Log files?

Comments

14 comments

  • Firewalla

    Not yet. We have that item on our to-do list. This is one of the features that we (developers) and a small set of you (customers) feel are important ... but we just can't justify implementing it, due to its low interest from the majority.

    2
  • Bob O'Hara

    Wouldn't having the log files (and different log levels selectable) make chasing down customer issues easier and more efficient?  As an example, the IGMP issue that apparently is seen with the Blue beta release, but not the production release (even though no changes were made in the IGMP-related code) might be tracked down with a debug-level log.  Normal requests, such as "what rule caused this site to be blocked?" would be easily seen with normal-level logs.

    Just my $0.02.

     -Bob


    4
  • Aaron

    After a few early hiccups, I'm pretty impressed with how the Firewalla Gold is running, THANK YOU!  I'd like to add my name to the list of who would like to see events (alarms, blocks, flows, etc...) written to logs on the file system for forwarding to ES, Splunk, etc...  Having the ability to send that data elsewhere would improve flexibility for those of us who would like to implement different levels of alerting and monitoring.  

    Along the same lines, anything blocked should be notified somewhere.  I personally don't like the options of anything deemed really bad (by someone?) being silently blocked or monitoring turned off altogether. 

    Thanks!   

    6
  • Sajva Halverson

    I have to agree with Aaron. I am a security professional and want to be able to send the log information (alarms, blocks, flows, etc.) to a file and either send it to a SIEM or something that can parse the logs (heck, it could be a txt file) and forward them on to wherever we want.

    Thanks 

    3
  • Chris Hewitt

    In our lab, we are sending the Gold logs (system and Zeek) to our SIEM via SCP, SSHFS, and RCLONE. We are close to being able to do it wirelessly.

    See our other posts.

    1
  • Sajva Halverson

    Thanks Chris!

    0
  • Danny Natale

    @chris Where are the zeek and system logs located?  I'm trying to get those to a logserver.

    1
  • Aaron

    In case anyone is still having issues with this, here's how I'm sending my Firewalla Gold Zeek logs to a remote syslog server (at least until the functionality exists within Firewalla).  Disclaimer: I make no claims that I know WTF I am doing.  Do this or similar at your own risk.  I welcome comments/concerns from Firewalla or anyone else.

    First, assuming the logs were rotated within the last minute, this will send the zeek logs to port 514 on the remote syslog server:

    find /log/blog -mmin -1 -type f -exec zcat {} \; | nc -q 5 destination_server 514

    I took mine a step further by appending the firewalla log name to the end like this:

    for l in $(find /log/blog/ -type f -mmin -1); do zcat "$l" | sed "s|}\$|,\"firewalla_log\":\"$l\"}|" | nc -q 5 destination_server 514; done

    Next, I added that last line to a new script in /home/pi and set it to run every minute in cron. 

    Hope this helps.

    3
  • Quakewalla

    @Aaron, This is perfect and works as expected.

    Thank you! 

    0
  • Aaron

    @Quakewalla - No problem - Glad it worked!  I did change one thing recently, as I noticed that I would at times have issues waiting for it to quit after sending, so I tweaked the last command to the one below to use the -w switch rather than -q, and it seems to be working better (for me, anyway).

    ...| nc -u -w0 destination_server 514; done

    Aaron

    1
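    The procedure in Aaron's two posts above (find freshly rotated Zeek logs, decompress them, tag each record with its source file, push the stream at a syslog receiver with nc, run it from cron every minute) as a complete script. This is an added example and is not Aaron's script, nor Firewalla's own code. Assumptions are labelled: the logs are gzipped JSON-lines under /log/blog as in Aaron's post; STATE_FILE is a hypothetical path; destination_server and port 514 are placeholders; SEND_CMD is an added hook that swaps out the network sink so the functions can be run offline. It differs from the one-liner in three ways a practitioner would want: the sed expression is anchored on the closing brace so a `}` inside a field value is left alone, each record is wrapped in an RFC 3164 header (`<PRI>timestamp host tag: msg`) so the receiver parses a facility, severity and program name instead of an unframed JSON blob, and files already sent are recorded in a state file, so a cron run that starts late or runs long neither skips a rotation nor sends the same file twice, which `find -mmin -1` cannot guarantee.

```shell
#!/bin/sh
# Added example, not Aaron's script and not Firewalla's own code: ship rotated
# Zeek JSON logs from a Firewalla Gold to a syslog receiver. Assumptions are
# labelled: logs are gzipped JSON-lines under LOG_DIR (Aaron's post uses
# /log/blog); STATE_FILE is a hypothetical path; destination_server/514 are
# placeholders. SEND_CMD overrides the network sink so the functions can be
# exercised offline; by default the stream goes to Aaron's nc invocation.

LOG_DIR="${LOG_DIR:-/log/blog}"
STATE_FILE="${STATE_FILE:-/home/pi/.zeek_shipped}"    # hypothetical path
SYSLOG_HOST="${SYSLOG_HOST:-destination_server}"
SYSLOG_PORT="${SYSLOG_PORT:-514}"
SYSLOG_HOSTNAME="${SYSLOG_HOSTNAME:-$(hostname 2>/dev/null || echo firewalla)}"
# RFC 3164 PRI = facility*8 + severity: local0 (16) * 8 + informational (6) = 134
SYSLOG_PRI="${SYSLOG_PRI:-134}"

# Append "firewalla_log":"<path>" to each record. The sed expression is
# anchored on the closing brace at end of line so a '}' inside a string value
# (a DNS query, a URI) is not rewritten. Paths under /log/blog contain no
# '|', '&' or '\', which would otherwise need escaping for sed.
tag_record() {          # $1 = log path; JSON lines on stdin
    sed "s|}\$|,\"firewalla_log\":\"$1\"}|"
}

# Wrap each line in an RFC 3164 header, <PRI>Mmm dd HH:MM:SS host tag: msg,
# so the receiver parses facility, severity and program name instead of
# treating raw JSON as an unframed message. SYSLOG_TS exists only so the
# timestamp can be pinned in tests; normally it comes from date(1).
# Caveat: RFC 3164 caps messages at 1024 bytes and this script does not
# split longer records; a UDP receiver may truncate them.
syslog_frame() {        # $1 = tag; lines on stdin
    ts="${SYSLOG_TS:-$(date '+%b %e %H:%M:%S')}"
    while IFS= read -r line; do
        printf '<%s>%s %s %s: %s\n' "$SYSLOG_PRI" "$ts" "$SYSLOG_HOSTNAME" "$1" "$line"
    done
}

# Network sink. Plain UDP syslog is neither authenticated nor encrypted, so
# keep it on a trusted management segment or hand it to a local relay that
# forwards over TLS.
send_records() {
    if [ -n "${SEND_CMD:-}" ]; then
        $SEND_CMD
    else
        nc -u -w0 "$SYSLOG_HOST" "$SYSLOG_PORT"
    fi
}

# Rotated files not yet listed in STATE_FILE. Tracking state instead of
# 'find -mmin -1' means a cron run that starts late or runs long neither
# skips a rotation nor sends the same file twice.
unsent_files() {
    touch "$STATE_FILE"
    if [ -s "$STATE_FILE" ]; then
        # grep -f with an empty pattern file matches nothing, hence the branch
        find "$LOG_DIR" -type f -name '*.gz' | sort | grep -v -x -F -f "$STATE_FILE" || true
    else
        find "$LOG_DIR" -type f -name '*.gz' | sort
    fi
}

# Send one file and record it only if the sink accepted the whole stream.
ship_file() {           # $1 = path
    if gzip -dc "$1" | tag_record "$1" | syslog_frame zeek | send_records; then
        printf '%s\n' "$1" >> "$STATE_FILE"
    fi
}

ship_all() {
    unsent_files | while IFS= read -r f; do ship_file "$f"; done
}

# From cron every minute:  * * * * * /bin/sh /home/pi/ship_zeek.sh run
case "${1:-}" in
    run) ship_all ;;
esac
```

    The script only does work when invoked with `run`, so it can be sourced to test the individual functions. The `nc -u -w0` sink is the invocation from Aaron's follow-up; on a receiver that only listens on TCP, drop `-u` and use `-q` as in his first post. Nothing here persists the cron entry across a reboot; that still has to be done the way Aaron's later comment describes.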
  • Adrian Moser

    Is it now possible to do the logging directly with Firewalla?

    1
  • Seaw Yong Kwan

    Yes, having the ability to pipe the log entries to an external syslog server would be helpful.


    2
  • andre

    Any luck with sending this data to Splunk?

    0
  • Aaron

    It works fine for me using the instructions 4 or 5 posts up. Just make sure you make the cron entry persistent (I think those instructions are around here somewhere) or you'll lose it when you reboot.

    0
