not even funny…

    I'm in Italy. I have to be able to demonstrate that a particular illegal internet activity that may be performed by a customer through the public IP can be "translated" into the corresponding private IP.

    Please excuse my English  :D



  • After some time I have finally installed my ELK log system (I only need to adjust the appearance), and obviously it doesn't log all traffic by default (states are not sent through syslog): you need to tick "Log packets that are handled by this rule" in every firewall rule.
    I know that this thread is old, but it can be useful for those looking to log states to know this.
    PS: ELK seems hard to configure, but the result seems to be amazing  ;D
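As an added example (not from this thread or from pfSense), a small Python parser for the filterlog lines pfSense forwards to a remote syslog once "Log packets that are handled by this rule" is enabled on the rules: it extracts the date/time, private IP and port, and destination IP and port the original poster asked for, and flags the one-source-to-many-destinations pattern on port 3389 described earlier. Field positions assume the IPv4 filterlog CSV layout (IPv6 lines are skipped); the interface name igb1 and all log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed IPv4 filterlog CSV layout: rule,subrule,anchor,tracker,iface,reason,
# action,dir,ipver,tos,ecn,ttl,id,offset,flags,proto-id,proto,length,src,dst,
# sport,dport,...  (IPv6 entries use another layout and are skipped below.)
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ filterlog: (.*)$")

# Constructed sample syslog lines with documentation addresses, not real traffic.
SAMPLE_LOG = """\
Mar  3 10:15:01 pfsense filterlog: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,3422,0,DF,6,tcp,60,192.168.1.10,198.51.100.20,51234,443,0,S,10,,65535,,mss
Mar  3 10:15:02 pfsense filterlog: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,3423,0,none,17,udp,62,192.168.1.10,192.0.2.53,51235,53,42
Mar  3 10:15:03 pfsense filterlog: 7,,,1000000105,igb0,match,block,in,4,0x0,,52,9,0,none,6,tcp,40,203.0.113.9,198.51.100.1,4444,22,0,S,1,,1024,,
Mar  3 10:15:04 pfsense filterlog: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,3424,0,DF,6,tcp,60,192.168.1.50,203.0.113.1,40001,3389,0,S,11,,65535,,mss
Mar  3 10:15:04 pfsense filterlog: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,3425,0,DF,6,tcp,60,192.168.1.50,203.0.113.2,40002,3389,0,S,12,,65535,,mss
Mar  3 10:15:04 pfsense filterlog: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,3426,0,DF,6,tcp,60,192.168.1.50,203.0.113.3,40003,3389,0,S,13,,65535,,mss
"""

def parse_filterlog(line):
    """Return a dict for one IPv4 TCP/UDP filterlog line, or None for anything else."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    f = m.group(2).split(",")
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return {"time": m.group(1), "iface": f[4], "action": f[6], "dir": f[7],
            "proto": f[16], "src": f[18], "sport": int(f[20]),
            "dst": f[19], "dport": int(f[21])}

def connection_records(text, lan_iface):
    """(time, private IP, port, destination IP, port) for every connection passed
    inbound on the LAN interface; packets there are seen before NAT, so the source
    is the private address that later has to be matched to the public IP."""
    recs = []
    for line in text.splitlines():
        e = parse_filterlog(line)
        if e and e["iface"] == lan_iface and e["dir"] == "in" and e["action"] == "pass":
            recs.append((e["time"], e["src"], e["sport"], e["dst"], e["dport"]))
    return recs

def flag_fanout(records, dport, min_targets):
    """Sources that opened connections to at least min_targets distinct hosts on
    dport: the one-host-to-many-IPs pattern of the 3389 bot described above."""
    targets = defaultdict(set)
    for _, src, _, dst, port in records:
        if port == dport:
            targets[src].add(dst)
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)
```

Only the packet that creates the state is logged by the rule, so each record marks the start of a connection; the public IP it was translated to is found on the matching WAN-side entry or in the NAT state table.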

