pflog results by date range?

[dhartnet]

Hi Folks, hoping you can help me. One of our system was compromised, and I wanted to get all the firewall logs, at least current ones. When I ran this:

# tcpdump -n -e -ttt -r /var/log/pflog

The only logs I got stopped at around June 2012. Is there a way to get them for a certain date? Is this above command the correct one to get any and all logs ?? (maybe pflogd stopped at a certain time)? Any help or pointers is appreciated..

 

[SirDice]

Older entries are stored in /var/log/pflog.0.bz2, pflog.1.bz2 and pflog.2.bz2.

 

[dhartnet]

Older entries are stored in /var/log/pflog.0.bz2, pflog.1.bz2 and pflog.2.bz2.

Thanks!!

Trying to get the most recent for like the last month.. I'm guessing my command above was the right one ?

 

[SirDice]

Yes, the most recent entries would be in /var/log/pflog.

Note however, if the machine was compromised it's likely not going to show up in pflog. They came in on some open port (probably a vulnerable web application) and those connections are usually not logged. Most people don't log everything that comes in, check your configuration to see what's actually being logged.

 

[dhartnet]

Thanks again ! It was actually a machine behind the FW that was compromised.
So we wanted to see where any source traffic may have come from.

So if my command above was the correct one, it may have been the pflogd daemon that possibly was down for a while. (It's a self managed lab by other folks, so it's not really monitored until these recent scans). Thanks again for your help.

If you and others can confirm this is my correct command to get everything in pflog, then that's all that I can give them (up until June).. Thanks..

# tcpdump -n -e -ttt -r /var/log/pflog (is this right) ?