Is there any way to email the firewall logs each night (also system/snort logs)? I know there is the mailreport add-in, but I don't see that it does what I'm looking for. Is there a way to do this or do I need to write a script for it? Thanks.
Email reports also has the capability to send log files or parts of them, but it doesn't include package logs. Maybe you can hack /etc/inc/mail_reports.inc to include what you need.
The system log has been coming through blank for me, but I guess it's from the filter I have. If I remove it, it comes through clean. I'm not sure when I put that on there. The firewall log is too detailed and is mostly noise. Any way to get it to display more like the web page log in normal view? I'd like to add a filter to only show Blocked and Rejected packets sent to the WAN IP, but I'd be happy if we could just get the normal view.
Seems like reporting is the big drawback of pfSense. It does great stuff on par with the big guys. The logs aren't perfect, but they are adequate. I wish it were better about reports.
Edit: I would like to add that 2.2 does a better job than 2.1 did at the firewall log. I love the graphs and would like these to be just as nice. With 2.2 each event is on 1 line instead of 7 which considerably cuts down space. Also, adding the word "block" or "reject" helps narrow that down. Anyone know how to add both at the same time? I don't have any rejects to apply with so I don't know if there is additional data. Would it be "block; reject" or something like that? Or can it only have 1? If only 1, could I do a negative such as "!pass" to filter those out? Thanks!
Edit2: I've just created 2 different logs on the report, each with a different filter. If there is no way to do multiple filters on a log, this should work fine. I'm noticing that this is moving away from firewalling and more to logging so I understand if this gets moved.
You can use ".*" between regular expressions for a logical AND interconnection and "|" for OR.
For instance, my WAN is on port igb1 and I want to filter all block and reject entries for this interface, the filter looks like:
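Added example, not part of the thread and not the poster's own filter (which is not shown on this page): how ".*" and "|" combine when matched against one-line firewall log entries, with Python's `re` module standing in for the report filter's regex engine. The log lines, their field order and the word "reject" as a logged action are constructed assumptions.

```python
import re

# Constructed sample entries, one event per line as the thread describes for 2.2.
# Field order (interface before action) is an assumption made for this example.
SAMPLE_LOG = [
    "Feb 10 02:00:01 fw filterlog: 5,,,1000000103,igb1,match,block,in,4,tcp,198.51.100.7,203.0.113.10,51234,22",
    "Feb 10 02:00:02 fw filterlog: 7,,,1000000201,igb1,match,pass,out,4,udp,203.0.113.10,192.0.2.53,40000,53",
    "Feb 10 02:00:03 fw filterlog: 5,,,1000000103,igb0,match,block,in,4,tcp,192.168.1.20,192.0.2.80,50100,445",
    "Feb 10 02:00:04 fw filterlog: 9,,,1000000301,igb0,match,reject,in,4,tcp,192.168.1.21,192.0.2.81,50101,23",
    "Feb 10 02:00:05 fw filterlog: 9,,,1000000301,igb1,match,reject,in,4,tcp,198.51.100.9,203.0.113.10,51300,23",
]


def select(pattern, lines=SAMPLE_LOG):
    """Return the indexes of the lines the pattern matches anywhere."""
    rx = re.compile(pattern)
    return [i for i, line in enumerate(lines) if rx.search(line)]


def demo():
    """Run the patterns discussed in the thread and return the matches."""
    return {
        # ".*" as AND: both words must appear, in this order, on one line.
        "and": select(r"igb1.*block"),
        # Same two words in the other order: no match, because the interface
        # comes before the action in these lines. ".*" AND is order-sensitive.
        "and_reversed": select(r"block.*igb1"),
        # "|" binds loosest: this reads as (igb1.*block) OR (reject),
        # so reject entries on every interface slip through.
        "or_ungrouped": select(r"igb1.*block|reject"),
        # Parentheses keep the interface condition on both alternatives.
        "or_grouped": select(r"igb1.*(block|reject)"),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:13} -> {[SAMPLE_LOG[i].split(': ')[1] for i in hits]}")
```

When a report is meant to show only WAN blocks, the ungrouped form is the one to check for first, since it silently includes other interfaces.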