OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: MrEnergy on February 02, 2022, 07:01:04 PM

Title: (Resolved) After Upgrade from 21.7 to 22.1, firewall logging stopped
Post by: MrEnergy on February 02, 2022, 07:01:04 PM
Solution: that alias 9700 was broken and this stopped the logging from working (for whatever reason). I found another hint in this forum, for when you cannot delete an alias: I renamed it and applied; suddenly the console was overloaded with error messages and rebooted.

After the reboot the alias still had the old name; I tried to rename it again, and this time it worked. After applying the renamed alias, the firewall started logging again!! ???

Today I upgraded my working OPNsense 21.7 to 22.1; after several reboots, firewall logging stopped.

OPNsense 22.1-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1m 14 Dec 2021

Intel(R) Xeon(R) CPU E5-2687W v2 @ 3.40GHz (4 cores, 4 threads)

VM Server 6.7 u3

root@gedu-opn:/var/log # service -e
/etc/rc.d/hostid
/etc/rc.d/hostid_save
/etc/rc.d/cleanvar
/etc/rc.d/kldxref
/etc/rc.d/ip6addrctl
/etc/rc.d/rctl
/etc/rc.d/mixer
/etc/rc.d/devmatch
/etc/rc.d/netif
/etc/rc.d/resolv
/etc/rc.d/devd
/usr/local/etc/rc.d/syslog-ng
/etc/rc.d/newsyslog
/etc/rc.d/os-release
/etc/rc.d/dmesg
/etc/rc.d/virecover
/etc/rc.d/gptboot
/etc/rc.d/motd
/etc/rc.d/syslogd
/etc/rc.d/savecore
/usr/local/etc/rc.d/flowd_aggregate
/usr/local/etc/rc.d/elasticsearch
/usr/local/etc/rc.d/eastpect
/usr/local/etc/rc.d/snmpd
/usr/local/etc/rc.d/c-icap
/usr/local/etc/rc.d/flowd
/usr/local/etc/rc.d/suricata
/usr/local/etc/rc.d/zabbix_agentd
/usr/local/etc/rc.d/squid
/etc/rc.d/cron
/usr/local/etc/rc.d/redis
/usr/local/etc/rc.d/clamav-clamd
/usr/local/etc/rc.d/clamav-freshclam
/etc/rc.d/bgfsck


I've tried several possible solutions (googled) like deleting all log files, restarting the syslog-ng service, clearing logs via the GUI, and so on. Nothing helped.

root@gedu-opn:/var/log # ls -la /var/log
total 88
drwxr-xr-x  22 root           wheel          1024 Feb  2 18:28 .
drwxr-xr-x  31 root           wheel           512 Jan 25 08:09 ..
drwx------   2 root           wheel           512 Feb  2 18:01 audit
drwxr-x---   2 c_icap         c_icap          512 Feb  2 17:08 c-icap
drwxr-xr-x   2 clamav         clamav          512 Feb  2 17:08 clamav
drwx------   2 root           wheel           512 Feb  2 18:01 configd
drwx------   2 root           wheel           512 Feb  2 16:58 dhcpd
drwxr-xr-x   2 elasticsearch  elasticsearch   512 Feb  2 17:07 elasticsearch
drwx------   2 root           wheel          1024 Feb  2 16:58 filter
drwx------   2 www            www             512 Feb  2 18:01 lighttpd
drwxr-x---   2 root           wheel           512 Feb  2 16:58 maltrail
drwxr-xr-x   2 root           wheel          2560 Feb  2 18:20 ntp
drwx------   2 root           wheel           512 Feb  2 18:01 ntpd
drwx------   2 root           wheel           512 Feb  2 18:06 pkg
drwx------   2 root           wheel           512 Feb  2 18:01 portalauth
drwxr-xr-x   2 redis          redis           512 Feb  2 17:06 redis
drwx------   2 root           wheel           512 Feb  2 18:01 resolver
drwx------   2 root           wheel           512 Feb  2 16:58 routing
drwxr-x---   2 squid          squid           512 Feb  2 17:08 squid
drwx------   2 root           wheel           512 Feb  2 18:01 suricata
drwx------   2 root           wheel           512 Feb  2 18:01 system
drwxrwx---   2 zabbix         zabbix          512 Feb  2 16:58 zabbix
root@gedu-opn:/var/log #

Anything else you need for investigation or possible solution?

Also, there are no syslog streams to my syslog server anymore. The pflog0 file is empty:

root@gedu-opn:/var/log # tcpdump -n -e -ttt -i pflog0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 262144 bytes

Update: when I enable logging on allowed rules via the GUI, I see the following messages on the console:

user xxxx@x.x.x.x changed configuration to /conf/backup/config-1643828188.9265.xml in /firewall_rules.php [/firewall_rules.php made changes]

Then I press the apply button and I see:

/usr/local/etc/rc.filter_configure: There were error(s) loading the rules: /tmp/rules.debug:131: syntax error - The line in question reads [131]: 9700 = "{ }"

My next try is to recreate some of my hundreds of rules, to see if the upgrade broke the rule sets.

Update: not sure if this could be the issue, but when I try to delete that 9700 alias, I get a message:

Cannot delete alias. Currently in use by
[aliases.alias.1e2ff2a5-c6ad-4fc8-9015-7be8e1d335b3] 9700

but I have no rules which include the port 9700 alias?!
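The line the post quotes from /tmp/rules.debug, `9700 = "{ }"`, is a pf macro definition, and pf.conf(5) requires macro names to start with a letter; a name that starts with a digit makes pf reject the whole file with a syntax error, so none of the rules load, including the ones that log to pflog0, which matches the empty tcpdump capture above. The script below is an added example, not code from the post or from OPNsense: it scans a generated ruleset in the shape of /tmp/rules.debug for macro names pf will not accept and for aliases that expanded to an empty set (the other sign of a broken alias in the post), and offers a parse-only dry run with `pfctl -nf` where pfctl is installed. The sample ruleset is constructed and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the forum post or from OPNsense.
# Scans a pf ruleset in the shape of OPNsense's /tmp/rules.debug for
# macro definitions that pf will not load. Two checks:
#   bad-name     macro name does not start with a letter (pf.conf(5)
#                requires that; "9700 = ..." lexes as a number and the
#                whole file is rejected with a syntax error)
#   empty-value  macro expands to "{ }" or "", i.e. an alias with no members
# Output: one line per finding, "<line>:<reason>:<name>".

check_pf_macros() {
    awk '
        # a macro definition looks like:  NAME = "..."
        $0 ~ /^[A-Za-z0-9_]+[ \t]*=[ \t]*"/ {
            match($0, /^[A-Za-z0-9_]+/)
            name = substr($0, RSTART, RLENGTH)

            value = $0
            sub(/^[^"]*"/, "", value)    # drop everything up to the opening quote
            sub(/"[ \t]*$/, "", value)   # drop the closing quote
            gsub(/[{}]/, "", value)      # braces carry no members themselves

            if (name !~ /^[A-Za-z]/) {
                printf "%d:bad-name:%s\n", NR, name
            } else if (value ~ /^[ \t]*$/) {
                printf "%d:empty-value:%s\n", NR, name
            }
        }
    ' "$1"
}

# Number of findings, usable as a pre-apply gate (0 means clean).
count_pf_macro_findings() {
    check_pf_macros "$1" | wc -l | tr -d ' '
}

# Parse-only dry run with pfctl (-n parses, nothing is loaded), so it is
# safe on a live firewall. Skipped where pfctl is not installed.
pf_dry_run() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not available; skipping parser dry run" >&2
    fi
}

# Constructed sample in the shape of /tmp/rules.debug (not real OPNsense output).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample ruleset
web_ports = "{ 80 443 }"
9700 = "{ }"
stale_ports = "{ }"
table <LanHosts> persist
pass in log quick proto tcp from any to any port $web_ports
EOF

check_pf_macros "$SAMPLE"
echo "findings: $(count_pf_macro_findings "$SAMPLE")"
pf_dry_run "$SAMPLE"
```

On the firewall itself, point `check_pf_macros` and `pf_dry_run` at /tmp/rules.debug right after the GUI reports a load error; the finding's line number should match the `/tmp/rules.debug:131` position in the error message, and the name it prints is the alias to rename or repair in the GUI.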