The new syslog-ng is not fully baked. I have remote syslogs being sent for over a year. I created a new log analysis for further testing and duplicated the current destination (System>>Settings>>Logging/Targets) and update the duplicate with the new IP address. After a few hours troubling shooting, noticed tcpdump didn't yield any results. I rebooted OPNsense and started receiving logs but not the same as the duplicated instance. I utilized a network tap and moloch to capture the traffic (full packet capture). Next, I filtered on port 5140 saw OPNsense sending to two instances. Upon analysis of the traffic, I noticed the original had what I needed but the newly setup instances is only receiving NTPD logs. Settings are identical...what the heck is going on and why are this settings not taking?
I really have enjoyed OPNsesne but looking to make the switch back to pfSense where things just work a little better.
I'm wondering if the following OPNsense commit fixed the issue you might be having:
https://github.com/opnsense/core/commit/cda4e3561f511fb75a7a7922b329d5581ae2c3b7 (https://github.com/opnsense/core/commit/cda4e3561f511fb75a7a7922b329d5581ae2c3b7)
Not aware of any issues with the config, maybe you can share your settings preferably by screenshot.
The particular patch was for syslog-ng crashing due to a race on the socket creation.
Cheers,
Franco
I did a clean install today and everything is now working....weird.
I had a very stable machine (HP 290 w/Celeron G4900 3.1GHz 4GB RAM 16GB NVME) running 20.1.1, CPU use was typically about 15% and would occasionally bump up to 60%. The system ran for 60 days continuous uptime, no issues.
I upgraded to 20.1.5 today, and it is now running at 60% CPU (idle) and spiking up to 100%, with temps 10-15 degrees C higher than before.
The activity log shows the culprit is syslog-ng which is using 60+% of WCPU.
Anyone else having this problem? Wondering how to fix it, other than just shutting down the syslog service.