TUI for viewing and analysing OPNsense filter/firewall logs

Started by allddd, Today at 12:48:37 AM

Hi everyone

Since I couldn't find a simple way to quickly analyse filter logs, I've been writing a TUI in Go for this over the past few months. It's come a lot further than I first expected, so I decided to share it in case anyone else needs something like this.

It's called opnsense-filterlog and it's basically a TUI similar to a pager like less in terms of navigation, but with color output and search/filtering features that are better suited for firewall logs. The filter syntax is similar to tcpdump and pretty simple, but still lets you filter out all log entries you (don't) want to see, e.g.:

(src 192.168.1.1 or src 192.168.1.2) and action block and not proto udp

It's a simple binary with no dependencies that runs on OPNsense itself. I tried to make it as memory and resource efficient as possible, so it should be able to handle huge log files, even on low-spec devices.

In case anyone is interested, there is more documentation in the repo: https://gitlab.com/allddd/opnsense-filterlog

Figured I'd share this here, maybe it'll save someone a bit of time digging through logs.

Thanks for posting the viewer, I gave it a go and do like it. I like the navigation in the TUI.

If I could have a wish :) or two:

  • my screen is quite small (1280x800) and not all columns fit on the screen. It would be helpful if I could scroll horizontally with e.g. either the left/right arrow keys and/or 'h'/'l' (like in vim).
  • right now filtering for 'proto ip6' doesn't show any results. But filtering for 'proto ip' shows only the ip6 traffic. I would prefer if 'proto ip' would show the ipv4 entries and 'proto ip6' the ipv6. Maybe even a shortcut like in 'pftop' 'ip' and 'ip6' showing the ipv4 and ipv6 entries.
Deciso DEC740

I'm glad you liked it :)

Quote from: patient0 on Today at 10:24:48 AM
my screen is quite small (1280x800) and not all columns fit on the screen. It would be helpful if I could scroll horizontally with e.g. either the left/right arrow keys and/or 'h'/'l' (like in vim).

This is already on my todo list because, even with larger screens, it's an issue if the terminal is not running in fullscreen mode, which is often the case. I even have a bit of code for this in a local branch, but I haven't really decided what would be the best way to do this.

One approach would be to dynamically truncate the columns based on window size, but that would cause an issue on smaller screens where you could not see part of the date, IP, etc., which isn't ideal.

Another approach, as you mentioned, would be to implement horizontal scrolling. This would be more tricky to implement and might not look as good, but at least it would not cut off parts of IPs or other fields.

Quote from: patient0 on Today at 10:24:48 AM
right now filtering for 'proto ip6' doesn't show any results. But filtering for 'proto ip' shows only the ip6 traffic. I would prefer if 'proto ip' would show the ipv4 entries and 'proto ip6' the ipv6. Maybe even a shortcut like in 'pftop' 'ip' and 'ip6' showing the ipv4 and ipv6 entries.

Currently, it is not possible to filter based on IP version, but adding this as an option would be easy. Documentation on the filter.log format:

IPv4
====

[Packetfilter], ipversion, tos, ecn, ttl, id, offset, flags, protonum, protoname, length, src, dst

The protonum/protoname order is reversed compared to IPv6.

IPv6
====

[Packetfilter], ipversion, class, flow, hoplimit, protoname, protonum, length, src, dst

The protonum/protoname order is reversed compared to IPv4.

The proto filter is used to filter by protoname. The reason you get any results with a filter query such as proto ip is that some protocol names contain ip* (e.g. ipv6-icmp) and the value does not have to be an exact match. To implement this, I would either have to abuse the proto keyword or add a new one used specifically for matching the ipversion field. The latter option would probably be less confusing.

If you have a Gitlab account, feel free to open an issue if you notice any bugs or have suggestions.
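An added example (not code from the thread or from opnsense-filterlog) that parses the two field layouts listed above and contrasts the current substring match on protoname with a separate, exact match on ipversion. It assumes that 8 common fields (rule number, interface, action, direction, ...) precede ipversion in each record, and the log lines it runs over are constructed.

```go
package main

import "strings"
// Entry holds the two fields this example needs from one filter.log record.
type Entry struct {
	IPVersion string // "4" or "6"
	ProtoName string // e.g. "tcp", "udp", "ipv6-icmp"
}
// Assumption: 8 common fields (rule number, interface, action, direction, ...)
// precede ipversion in every record.
const leadingFields = 8
// Offset of protoname from ipversion per the layouts above (swapped with protonum in IPv6).
var protoNameIndex = map[string]int{"4": 8, "6": 4}

// parseEntry extracts ipversion and protoname; ok is false for short or unknown records.
func parseEntry(line string) (e Entry, ok bool) {
	f := strings.Split(line, ",")
	if len(f) <= leadingFields {
		return Entry{}, false
	}
	ip := f[leadingFields:] // ip[0] is ipversion
	idx, known := protoNameIndex[ip[0]]
	if !known || len(ip) <= idx {
		return Entry{}, false
	}
	return Entry{IPVersion: ip[0], ProtoName: ip[idx]}, true
}

// matchProto mirrors the current "proto" keyword: a substring match on protoname,
// which is why "proto ip" hits "ipv6-icmp" while "proto ip6" does not.
func matchProto(e Entry, want string) bool { return strings.Contains(e.ProtoName, want) }
// matchIPVersion is the proposed separate keyword: an exact match on ipversion.
func matchIPVersion(e Entry, want string) bool { return e.IPVersion == want }
// filterLines parses each record and keeps the ones the predicate accepts.
func filterLines(lines []string, keep func(Entry) bool) []Entry {
	var out []Entry
	for _, l := range lines {
		if e, ok := parseEntry(l); ok && keep(e) {
			out = append(out, e)
		}
	}
	return out
}

// sampleLines are constructed records (not real log data) in the layout above.
var sampleLines = []string{
	"5,,,abc,igc0,match,block,in,4,0x0,,64,1234,0,DF,6,tcp,60,192.168.1.1,10.0.0.5",
	"5,,,abc,igc0,match,block,in,4,0x0,,64,12,0,none,17,udp,80,192.168.1.2,10.0.0.5",
	"7,,,def,igc0,match,pass,in,6,0x00,0x00000,64,ipv6-icmp,58,40,fe80::1,ff02::1",
}
```

Running the predicates over sampleLines reproduces the behaviour reported in the thread: "proto ip" returns only the ipv6-icmp record, "proto ip6" returns nothing, while the exact ipversion match separates the two IPv4 records from the IPv6 one.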