OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: c-mu on October 26, 2023, 11:34:15 AM

Title: howto use livelog correctly
Post by: c-mu on October 26, 2023, 11:34:15 AM
Please help me to understand the live log correctly. I am having extreme problems looking up anything there for debugging purposes. I mostly switch back to TCPDUMP.

For example I have a mailserver. I go into the livelog, enter the filter "src IP mailserver" or "dst IP mailserver" and nothing is displayed.
Neither my ping tests, nor the mails coming in, nor anything else.

At the same time, several mails per second go through this server, but I can't see anything in the livelog.

Do I need to check "enable logging" everywhere in the ruleset?

The mail server is in a DMZ, which means that all connections have to go through the firewall and therefore have to be visible in the livelog.

Maybe I have too many connections, so it can't show up in the livelog? I do not know exactly where I see the active connections, but the firewall has 32k active states.

Don't get me wrong: when I run the livelog without a filter, I see dozens of entries that change very quickly.
Title: Re: howto use livelog correctly
Post by: tiermutter on October 26, 2023, 11:39:36 AM
Is this traffic shown in live log without filters set?
Is logging of default allow traffic or for specific rule enabled?
Title: Re: howto use livelog correctly
Post by: c-mu on October 26, 2023, 12:19:53 PM
I think I have now understood how OPNsense thought of it.
First I disabled the default log rules:

Log packets matched from the default block rules put in the ruleset
Log packets matched from the default pass rules put in the ruleset
Log packets processed by automatic outbound NAT rules

So there are much(!!) fewer entries in the live log. And if I now activate "enable logging" in a firewall rule, it also appears in the live log.

Are there any best practices for which rules should be logged by default?
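As an added example (not from this thread or from the OPNsense project), a small Python parser that does offline what the live log's "src IP"/"dst IP" filter does: it reads filterlog CSV entries, keeps those where the mail server address is source or destination, and groups the hits by rule label and action, which makes it obvious that only rules with logging enabled ever produce an entry. The CSV field layout is assumed from pf's filterlog format, and the sample lines and rule labels are constructed.

```python
"""Filter OPNsense filterlog (pf) CSV entries by source/destination IP.

Field layout assumed from the pf filterlog CSV format; the sample lines
and rule labels below are constructed, not captured from a real firewall.
"""
from collections import Counter

# Constructed sample lines. Only rules with logging enabled write entries,
# so a passing rule without "log" set never appears here at all.
SAMPLE_LOG = """\
12,,,02f4bab031b57d1e30553ce08e0ec131,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.10,192.0.2.25,51234,25,0,S,1,,65535,,mss
13,,,1e8f2c0e2ae6b8d2b8f4d60e1b8f4c31,igb1,match,block,in,4,0x0,,64,0,0,none,6,tcp,60,198.51.100.7,192.0.2.25,40000,22,0,S,2,,65535,,mss
12,,,02f4bab031b57d1e30553ce08e0ec131,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.0.2.25,203.0.113.10,25,51234,0,S,3,,65535,,mss
14,,,9b1a6e6c4d2f4b3c8a1d2e3f4a5b6c7d,igb1,match,pass,in,6,0x00,,64,udp,17,100,2001:db8::10,2001:db8::25,53000,53,92
"""

def parse_entry(line):
    """Return a dict for one CSV entry, or None if the line is malformed."""
    f = line.strip().split(",")
    if len(f) < 17:
        return None
    entry = {"rulenr": f[0], "label": f[3], "iface": f[4], "action": f[6], "dir": f[7]}
    if f[8] == "4":           # IPv4: protocol name at 16, src/dst at 18/19
        proto, src, dst, ports = f[16], f[18], f[19], f[20:22]
    elif f[8] == "6":         # IPv6: protocol name at 12, src/dst at 15/16
        proto, src, dst, ports = f[12], f[15], f[16], f[17:19]
    else:
        return None
    entry.update(proto=proto, src=src, dst=dst)
    if proto in ("tcp", "udp") and len(ports) == 2:
        entry["sport"], entry["dport"] = ports
    return entry

def filter_by_host(text, host):
    """Entries where host is src or dst, like the live log's src/dst IP filter."""
    return [e for e in map(parse_entry, text.splitlines()) if e and host in (e["src"], e["dst"])]

def rules_seen(entries):
    """Count entries per (rule label, action): shows which logged rules produced them."""
    return Counter((e["label"], e["action"]) for e in entries)

if __name__ == "__main__":
    hits = filter_by_host(SAMPLE_LOG, "192.0.2.25")   # constructed mail server address
    for e in hits:
        print(f'{e["action"]:5} {e["dir"]:3} {e["proto"]} {e["src"]} -> {e["dst"]} rule {e["label"]}')
    for (label, action), n in rules_seen(hits).items():
        print(f"{n} entries from rule {label} ({action})")
```

If the host you filter for produces no hits even though traffic is flowing, the rule that matches it has logging disabled, not the filter.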
Title: Re: howto use livelog correctly
Post by: tiermutter on October 26, 2023, 12:34:05 PM
Yes, that is why I asked... when logging is not enabled, it will not be shown in live log ;)

To reduce wear on my SSD I am only logging very few actions/rules in everyday life, especially forwards and blocks for DNS purposes or blocks of some filter lists (to detect malicious activity).
This means that I can see about 2 weeks back in the livelog with 1000 entries.
If I need to debug, I will enable logging for affected rules temporarily.