Hi all
How do you visualize the log information of all modules (Firewall, IPS, Proxy, Antivirus, Sensei, other security features)? Is there an easy way without having dedicated log servers and tools?
Wouldn't it be nice to have those information at leas locally in OPNsense "centralized" and visualize related alert information in the Dashboard (e.g. few KPIs like total number of alerts, unseen alerts, alerts per device etc.) and a filterable detail table?
In my point of view, analyzing alerts is currently really decentralized per plugin (and even there you can have more than 1 log) so that monitoring is a pain, not?
You'd need a SIEM system for this (with centralized logging).
Putting this locally would consume too much ressources ...
Agree with SIEM - if we talk about more than 1 appliance.
I'am not talking about complicated drill-down reports, cross-comparisons or automated reaction (protection mechanisms) - although it would be nice. Just displaying all events in a centralized table / widget (e.g. based on syslog). On lowest level, it can also be dedicated widgets per service to display alert info in a similar design whereas you can arrange those by yourself.
Currently, widgets for IPS, Proxy, ICAP Antivirus are missing and the one for Sensei is in a total different design compared to the one from the firewall (the widget for the firewall is the best in my point of view because you can config the update frequency and filter to see the "blocked" only). If all widgets would be available and more aligned, you can customize a useful dashboard.
+1
Agree this would be nice.
Wouldn't have to come with bells and whistles just a central place where all comes together in simple table views with some basic filtering capabilities.
This would make daily due diligence convenient for the average user that may not want to invest the time to setup and maintain an additional ELK server.
https://github.com/opnsense/core/issues/4065
Comment here