Got an email with someone stating they have several attempted SSH connections to them. They have since firewalled it but sent me the info to let me know. I'm running EdgeRouter Pro v1.9.0. How do I log this so I can see where it's originating from? I found a post stating to just create an outbound NAT rule with logging enabled. I must not be doing this right, as when I test it, it generates no logs.
Create a WAN_OUT firewall ruleset, and apply it to the WAN interface in the outgoing direction:
- rule1 = allow established/related
- rule2 = allow dest.port==22 proto=tcp, logging enabled
- default action accept
This will only log the 1st packet belonging to a new SSH session, and not overwhelm your log file.
The log is in /var/log/messages, but you could use syslog to an external server.
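
Added example (not part of the original posts): once rule2 of WAN_OUT is logging, a short Python script can tally which internal hosts opened new outbound SSH sessions. The log line layout (a [RULESET-RULE-ACTION] prefix followed by netfilter SRC=/DST=/DPT= fields), the rule number and every address in the sample are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the assumed style of /var/log/messages on the router.
SAMPLE_LOG = """\
Jan 10 03:12:01 ubnt kernel: [WAN_OUT-2-A]IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 LEN=60 TTL=63 PROTO=TCP SPT=51512 DPT=22 SYN
Jan 10 03:12:04 ubnt kernel: [WAN_OUT-2-A]IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 LEN=60 TTL=63 PROTO=TCP SPT=51514 DPT=22 SYN
Jan 10 03:12:09 ubnt kernel: [WAN_OUT-2-A]IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.9 LEN=60 TTL=63 PROTO=TCP SPT=51520 DPT=22 SYN
Jan 10 03:14:30 ubnt kernel: [WAN_OUT-2-A]IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.7 LEN=60 TTL=63 PROTO=TCP SPT=40110 DPT=22 SYN
Jan 10 03:14:41 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.1 LEN=60 TTL=51 PROTO=TCP SPT=40022 DPT=22 SYN
Jan 10 03:15:00 ubnt dhcpd: DHCPACK on 192.168.1.23
"""

# Firewall prefix, then the netfilter key=value fields we care about.
LINE_RE = re.compile(
    r"\[(?P<ruleset>[\w.-]+?)-(?P<rule>\w+)-(?P<action>[A-Z])\]"
    r".*?\bSRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?\bPROTO=(?P<proto>\S+).*?\bDPT=(?P<dpt>\d+)"
)

def ssh_sessions(log_text, ruleset="WAN_OUT", port=22):
    """Count logged new sessions per (source, destination) pair."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall log line
        if (m["ruleset"], m["proto"], int(m["dpt"])) != (ruleset, "TCP", port):
            continue  # other ruleset, protocol or port
        hits[(m["src"], m["dst"])] += 1
    return hits

def top_sources(log_text):
    """Internal hosts ranked by number of new outbound SSH sessions."""
    per_host = Counter()
    for (src, _dst), count in ssh_sessions(log_text).items():
        per_host[src] += count
    return per_host.most_common()

if __name__ == "__main__":
    for host, count in top_sources(SAMPLE_LOG):
        print(f"{host}: {count} new SSH session(s)")
    for (src, dst), count in sorted(ssh_sessions(SAMPLE_LOG).items()):
        print(f"  {src} -> {dst}: {count}")
```

To run it against the real log, read /var/log/messages (or the file your external syslog server writes) and pass its contents to top_sources().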