OPNsense Forum
Archive => 21.1 Legacy Series => Topic started by: adk20 on June 17, 2021, 12:15:59 am
-
After the update to 21.1.7, the Suricata alert log (Services > Intrusion Detection > Administration > Alerts) appears to be broken for me.
I can see the newest 7 entries (default setting). When changing the number of entries per page or viewing another page than the first, I see old entries from before the update. To see the newest 7 again, I need to navigate to an entirely different page (e.g. Lobby) and then go back to the alert log. Then the same happens again.
Rebooting and deleting the alert log didn't help. Neither did clearing my browser cache.
Any feedback is much appreciated.
-
The 21.1.7_1 hotfix did not solve this problem for me. Any ideas as to what might be the cause of this bug?
-
Hotfix was for pfTables page and DNS API resolver consumers, not for intrusion detection / log files. So far nobody else reported what you are seeing.
Are you sure this is a problem with the page and not with the log file / logging settings in intrusion detection? Might be best to clear the log and see if that helps.
Cheers,
Franco
-
@Franco, thanks for your response.
Unfortunately, deleting the log file does not fix the issue. I am also unsure which setting should cause this odd behavior. Any hints in this regard are much appreciated. However, I would think that the GUI does not allow you to configure settings that break functionality!?
Moreover, the issue only arose after the upgrade to 21.1.7. I haven't touched the Suricata log settings in months.
When I open one of the logs from the previous weeks, everything works as expeced. Flipping through the pages, changing entries per page and so on.
In the current log, I can only view the first seven entries. Clicking through the pages or changing the number of entries per page etc. results in a blank page - "no results found!".
I did reset the log and deleted this and last weeks' logs. A new log with a fresh time stamp is created but, alas, the problem persists.
On a side note: What I noticed before but didn't pay much attention to is that when I have 50 entries per page displayed, the following is displayed at the bottom of the page: "Showing 1 to 7 of 51 entries". Has anyone else observed this?
I am at my wit's end. Any clues are much valued.
Cheers,
adk
-
I have just checked it. The error occurs before Opnsense 21.1.7. In my case since last 13th. I have cleared the browser cache, updated Opnsense to 21.1.7.1 and the problem persists.
-
Maybe https://github.com/opnsense/core/commit/644b647cf
# opnsense-patch 644b647cf
Cheers,
Franco
-
Solved. I cleared the alert log and it seems to be working. Before that it had gone from 7 results to 50 results in the alert log. When I went back to 7 results it was showing the data correctly. I still deleted all the alert logs.
-
Fixed without applying the new patch.
-
I was wrong, it is not solved, you have to apply the patch. When reloading the results of the alerts they disappear.
-
This is all rather fishy to be honest...
Cheers,
Franco
-
I don't know what you mean by suspicious. We just want to help things run smoothly. I've posted a lot of screenshots explaining the problem and the possible solutions I've been able to find. If you think it's bad that we're trying to help you find and fix problems, just say so.
-
To me it is simply unclear from the multiple posting structure if you applied the patch, how much success you had or how it was different or if the problem persisted.
-
I posted the comments and images in order as things happened, as is logical and normal and without having applied the patch and the problem was not solved. It couldn't be clearer. Now I have applied the patch and it seems that the problem has been solved.
-
After applying the new patch, all alerts are well recorded.
-
The problem is that the number of results does not correspond to the number of page views. This has not been resolved with the new patch.
I hope this is clear to you. It would be appreciated if you could be nicer to those of us who just want to help.
-
Thanks to all trying to shed some light on this matter. I truly appreciate your efforts.
I assume the patch Franco mentioned will be incorporated in the next release of OpnSense, right?
So I will be patient and see whether the problem will disappear with the next update.
@Franco: Could you meanwhile reproduce the issue?
-
I can reprocude this as well.
Without patch:
- Go to alerts
- Change Page or count from 7 to X
- Alerts completly disappear even when changing back to 7
With patch:
- changing count from 7 does not have any effect
- changing page works
Question beside that, why 7? Any chance to default this to something usefull?
-
I can reprocude this on our opnsense:
OPNsense 21.1.7_1-amd64
FreeBSD 12.1-RELEASE-p18-HBSD
OpenSSL 1.1.1k 25 Mar 2021
(https://i.imgur.com/WQRiJyh.gif)
-
I can confirm that I'm seeing the same thing. It's hard to tell if the UI is displaying all alerts or not. The date selector UX seems odd / broken to a new user given the fact that there's nothing select-able (date / time range, etc).
Also on the latest hotfix.
-
the same happened to me. the same problem, exactly the same.
-
There was an issue with the previous patch, see https://github.com/opnsense/core/commit/e2bc22ebda9b
Cheers,
Franco
-
Is this issue solved?. How can solve it?.
-
# opnsense-patch 644b647cf e2bc22ebda9b
Cheers,
Franco
-
Many thanks franco. I'll try it soon.
Regards