Topic: Http TLS/SSL Navigation logs - suricata or web proxy (Read 1058 times)
Nicola Bonavita (Newbie, Posts: 1, Karma: 0)
Posted on: April 06, 2022, 07:58:43 pm
Hi, I need to record the browsing logs of my users.
I already have the firewall and dns logs but I would like to record the http and https logs in case they commit something illegal.
I already have a syslog server and the logs are recorded in accordance with the law.
I have three questions:
1. I read that Suricata provides custom logs (DNS, HTTP and TLS/SSL) that must be activated in its configuration file (e.g. https://suricata.readthedocs.io/en/latest/output/custom-http-logging.html ), but I don't see the possibility to activate them from the OPNsense GUI. Is it possible to somehow use this Suricata feature? Is there a reason why this option is not available, or can I try to contribute by adding it via a PR?
2. If Suricata cannot be used, what is the best way to record user browsing (navigation) logs? I guess I need to use a transparent web proxy, but how can I get TLS/SSL logs without configuring certificates or showing users a man-in-the-middle warning?
3. What are the best practices in this area?
Thanks for your availability, greetings.
Last Edit: April 06, 2022, 08:03:22 pm by Nicola Bonavita
rman50 (Newbie, Posts: 31, Karma: 3)
Re: Http TLS/SSL Navigation logs - suricata or web proxy
Reply #1 on: April 06, 2022, 09:18:38 pm
You can add permanent Suricata custom configuration settings that are not available in the GUI plugin to /usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml. There should be a sample file in that directory to use as a starting template.
Sensei (Zenarmor) can also log all HTTP and HTTPS connections as well as DNS. It can be configured to store its data in an external Elasticsearch database (or local if the hardware is good enough) so you can run whatever analytics you want on the data with Kibana in addition to the reporting it provides. It can also block content based on categories and security threats.
There are also other tools like Zeek (formerly Bro) and Packetbeat (from Elastic) that can capture that level of information. Zeek is available in the community repository for OPNsense ( https://www.routerperformance.net/opnsense-repo/ ).
Last Edit: April 06, 2022, 09:36:33 pm by rman50
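Once Suricata's eve-log output is enabled for the "http" and "tls" event types (the custom.yaml route mentioned in the reply above), eve.json contains one JSON object per event, and the TLS records carry the Server Name Indication from the Client Hello and, for TLS 1.2 and older, the server certificate subject, which is how browsing destinations can be logged without interception certificates or a man-in-the-middle warning. The script below is an added example, not OPNsense or Suricata code; it reads constructed EVE lines (no real traffic), keeps only http/tls events, records which field identified the site (hostname header, SNI, certificate subject, or only the destination IP when nothing better is visible), and formats each record as an RFC 5424 syslog line for forwarding. The SD-ID uses 32473, the enterprise number RFC 5612 reserves for documentation; the facility/hostname values and the sample sites are assumptions.

```python
"""Normalise Suricata EVE JSON "http" and "tls" events into one-line browsing records.

Added example, not OPNsense or Suricata code. Assumes eve-log is enabled for the
"http" and "tls" types and that eve.json is read line by line. Field names follow
Suricata's EVE format: event_type, src_ip, dest_ip, http.hostname, http.url,
http.http_method, tls.sni, tls.subject, tls.version.
"""
import json
from typing import Iterable, List, Optional

# Constructed sample events (no real traffic); documentation IPs from RFC 5737.
SAMPLE_EVENTS = [
    {"timestamp": "2022-04-06T19:58:43.000000+0000", "event_type": "http",
     "src_ip": "192.0.2.10", "src_port": 51234, "dest_ip": "198.51.100.20", "dest_port": 80,
     "http": {"hostname": "example.net", "url": "/index.html", "http_method": "GET", "status": 200}},
    {"timestamp": "2022-04-06T19:59:01.000000+0000", "event_type": "tls",
     "src_ip": "192.0.2.10", "src_port": 51240, "dest_ip": "198.51.100.30", "dest_port": 443,
     "tls": {"sni": "example.org", "subject": "CN=example.org", "version": "TLS 1.2"}},
    {"timestamp": "2022-04-06T19:59:05.000000+0000", "event_type": "tls",
     "src_ip": "192.0.2.11", "src_port": 51250, "dest_ip": "198.51.100.31", "dest_port": 443,
     "tls": {"sni": "example.com", "version": "TLS 1.3"}},   # TLS 1.3: certificate encrypted
    {"timestamp": "2022-04-06T19:59:09.000000+0000", "event_type": "tls",
     "src_ip": "192.0.2.11", "src_port": 51251, "dest_ip": "198.51.100.32", "dest_port": 443,
     "tls": {"subject": "CN=legacy.example", "version": "TLS 1.2"}},  # client sent no SNI
    {"timestamp": "2022-04-06T19:59:12.000000+0000", "event_type": "tls",
     "src_ip": "192.0.2.12", "src_port": 51260, "dest_ip": "203.0.113.5", "dest_port": 8443,
     "tls": {"version": "TLS 1.3"}},                          # nothing but the IP is visible
    {"timestamp": "2022-04-06T19:59:20.000000+0000", "event_type": "flow",
     "src_ip": "192.0.2.12", "src_port": 51261, "dest_ip": "203.0.113.6", "dest_port": 22},
]
SAMPLE_EVE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]


def browsing_record(event: dict) -> Optional[dict]:
    """Return a compact record for http/tls events, None for every other event type."""
    etype = event.get("event_type")
    if etype == "http":
        h = event.get("http", {})
        site = h.get("hostname") or event["dest_ip"]
        source = "http-header" if h.get("hostname") else "ip-only"
        detail = f'{h.get("http_method", "?")} {h.get("url", "")}'.strip()
    elif etype == "tls":
        t = event.get("tls", {})
        # No plaintext URL without interception; SNI names the site, and for TLS <= 1.2
        # the certificate subject is a fallback. Otherwise only the destination IP is known.
        if t.get("sni"):
            site, source = t["sni"], "tls-sni"
        elif t.get("subject"):
            site, source = t["subject"], "tls-cert"
        else:
            site, source = event["dest_ip"], "ip-only"
        detail = t.get("version", "")
    else:
        return None
    return {
        "ts": event["timestamp"],
        "client": f'{event["src_ip"]}:{event["src_port"]}',
        "server": f'{event["dest_ip"]}:{event["dest_port"]}',
        "site": site,
        "source": source,
        "detail": detail,
    }


def browsing_records(lines: Iterable[str]) -> List[dict]:
    """Parse eve.json lines, skipping blank or truncated lines (e.g. at a rotation boundary)."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        rec = browsing_record(event)
        if rec is not None:
            records.append(rec)
    return records


def _sd_escape(value: str) -> str:
    """Escape the three characters RFC 5424 forbids unescaped inside a PARAM-VALUE."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog_line(rec: dict, hostname: str = "opnsense") -> str:
    """RFC 5424 line: facility local0 (16) * 8 + severity info (6) = PRI 134.
    Fields go into a structured-data block so the syslog server can index them."""
    sd = " ".join(f'{k}="{_sd_escape(v)}"' for k, v in rec.items() if k != "ts")
    return f'<134>1 {rec["ts"]} {hostname} browsing - - [browse@32473 {sd}] {rec["site"]}'


if __name__ == "__main__":
    for r in browsing_records(SAMPLE_EVE_LINES):
        print(to_syslog_line(r))
```

The "source" field is worth keeping in the log: a record tagged ip-only tells the reader that no hostname was observable for that flow, which is exactly the gap a transparent proxy without interception also has, so the record should not be read as "no browsing happened".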