Monitoring web traffic. Syslog?

dnilgreb

Contributor
Joined
Mar 29, 2016
Messages
168
It is time for a new project, and I could really use some help getting started.
On my primary NAS (spec in signature) I want to set up something to monitor network traffic on my LAN. The purpose is to keep track of which device visits what websites. And the next step might be to block specific sites. This might seem overly ambitious for a home setup, but I need to keep track of what my kids are doing on their devices.

So, being new to all this I started on Google, and got the impression that a syslog server is what I need. So I now have a Graylog server running in a standard jail, and I have my router (Ubiquiti UniFi USG 3P) send its log to the Graylog via the Remote logging feature in the UniFi web interface.
The content is showing up, but it doesn't contain the info I'm after.

More time spent on Google, and it seems I need some sort of proxy to do what I am trying to do. Guess I could set that up in another jail?
Could anyone give me any pointers on best practice here? Is there something like a how-to guide?
Will I have any use for my Graylog server, or should I just remove that jail?

I don't know if I should provide any more info, but if someone could help me I'd really appreciate it. As always :)
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,700
More time spent on Google, and it seems I need some sort of proxy to do what I am trying to do. Guess I could set that up in another jail?
Nginx would work well as a reverse proxy.

You could use Graylog to give you visibility of what's logged by Nginx (https://programmer.group/passive-way-of-collecting-nginx-logs-by-graylog2.html)

It may be more helpful to have them in the same jail, but you can also do it separately, either using something like Logstash or a common mounted dataset for the logs between the jails.
 

dnilgreb

Contributor
Joined
Mar 29, 2016
Messages
168
Nginx would work well as a reverse proxy.
Interesting. I thought a reverse proxy was for handling incoming traffic. I already have one of those, for my Nextcloud / Collabora install.
Now that I want to monitor websites visited, it's outgoing traffic that's interesting, isn't it? Or should I somehow use my existing reverse proxy?

And the big question: how do I do it? :)
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,700
OK, so you don't want to know who is visiting the websites you host, rather who at your house/location is visiting what websites?

If that's the case, indeed a forward (transparent) proxy would be helpful to do that (depending on how creepy you want to be).

Depending on your situation, you may find it helpful to look at using something like pfSense in front of your Ubiquiti gateway and using the Squid Transparent proxy to intervene and monitor web traffic from all your clients.

You could also go in a more simple direction and replace your DNS with something like AdGuard or PiHole and use those solutions to monitor sites visited in another (less intrusive) way.
 

dnilgreb

Contributor
Joined
Mar 29, 2016
Messages
168
Ok, I got PiHole up and running in an Ubuntu VM. I set the DHCP Name Server to the IP of the PiHole, which seems to do the trick.
Now I would like the logs easier to search in / handle. Could I have any use for my Graylog here, or could I make a dashboard or something in the PiHole to maybe group logs per local hostname or something like that?
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,700
Now I would like the logs easier to search in / handle. Could I have any use for my Graylog here, or could I make a dashboard or something in the PiHole to maybe group logs per local hostname or something like that?

Looks like that's what you need...

Maybe in conjunction with something like this:
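
Added example, not part of the thread and not what the reply above pointed to: a sketch of the per-device grouping asked about, parsing query lines in the dnsmasq log format that Pi-hole writes and counting looked-up domains per client. The sample log lines and the `LOCAL_NAMES` IP-to-hostname map are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in dnsmasq query-log format; addresses and names are made up.
SAMPLE_LOG = """\
Mar 29 18:02:11 dnsmasq[612]: query[A] www.example.com from 192.168.1.21
Mar 29 18:02:11 dnsmasq[612]: forwarded www.example.com to 1.1.1.1
Mar 29 18:02:11 dnsmasq[612]: reply www.example.com is 93.184.216.34
Mar 29 18:02:15 dnsmasq[612]: query[AAAA] WWW.example.com from 192.168.1.21
Mar 29 18:03:40 dnsmasq[612]: query[A] ads.example.net from 192.168.1.22
Mar 29 18:04:02 dnsmasq[612]: query[A] video.example.org from 192.168.1.22
Mar 29 18:04:09 dnsmasq[612]: query[A] video.example.org from 192.168.1.22
this line is truncated or corrupt
"""

# Hypothetical mapping from LAN address to a friendly device name.
LOCAL_NAMES = {"192.168.1.21": "kid-tablet"}

# Only "query[...]" lines name the client; forwarded/reply lines do not.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<domain>\S+) from (?P<client>\S+)$"
)

def parse_queries(text):
    """Yield (timestamp, client, qtype, domain) per query line; skip all others."""
    for line in text.splitlines():
        m = QUERY_RE.match(line.strip())
        if m:
            # DNS names are case-insensitive, so normalise before counting.
            yield m["ts"], m["client"], m["qtype"], m["domain"].lower()

def domains_by_client(text, names=None):
    """Return {device: Counter(domain -> number of lookups)}."""
    names = names or {}
    report = {}
    for _ts, client, _qtype, domain in parse_queries(text):
        device = names.get(client, client)  # fall back to the raw address
        report.setdefault(device, Counter())[domain] += 1
    return report

if __name__ == "__main__":
    for device, counts in sorted(domains_by_client(SAMPLE_LOG, LOCAL_NAMES).items()):
        print(device)
        for domain, n in counts.most_common():
            print(f"  {n:4d}  {domain}")
```

A DNS log shows which names a device resolved, not which pages it loaded, and a device that uses its own DNS-over-HTTPS resolver will not appear in it at all.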
 