OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: senpai on August 29, 2019, 10:49:53 PM

Title: Upgraded from 19.1. to 19.7 and firewall rule logging has stopped
Post by: senpai on August 29, 2019, 10:49:53 PM
Upgrade went without a hitch, except that the logging rules I had set for my LAN and WAN firewall rules are not being sent over syslog any more. I use Splunk as my log aggregator and investigation tool.

The only events being sent over are from System->Settings->Logging->Remote Logging Options->Remote Syslog Content.

I checked: Firewall->Rules->LAN and double-checked that Logging is checked off. I turned it off, saved and turned it back on, but still no events.

I have manually rebooted the box a few times, but no changes there.

Here is a copy/pasta of legacy-remote.conf (syslog-ng-destinations is empty):


destination d_legacy_remote {
    network("192.168.1.151:514" transport("udp") port(514) ip-protocol(4) );
};



# section filters
filter f_remote_system {
    not facility(daemon, local0, local1, local2, local3, local4, local5, local6, local7, user);
};
filter f_remote_filter {
    program(filterlog);
};
filter f_remote_dhcp {
    program("dhcrelay") or
    program("dhcpd");
};
filter f_remote_dns {
    program("unbound") or
    program("dnsmasq");
};
filter f_remote_mail {
    program("postfix");
};
filter f_remote_portalauth {
    program("captiveportal");
};
filter f_remote_vpn {
    program("l2tps") or
    program("poes") or
    program("pptps") or
    program("charon") or
    program("openvpn") or
    program("tinc*");
};
filter f_remote_ids {
    program("suricata");
};
filter f_remote_apinger {
    program("dpinger");
};
filter f_remote_relayd {
    program("haproxy") or
    program("relayd");
};
filter f_remote_hostapd {
    program("hostapd");
};

### log section system ####
log {
    source(s_all);
    filter(f_remote_system);
    destination(d_legacy_remote);
};
### log section filter ####
log {
    source(s_all);
    filter(f_remote_filter);
    destination(d_legacy_remote);
};
### log section portalauth ####
log {
    source(s_all);
    filter(f_remote_portalauth);
    destination(d_legacy_remote);
};
### log section vpn ####
log {
    source(s_all);
    filter(f_remote_vpn);
    destination(d_legacy_remote);
};
### log section ids ####
log {
    source(s_all);
    filter(f_remote_ids);
    destination(d_legacy_remote);
};
### log section apinger ####
log {
    source(s_all);
    filter(f_remote_apinger);
    destination(d_legacy_remote);
};

Title: Re: Upgraded from 19.1. to 19.7 and firewall rule logging has stopped
Post by: senpai on August 30, 2019, 03:54:44 AM
[UPDATE] - not resolved by normal means, but I installed a Splunk Forwarder agent and I am currently forwarding /var/log/filter.log to my Splunk servers directly, in real-time. 

A band-aid job for sure, but still very puzzling why /var/log/filter.log is not being sent when others are.
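
An added example, not part of the original posts and not OPNsense's own code: a small Python audit that parses a legacy-remote.conf-style file and reports which filters actually sit on a log path to d_legacy_remote. The sample is a constructed excerpt of the config pasted in the first post; `audit` and `program_is_forwarded` are hypothetical helper names, and program() values are compared as literal strings, which is a simplification of how syslog-ng matches them.

```python
import re

# Constructed excerpt of the legacy-remote.conf pasted in the first post
# (three of its filters and two of its log paths, to keep the sample short).
SAMPLE_CONF = '''
filter f_remote_system {
    not facility(daemon, local0, local1, local2, local3, local4, local5, local6, local7, user);
};
filter f_remote_filter {
    program(filterlog);
};
filter f_remote_dns {
    program("unbound") or
    program("dnsmasq");
};
log {
    source(s_all);
    filter(f_remote_system);
    destination(d_legacy_remote);
};
log {
    source(s_all);
    filter(f_remote_filter);
    destination(d_legacy_remote);
};
'''

def audit(conf, dest="d_legacy_remote"):
    """Return ({routed filter: its program() names}, [filters never routed to dest])."""
    # Filter definitions: name -> program() names the filter matches on.
    defined = {}
    for name, body in re.findall(r'^filter\s+(\w+)\s*\{(.*?)^\};', conf, re.S | re.M):
        defined[name] = re.findall(r'program\(\s*"?([^")\s]+)"?\s*\)', body)
    # Log paths: collect the filters of every path that ends at dest.
    routed = set()
    for body in re.findall(r'^log\s*\{(.*?)^\};', conf, re.S | re.M):
        if dest in re.findall(r'destination\((\w+)\)', body):
            routed.update(re.findall(r'filter\((\w+)\)', body))
    return {n: defined.get(n, []) for n in sorted(routed)}, sorted(set(defined) - routed)

def program_is_forwarded(conf, program, dest="d_legacy_remote"):
    """True if a log path to dest uses a filter that names this program."""
    # Literal comparison only (assumption); syslog-ng itself treats the value as a pattern.
    routed, _ = audit(conf, dest)
    return any(program in progs for progs in routed.values())

if __name__ == "__main__":
    routed, unrouted = audit(SAMPLE_CONF)
    print("routed:", routed, "| defined but not routed:", unrouted)
    print("filterlog forwarded:", program_is_forwarded(SAMPLE_CONF, "filterlog"))
```

Run against the full file from the first post, this reports f_remote_filter as routed to d_legacy_remote, so a missing log path in that file does not explain the missing firewall events.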