How/where do I look at what has been going on in/with PiHole on my machine?

The issue I am facing:
I am wanting to ask where the files are that show recent activity in/on PiHole.
The sites visited, etc.
Export them and just look at what's been going on.
Checking no rogues are in there.

Details about my system:
RasPi 2 Model B Rev 1.1
Buster

I understand they are in /etc/pihole/..... and the two I may be after are:
pihole-FTL.db and gravity.db.

But not sure.

Someone - please.

Well, unless you are able and willing to query the database, you can get most of the information you desire from the Pi-hole Dashboard web interface.

If you really need to access the database for what you want, the .db files you mention are SQLite3 databases, so you will need a tool to explore the structure and query data.

I get everything I need for my purposes from the dashboard.

I am asking because I am kinda new to all this.

I get it that the Dashboard displays things nicely. No argument.

But it (to me) may hide things you want to see/know.

You get lots of requests to the reverse DNS lookup address.
Lots to.... google.
But there is ONE little guy hiding as it got only ONE hit and so is obscured by the graphs.

I want to parse the lookups and see the main ones done - just to be sure - but any anomalies should also be shown.

So, if you have a site with only ONE hit: Who was it? Is it happening every day (or regularly enough that it is/could/may be) malicious?

Unless you look through the pages and pages of log data and manually parse each one....
It seems difficult.

Passing it through a program that notes sites and builds a trend of them: you would quickly see any rogue ones.

Yeah, I need a life.
:wink:

If you don't know how to use SQL commands to read an SQLite3 database, you can use tools like this one:

What do you mean? There is nothing hidden.

Everything stored in the database is processed or generated by FTL and Pi-hole core.
Feel free to read the source code.

Ok, my fault, sorry.

It isn't HIDDEN, but it is .... obscured (?) because it is only happening now and then.

My take on How things work:

You browse. Cookies, trackers etc.

They are all shown in the log file and there.
But when you have........ 500+ tabs open there are a lot of things happening per session.

Looking through all the sites, and all their trackers is/can be painful.

Now, I shall say that being OWNED and being Hacked are two different things.

OWNED is when you are basically .... owned by a third party and all your data is known to them.

Hacked is when you have nasties living on your machine that now and then report home to their parents with data you may not want to share.

I'll admit now: I'm not sure if that is how things work, but......

If they are happening all the time, you would see these sites clearly in the log files.
But if they are now and then you may well overlook them.

So (yes, via external programs) you ..... index the data and look for rogue ones that only happen now and then, you can better find/see/identify this sort of stuff.

So, being bored, I thought it would be nice to try to look at the data in a more user-friendly way.

It is just a passing (? maybe ?) interest and an excuse/reason to explore the world of databases and how to get information from them.

(Second post only to not keep editing the one before)

Ok, that may be bad example.

Another one - which may be better - I hope.

You go to a site and it starts tracking you. (Ok, whatever that means but please indulge my stupidity for now)

Over the weeks, it is sending tracking data back to .... whomever. Unknown to you.

You have never visited the sites where it is sending its data before that date/day.

The logs look normal.

Going through the data a sudden start of a new URL would be detected and you notified.

If it is one you know, all well and good.
But as you don't go to that site, it raises alarms to you and you can then block that site.

Is that a better example/explanation of my fears?
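
The analysis described in the posts above (rare domains, and domains that suddenly start appearing), as an added example that is not part of the original thread or Pi-hole's own code. It assumes the `queries` table and column names from Pi-hole's query database documentation; the rows, clients and domains are constructed sample data.

```python
import sqlite3

DAY = 86400
NOW = 1_700_000_000  # constructed "current time" for the sample data

def sample_db():
    """In-memory stand-in for pihole-FTL.db; schema assumed, all rows constructed."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE queries (id INTEGER PRIMARY KEY, timestamp INTEGER, "
                "type INTEGER, status INTEGER, domain TEXT, client TEXT, forward TEXT)")
    rows = []
    for d in range(30):  # a month of busy, routine lookups
        rows += [(NOW - d * DAY, "www.google.com", "192.168.1.10")] * 20
    for d in range(5):   # one quiet lookup per day, started 5 days ago
        rows.append((NOW - d * DAY, "beacon.example.net", "192.168.1.23"))
    rows.append((NOW - 12 * DAY, "oneoff.example.org", "192.168.1.10"))
    con.executemany("INSERT INTO queries (timestamp, type, status, domain, client) "
                    "VALUES (?, 1, 2, ?, ?)", rows)
    return con

def rare_domains(con, max_hits=5):
    """Low-volume domains: hit count, distinct days seen, and which clients asked."""
    return con.execute(
        "SELECT domain, COUNT(*) AS hits, "
        "       COUNT(DISTINCT timestamp / 86400) AS days_seen, "
        "       GROUP_CONCAT(DISTINCT client) AS clients "
        "FROM queries GROUP BY domain HAVING hits <= ? "
        "ORDER BY days_seen DESC, hits DESC", (max_hits,)).fetchall()

def new_domains(con, now, window_days=7):
    """Domains whose first-ever lookup falls inside the last window_days."""
    return con.execute(
        "SELECT domain, MIN(timestamp) AS first_seen, COUNT(*) AS hits, "
        "       GROUP_CONCAT(DISTINCT client) AS clients "
        "FROM queries GROUP BY domain HAVING first_seen >= ? "
        "ORDER BY first_seen", (now - window_days * DAY,)).fetchall()

if __name__ == "__main__":
    con = sample_db()
    for row in rare_domains(con):
        print("rare:", row)
    for row in new_domains(con, NOW):
        print("new: ", row)
```

To run the same two functions against the real database, open it read-only with `sqlite3.connect("file:/etc/pihole/pihole-FTL.db?mode=ro", uri=True)` and pass the current Unix time as `now`. A domain with few hits but a high `days_seen` is the "now and then, but regularly" pattern the posts describe.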

Have a look at auditing:

http://pi.hole/admin/auditlog.php


Wow, that looks like fun.

Ok, I'll buzz off and see what that gives me.

Forgive me, but I'm not ..... seeing things as shown on the link.

Yeah, ok, I am also a bit behind on updates/versions.
But not years.

The animated pictures are disjointed - for me - in how to get TO them.

This is all I see when I open the audit log link.

Whereas on the link there are these amazing graphs etc.

Ah....

Maybe this:

  [✓] Update local cache of available packages
  [i] Existing PHP installation detected : PHP version 7.3.31-1~deb10u7

  [✓] Checking apt-get for upgraded packages... up to date!

  [i] Checking for / installing Required dependencies for OS Check...
  [✓] Checking for grep
  [✓] Checking for dnsutils

  [✗] Unsupported OS detected: Raspbian 10
      If you are seeing this message and you do have a supported OS, please contact support.

      https://docs.pi-hole.net/main/prerequisites/#supported-operating-systems

      If you wish to attempt to continue anyway, you can try one of the following commands to skip this check:

      e.g: If you are seeing this message on a fresh install, you can run:
             curl -sSL https://install.pi-hole.net | sudo PIHOLE_SKIP_OS_CHECK=true bash

           If you are seeing this message after having run pihole -up:
             sudo PIHOLE_SKIP_OS_CHECK=true pihole -r
           (In this case, your previous run of pihole -up will have already updated the local repository)

      It is possible that the installation will still fail at this stage due to an unsupported configuration.
      If that is the case, you can feel free to ask the community on Discourse with the Community Help category:
      https://discourse.pi-hole.net/c/bugs-problems-issues/community-help/


  Unable to complete update, please contact Pi-hole Support

No, that's the proper screen for the audit logs.
It's explained if you scroll down a bit in the blog:

EDIT: Takes a moment to audit them all at first.
But if new domains appear, they will show for you to inspect and audit.

Is BUSTER still supported? (Semi rhetorical)

(see above error)

It is a RasPi 2.... Not 3. And I don't have a spare 3 just lying around.
The machine does other things too - luckily not too much on hardware - but I've heard that some of the new releases have problems with things.
I haven't really paid much attention to it as it hasn't been a real cause for concern. Until now.

No (but you can install using the environment variable).

Then I have a problem.

:frowning:

If this is what I have:

Are those features available for me?

No:

$ dig +short versions.pi-hole.net txt
"Raspbian=11,12 Ubuntu=20,22,23,24 Debian=11,12 Fedora=39,40 CentOS=9"

Mine is a:

$ cat /proc/device-tree/model
Raspberry Pi Model B Rev 1
$ hostnamectl
[..]
  Operating System: Raspbian GNU/Linux 10 (buster)

No, you don't.

It is not officially supported, but Pi-hole will probably work in buster.


Well, it has for the past..... couple of years.

So I am not meaning it that way.

Sorry for the confusion there.

What features?
You already have the audit logs feature from that screenshot you've posted.

Ok, I am not familiar with this stuff/part of how things work.

As I explained - I hope - I go to the audit log and get the screen shown.

Opening the link showing all the New features I see lovely animated pictures how you can get graphs of things.

For me, there is the disconnect that it SHOWS you the graphs, etc. But not HOW TO GET THERE.
I make a 2 by 4 look rather smart sometimes.

I would suggest to back up settings with the Pi-hole teleporter, flash the SD fresh with the latest Pi-OS release, install Pi-hole and import the teleporter backup.
In-place (major) upgrades are discouraged by the Raspi foundation.

That link shows MANY screens. You need to scroll the page to see the "audit log" image, but YOU ALREADY POSTED THE CORRECT IMAGE.

This is the Audit Log page:

Thanks.

Yeah.

I did (and got away with) upgrading it from....... Jessie?
I don't know. It is a Poor machine that is sitting there doing other things as well.
(Well, not quite mission critical but up there.)

It would be nice if I could get a new SD card, get it up to speed with this one and TRY BEFORE YOU BUY to see if the new O/S (and things) would work.

I am not too keen to take this one offline to try.