Event log seems to not be working properly


#1

Device: Peplink Balance 380
Firmware: 5.4.9 build 2573

We are experiencing a lot of spammers lately trying to contact our mail server. We limited inbound and outbound access through the firewall and this seems to help. However, the event log suddenly seems to stop logging.
We saw a lot of blocked attempts many times an hour and for up to 24 hours. Then it suddenly stopped. We find it strange that it stops just like that and there are no new entries for over 2 hours.

Applying changes is being logged. We find it very unlikely they just stopped trying to contact our mail servers. We also experienced it yesterday that the log stopped and then later on came back.

/edit: and just as this has been posted for a few minutes the log shows some new attempts.


#2

Please do a packet capture on the WAN ports to confirm attempts are still coming in, and if they are not being logged, then you can open a support ticket for further investigation:
http://cs.peplink.com/contact/support/


#3

Device: Peplink Balance 380 HW5
Firmware: 6.3.1 build 3471

Was there a resolution to the issue you were seeing with the Event Log? I am experiencing something similar. I created an “Explicit Deny” rule at the end of my Inbound Firewall Rules and have “Event Logging” enabled on this rule (sent to a syslog server). The purpose of this is to know about unauthorized attempts on our public IPs. To test, I disable a defined port rule for HTTP access to a public camera, then test from the outside. Sure enough, a log is created as expected. HOWEVER, if I try to access an UNDEFINED PORT (not present in Port Forwarding or Inbound Firewall list), no log is created. For example, instead of trying to hit HTTP access, if I try to hit FTP access, no log is created.

Please assist.


#4

Hi smammen,

This is expected. Since Port Forwarding for FTP is not there, the packet will be dropped. For the HTTP you tested, since Port Forwarding for HTTP is there, the inbound HTTP request was blocked by the firewall (the “Deny Any Any” rule that you defined). This event was then logged by the Balance router.


#5

Thanks TK - How then do I log the “packet drop” situation? We want to see unauthorized attempts on our WAN.


#6

Hi smammen,

Do you need long-term firewall logging, or do you need it temporarily for troubleshooting purposes?


#7

@TK: Long-term/live look-in logging. We are accustomed to seeing these types of logs in other manufacturers’ event logs, and for an Internet-facing device, we just expected the same for the Balance router.


#8

Hi smammen,

We recommend turning on firewall logging for troubleshooting purposes only. If the log is important to you, you may consider IPS for your case.


#9

“turning on firewall logging” - where do I turn this on to capture the packet drop condition?
“may consider IPS” - are you referring to the Peplink IPS feature? I do not see any logging options associated with that.


#10

Hi,

As mentioned, we recommend turning on firewall logging for troubleshooting purposes only, not for long-term logging.

I mean you may consider a 3rd-party IPS if logging is important to you.

Thank you.