Recommendation for analysing the Firewall Logs

[binaryanomaly]

Hi,

My setup is quite fresh and I'm in progress of configuring the firewall rules etc. Therefore it's quite important to often consult the log to check what is being blocked that shouldn't etc.

What is the best/recommended way to analyze the firewall log to i.e. see what connection attempts have been blocked, how many, etc.

I find the live view quite good but it's only a live view and data is refreshed quite fast, means entries are often gone before I had a chance to inspect them. On the other I'd just want to have a summary of blocked connections etc. that I can verify at the end of the day or so. The plain log is a bit difficult to process visually.

How do you guys handle this? What additional tools, etc. do you use?

Thanks


PS: Mostly interested in simple, low effort solutions. I'm not sure I want to take the extra effort to maintain an ELK installation.

[spetrillo]

I went down the ELK rabbit hole...and yes it is quite deep!

[deputycag]

I have been using papertrail.  Seems easy and I can get away with free version.  Also allows me to get email alerts when IPS blocks something.

[binaryanomaly]

Thanks both for your answers.

Seems like there's only the choice between the very limited internal facilities or going down the ELK or other external solution rabbit hole, where I am still not sure I want to go.

[lfirewall1243]

Graylog is very good as well

[banana999]

Check out PF ELK https://github.com/3ilson/pfelk

[binaryanomaly]

Thanks all for the replies.

I have for now decided to give sensei a chance and rely more on it for the management of Application Level client traffic. It also comes with more advanced logging and monitoring capabilities built-in.

https://wiki.opnsense.org/vendor/sunnyvalley/sensei.html

That said it is not open source and the more advanced features are paid which I'm ok with.