sendnrw/netbird-docs
2
0
Fork 0
mirror of https://github.com/netbirdio/docs.git synced 2026-04-22 02:16:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

Improve traffic events logs

Browse Source
This commit is contained in:
braginini
2025-06-19 10:34:01 +02:00
parent 755df08fb0
commit 89ed145aef
1 changed files with 22 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
src/pages/how-to/traffic-events-logging.mdx
View File

@@ -35,7 +35,7 @@ NetBird would log the blocked event on the peer that refused the connection.
<img src="/docs-static/img/how-to-guides/traffic-events/p2p-traffic-events.png" alt="traffic-events-p2p-diagram" className="imagewrapper-big"/>
</p>
#### Successful P2P Connection Events Correlation
#### Successful P2P Connection Events
NetBird helps you better understand connection flows by correlating related events and presenting them in a clear, organized manner.
@@ -53,7 +53,11 @@ On the other side, the destination peer `server` receives the connection request
following the disconnection from `Alice`. Since `server` allows the connection, the log includes the policy `IT Admins to Servers`
that authorized the connection over the `ICMP` protocol.
#### Blocked P2P Connections Events Correlation
<Note>
Use the `P2P` filter in the table to view only peer-to-peer connection events.
</Note>
#### Blocked P2P Connections Events
If a connection is refused, NetBird logs the blocked event on the peer that denies the connection, in this case, `server`.
The initiating peer `Alice` will still report the connection attempt but won't be aware that it was blocked.
@@ -67,7 +71,7 @@ meaning all `HTTP` requests are intentionally not allowed. The screenshot below
### Peer-to-Network Resource Connections
When a peer connects to a [network resource](/how-to/networks#resources), NetBird captures and logs the traffic
events for that connection on the peer that initiated the connection, and on the routing peer that connects the peer to
events for that connection on the peer that initiated the connection, and on the [routing peer](/how-to/networks#routing-peers) that connects the peer to
the internal network resource.
A slightly modified example of the CRM server connection scenario would be if instead of running the NetBird client on the CRM server,
@@ -79,28 +83,38 @@ routed the connection to the CRM server. If the connection was blocked, NetBird
<img src="/docs-static/img/how-to-guides/traffic-events/routed-traffic-events.png" alt="traffic-events-routed-diagram" className="imagewrapper-big"/>
</p>
#### Successful Peer-to-Network Resource Events Correlation
#### Successful Peer-to-Network Resource Events
The screenshot below illustrates a successful connection from `Alice` to the network resource `CRM` running in the AWS VPC.
The traffic is routed through a routing peer, which logs the connection event and reports it to the NetBird servers.
The access is permitted by the policy `IT Admins to AWS Servers`, which allows connections over the `TCP` protocol on port `5432`.
Note the `ROUTER` column in the table, which identifies the routing peer responsible for routing to the internal network resource.
You can filter such events by using the `Routed` filter in the table.
<p>
<img src="/docs-static/img/how-to-guides/traffic-events/network-resource-succesful-connection.png" alt="network-resource-succesful-connection" className="imagewrapper-big"/>
</p>
#### Blocked Peer-to-Network Resource Events Correlation
<Note>
Use the `Routed` filter in the table to view only peer-to-network resource connection events.
</Note>
#### Blocked Peer-to-Network Resource Events
In the event of a blocked connection, the initiating peer logs the connection attempt, while the routing peer records the blocked event.
The screenshot below demonstrates this behavior: the routing peer blocks a connection to the network resource `CRM` because
the policy `IT Admins to AWS Servers` does not permit connections over the `HTTP` protocol on port `6432`.
You can see multiple blocked events from the routing peer, which indicates that the initiating peer `Alice` attempted to connect multiple times
in one TCP session, but the routing peer blocked all attempts.
<p>
<img src="/docs-static/img/how-to-guides/traffic-events/network-resource-blocked-connection.png" alt="network-resource-succesful-connection" className="imagewrapper-big"/>
</p>
<Note>
For all the examples above, we used the `nc` command to initiate the connection to the CRM server from the peer `Alice`.
E.g., `nc -v crm.netbird.cloud 5432`.
</Note>
## Enabling Traffic Events Logging
Traffic events logging feature is disabled by default. To enable it on the NetBird dashboard, navigate to `Settings > Networks`.
@@ -121,12 +135,12 @@ at the kernel level. Be aware that enabling this option may lead to higher CPU u
## Log Retention
While in experimental mode, logs are retained for **7 days**.
While in experimental mode, logs are retained for **seven days**.
Additionally, please note that the current API returns a maximum of **50,000 events**.
We are actively working on expanding this limit in the coming days to support larger datasets and increased usage.
## Report rate
The events might take up to 10 minutes to become available via API and Dashboard. For some TCP connections, the full event cycle might take longer, depending on OS settings and connection termination.
The events might take up to **ten minutes** to become available via API and Dashboard. For some TCP connections, the full event cycle might take longer, depending on OS settings and connection termination.
## Enable Traffic Events Streaming to SIEM Systems