I have recently had cause to pay a little more attention to the logs generated by my home firewall. While I use SARG for the day-to-day analysis, I needed a quick and easy command to fire at my squid logs to see what a particular device had been up to. This entry is by no means an exhaustive list, but it will serve as a handy reminder to me as to what I did to pull the data I needed to look at.
After SSHing into the pfSense firewall, the following command shows me the device's activity as it happens (-w and -F make grep match the address as a literal whole word, so one address does not also match a longer address that starts with it):
tail -f /var/squid/logs/access.log | grep -wF <ip-address>
Of course, if I want to dump ALL the logged data for the device, I can just as easily run:
grep -wF <ip-address> /var/squid/logs/access.log > somefilename.txt
That’s it, happy to hear from you if you have any stronger command-line Fu that I should look at throwing at the logfiles.
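Going one step beyond grep, here is an added example (not part of the original post) that summarises what one client talked to: requests, bytes and denied requests per destination host, largest first. It assumes Squid's default native access.log format; the function names squid_client_summary and sample_log are made up for illustration, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example. Squid native access.log fields:
# 1=time 2=elapsed_ms 3=client 4=result/status 5=bytes 6=method 7=URL ...

squid_client_summary() {
    # $1 = client IP, $2 = log file ("-" reads stdin; default is the path used above)
    awk -v ip="$1" '
        $3 != ip { next }    # exact compare on the client field, no partial IP matches
        {
            host = $7
            sub("^[A-Za-z][A-Za-z0-9+.-]*://", "", host)  # drop the scheme
            sub("[/?].*$", "", host)                      # drop path and query
            sub(":[0-9]+$", "", host)                     # drop port (CONNECT host:443)
            reqs[host]++
            bytes[host] += $5
            if ($4 ~ /^TCP_DENIED/) denied[host]++
        }
        END {
            # Columns: host requests bytes denied (%.0f avoids integer clamping in old awks)
            for (h in reqs)
                printf "%s %d %.0f %d\n", h, reqs[h], bytes[h], denied[h]
        }
    ' "${2:-/var/squid/logs/access.log}" | sort -k3,3nr -k1,1
}

# Constructed sample log lines (not real traffic).
sample_log() {
    cat <<'EOF'
1700000000.101    120 192.168.1.10 TCP_MISS/200 5120 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1700000001.202   3045 192.168.1.10 TCP_TUNNEL/200 20480 CONNECT example.org:443 - HIER_DIRECT/93.184.216.34 -
1700000002.303     80 192.168.1.1 TCP_MISS/200 999 GET http://example.net/ - HIER_DIRECT/93.184.216.34 text/html
1700000003.404      0 192.168.1.10 TCP_DENIED/403 3900 GET http://blocked.example/ads.js - HIER_NONE/- text/html
1700000004.505     45 192.168.1.10 TCP_MISS/200 1024 GET http://example.com/style.css?v=2 - HIER_DIRECT/93.184.216.34 text/css
1700000005.606     60 192.168.1.100 TCP_MISS/200 777 GET http://example.net/x - HIER_DIRECT/93.184.216.34 text/html
EOF
}

# Demo on the constructed sample; on the firewall, pass only the device's IP.
sample_log | squid_client_summary 192.168.1.10 -
```

A non-zero last column is worth a closer look, since it means the proxy refused requests to that host.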
2 responses to “Looking at logs…”
If you want something that can do correlation, try https://simple-evcorr.github.io/
If you prefer something non-command-line based, and overall have less than 500MB worth of logs to centrally store, then Splunk is free.
If you feel like building your own, ELK (https://www.elastic.co/webinars/introduction-elk-stack) is the open source Splunk equivalent tool that many big players are using.
Fantastic, thanks Kiw.. I’ve used Splunk briefly, but nothing like at the level of Terry’s Splunk Fu. Correlation would certainly be fun, but may be overkill for the device traces I’m running at the moment.