Log Https domains connections

Hello,

I use Ipfire in my company since 10 years and we really love work with this system.

We have an internal rule which allows all users to use internet access without any locks.

But we still want to follow the uses made in order to make our users aware of internet security.

This is why I would like to be able to have the internet access logs of the sites in https, not all the URLs but only the domains consulted.

Is this possible by keeping a transparent proxy?

If not, is there another solution even outside Ipfire?

Thank a lot for all your work and help

Well I’d say DNS is your friend, however if you only want to trace browser usage you will need a proxy with monitoring or correlate all port 80/443 to the DNS requests. You can also log/monitor all GET requests, this is typically browser traffic.

I’m personally going for the DNS approach, since it gives me all outbound traffic in the form of domains rather than URLs. I load those into my ELK stack for monitoring and further processing.

I had looked into this from an unbound perspective, this wasn’t super easy. You’d have to log all queries and ship that to your data lake (plus ingest everything). So I went for the upstream Umbrella (OpenDNS) ingestion pipeline (already in FileBeat).

Be aware that any mapping to IP and IP mapping to users will require their consent. Not sure what unbound logs exactly, but with Umbrella I can aggregate on my internal or external IP.