OPNsense Forum

English Forums => General Discussion => Topic started by: scrappydoo on August 27, 2025, 07:31:49 PM

Title: Beginner’s question about logging. How? What? Where?
Post by: scrappydoo on August 27, 2025, 07:31:49 PM
I am just starting out with OPNsense. Up until now, I have been using an old ISP-supplied router/firewall. I currently have OPNsense installed on a tiny Intel N3160 device. It is connected to a Zyxel modem in bridge mode. I have spent the past two weeks, getting to grips with networking terminology and concepts, tweaking my settings, and getting IPv6 working properly. With the exception of some custom Xbox rules, I am using the default 25.7 firewall configuration. I have a flat network right now, but I have just purchased a managed switch to set up some vLANs. I am running CrowdSec/Zenarmor.

I would like some advice on what to do with my firewall logs. At the moment, I am inspecting them in the Web GUI, scouring them for hints about misconfiguration (or worse). What should I be doing with the logs? Should I save them off-host? I was thinking about setting up a syslog server. I was given a Synology NAS that could possibly be used for this. I'm not entirely sure. Alternatively, I could upgrade my OPNsense device and use the N3160 for log storage.

Also, what is the best way to capture and analyse logs? And what would be the best solution for a home user like me? Any advice or suggestions would be much appreciated. Thanks :)
Title: Re: Beginner’s question about logging. How? What? Where?
Post by: Patrick M. Hausen on August 27, 2025, 08:14:12 PM
Do you have a home lab besides OPNsense? Capacity to run a VM with 16 G of memory, anywhere internal? I have become rather fond of ElastiFlow for traffic analysis.
Title: Re: Beginner’s question about logging. How? What? Where?
Post by: scrappydoo on August 27, 2025, 09:28:56 PM
Quote from: Patrick M. Hausen on August 27, 2025, 08:14:12 PM
Do you have a home lab besides OPNsense? Capacity to run a VM with 16 G of memory, anywhere internal? I have become rather fond of ElastiFlow for traffic analysis.

Thanks for the suggestion. No, I don't have a home lab, unfortunately, but I suspect I will end up with one. As for machines that can run VMs 24/7, not really - I only have an M4 MacBook Pro and a gaming PC. I could get a mini-PC that could run VMs. What would be the host OS?

ElastiFlow looks interesting. There's a free Basic version, too. Nice. I'd probably need to get another switch. I don't think the Ubiquiti switch that I picked up supports SNMP.

Title: Re: Beginner’s question about logging. How? What? Where?
Post by: Patrick M. Hausen on August 27, 2025, 09:35:20 PM
OPNsense can deliver netflow data to ElastiFlow without support by the switch. And OPNsense supports SNMP, too.

Yes, the basic license is absolutely sufficient. Best host platform for a hypervisor today: probably Proxmox. Community edition free or around 100 €/$ per year for a subscription.
Title: Re: Beginner’s question about logging. How? What? Where?
Post by: scrappydoo on August 27, 2025, 11:29:28 PM
Thank you so much for the guidance. I'll start with getting something to run Proxmox on. I do have an old MacBook Pro that I could use as a stopgap possibly. It's a 2019 model, Intel i9 with 32GB RAM. If the noise of the fans was anything to go by, it won't be economical to run 24/7. Anyway, thanks again!
Title: Re: Beginner’s question about logging. How? What? Where?
Post by: keeka on August 28, 2025, 02:16:24 PM
I think a unified syslog would be a good idea if you plan on expanding your network and starting out with a homelab.
Even taking OPNsense in isolation, a unified log makes it easier to poke around.
I like Graylog. Running it in a Proxmox LXC with 4GB RAM, it copes perfectly well with my small network. Very helpful in tracking down problems. I am not sure how useful it is in analysing netflow data, for example. But for regular syslog it is flexible, has the tools to extract/enrich logs, and handles the unusual log formats you're likely to encounter from time to time.
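The thread's recurring advice is to ship the firewall's logs off-host to a syslog receiver and look at them in one place. The following is an added example, not code from this thread or from the OPNsense project: a minimal UDP syslog receiver and header parser that shows what a tool like Graylog or ElastiFlow does in its first step. It assumes OPNsense is configured to send syslog to the collector (OPNsense can send either RFC 5424 or classic BSD RFC 3164 lines, so both headers are handled), and that the collector host is a NAS or spare box that listens on UDP port 5514. All sample lines, hostnames, addresses and the field counts in the `filterlog` message are constructed for illustration, and the `summarize` helper is added here as a quick way to see which daemons and severities dominate the feed.

```python
"""Minimal syslog receiver and parser for collecting OPNsense logs off-host.

Added example, not from the forum thread or the OPNsense project. Assumes the
firewall sends syslog over UDP to this host; sample lines below are constructed.
"""
import re
import socket
from datetime import datetime, timezone

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)
# RFC 3164 (BSD) header: <PRI>MMM DD HH:MM:SS HOSTNAME TAG[pid]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^:\[ ]+)(?:\[(?P<procid>\d+)\])?: ?(?P<msg>.*)$"
)
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample datagrams: a pf block from filterlog, an sshd auth failure,
# a BSD-format dhcpd line, and one line that is not syslog at all.
SAMPLE_LINES = [
    "<134>1 2025-08-27T19:31:49+00:00 opnsense.lan filterlog 70 - - "
    "5,,,1000000103,igc0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,"
    "203.0.113.5,192.0.2.10,51234,22,0,S,1234567890,,65535,,mss",
    "<38>1 2025-08-27T19:32:00+00:00 opnsense.lan sshd 5120 - - "
    "Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2",
    "<30>Aug 27 19:33:10 opnsense dhcpd[910]: DHCPACK on 192.168.1.50 "
    "to aa:bb:cc:dd:ee:ff via igc1",
    "this is not a syslog line",
]


def parse_syslog(line):
    """Return a dict of header fields (plus facility/severity), or None."""
    m = RFC5424.match(line) or RFC3164.match(line)
    if not m:
        return None
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    rec["facility"] = pri >> 3          # e.g. 16 = local0, 4 = auth, 3 = daemon
    rec["severity"] = SEVERITY[pri & 7]
    if rec.get("procid") in (None, "-"):
        rec["procid"] = None
    return rec


def summarize(lines):
    """Count records by (app, severity); unparseable lines are counted too."""
    counts = {}
    for line in lines:
        rec = parse_syslog(line)
        key = (rec["app"], rec["severity"]) if rec else ("unparsed", "-")
        counts[key] = counts.get(key, 0) + 1
    return counts


def serve(bind="0.0.0.0", port=5514, out_path="opnsense.log", max_datagrams=None):
    """Receive UDP syslog and append one normalized line per datagram to a file.

    Unparseable datagrams are kept verbatim rather than dropped, so a format
    change on the sender side shows up in the file instead of vanishing.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    received = 0
    with open(out_path, "a") as out:
        while max_datagrams is None or received < max_datagrams:
            data, (src, _) = sock.recvfrom(65535)
            line = data.decode("utf-8", "replace").rstrip("\r\n")
            rec = parse_syslog(line)
            now = datetime.now(timezone.utc).isoformat()
            if rec is None:
                out.write(f"{now} {src} UNPARSED {line!r}\n")
            else:
                out.write(f"{rec['ts']} {src} {rec['host']} {rec['app']} "
                          f"{rec['severity']} {rec['msg']}\n")
            out.flush()
            received += 1


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{key[0]:<10} {key[1]:<8} {n}")
```

Run the module directly to see the per-daemon summary of the constructed samples; call `serve()` on the collector to start listening. The `filterlog` message body is deliberately passed through untouched: splitting its CSV fields is the job of the downstream tool's extractor, which is the "extract/enrich" step keeka mentions.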