Beginner’s question about logging. How? What? Where?

Started by scrappydoo, August 27, 2025, 07:31:49 PM

I am just starting out with OPNsense. Up until now, I have been using an old ISP-supplied router/firewall. I currently have OPNsense installed on a tiny Intel N3160 device. It is connected to a Zyxel modem in bridge mode. I have spent the past two weeks, getting to grips with networking terminology and concepts, tweaking my settings, and getting IPv6 working properly. With the exception of some custom Xbox rules, I am using the default 25.7 firewall configuration. I have a flat network right now, but I have just purchased a managed switch to set up some vLANs. I am running CrowdSec/Zenarmor.

I would like some advice on what to do with my firewall logs. At the moment, I am inspecting them in the Web GUI, scouring them for hints about misconfiguration (or worse). What should I be doing with the logs? Should I save them off-host? I was thinking about setting up a syslog server. I was given a Synology NAS that could possibly be used for this. I'm not entirely sure. Alternatively, I could upgrade my OPNsense device and use the N3160 for log storage.

Also, what is the best way to capture and analyse logs? And what would be the best solution for a home user like me? Any advice or suggestions would be much appreciated. Thanks :)

Do you have a home lab besides OPNsense? Capacity to run a VM with 16 G of memory, anywhere internal? I have become rather fond of ElastiFlow for traffic analysis.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on August 27, 2025, 08:14:12 PM
Do you have a home lab besides OPNsense? Capacity to run a VM with 16 G of memory, anywhere internal? I have become rather fond of ElastiFlow for traffic analysis.

Thanks for the suggestion. No, I don't have a home lab, unfortunately, but I suspect I will end up with one. As for machines that can run VMs 24/7, not really - I only have an M4 MacBook Pro and a gaming PC. I could get a mini-PC that could run VMs. What would be the host OS?

Elastiflow looks interesting. There's a free Basic version, too. Nice. I'd probably need to get another switch. I don't think the Ubiquiti switch that I picked up supports SNMP.


OPNsense can deliver netflow data to ElastiFlow without support by the switch. And OPNsense supports SNMP, too.

Yes, the basic license is absolutely sufficient. Best host platform for a hypervisor today: probably Proxmox. Community edition free or around 100 €/$ per year for a subscription.

Thank you so much for the guidance. I'll start with getting something to run Proxmox on. I do have an old MacBook Pro that I could use as a stopgap possibly. It's a 2019 model, Intel i9 with 32GB RAM. If the noise of the fans was anything to go by, it won't be economical to run 24/7. Anyway, thanks again!

I think a unified syslog would be a good idea if you plan on expanding your network and starting out with a homelab.
Even taking OPNsense in isolation, a unified log makes it easier to poke around.
I like Graylog. Running it in a Proxmox LXC with 4GB RAM, it copes perfectly well with my small network. Very helpful in tracking down problems. I am not sure how useful it is in analysing netflow data, for example. But for regular syslog it is flexible, has the tools to extract/enrich logs, and handles the unusual log formats you're likely to encounter from time to time.