OPNsense Forum

English Forums => 24.7, 24.10 Legacy Series => Topic started by: tekgeek on September 10, 2024, 07:01:21 PM

Title: IPS/IDS filling my log file
Post by: tekgeek on September 10, 2024, 07:01:21 PM
I enabled IPS/IDS last night using "ETPRO Telemetry edition". I assume this is causing the log to fill with:

Notice   send_telemetry.py   telemetry data collected 16 records in 0.01 seconds

every 60 seconds. Is there a way to keep this from getting logged? It makes the "Live Log" widget absolutely useless.
Title: Re: IPS/IDS filling my log file
Post by: doktornotor on September 10, 2024, 07:30:21 PM
It's actually worse...  perhaps the below ticket should be renamed to "stop logging useless IDS junk".

https://github.com/opnsense/core/issues/7101
Title: Re: IPS/IDS filling my log file
Post by: planetf1 on September 10, 2024, 07:46:39 PM
Interesting - I posted earlier to https://forum.opnsense.org/index.php?topic=42729.0
and also to the suricata board https://community.emergingthreats.net/t/opnsense-suricata-rule-update-for-et-telemetry/1952/2
Title: Re: IPS/IDS filling my log file
Post by: doktornotor on September 10, 2024, 07:49:54 PM
This is the offending line - https://github.com/opnsense/plugins/blob/5a02d3867d5e074837a1de8af7ffbaa46552a89f/security/etpro-telemetry/src/opnsense/scripts/etpro_telemetry/send_telemetry.py#L82

Feel free to file another ticket about it. Should be DEBUG at best. No one cares about such nonsense.
Title: Re: IPS/IDS filling my log file
Post by: tekgeek on September 10, 2024, 07:54:48 PM
AdSchellevis' attitude seems to be fix it yourself and give us your code or deal with it. It's kinda feeling like pfSense over here. I understand they are in the middle of a major GUI transition, but this seems like a sensible change and something that someone who works on OPNsense often could do one-handed in a few minutes. I wouldn't know where to start. I love OPNsense and I'm not going anywhere, but that interaction leaves a bad taste in my mouth.
Title: Re: IPS/IDS filling my log file
Post by: doktornotor on September 10, 2024, 07:58:31 PM
Well, they have some deal with the signature vendor about telemetry. However, it should be kept within reasonable limits.

Finally did a PR for the original issue which should significantly (~40x) reduce the logs for the stats at least.  https://github.com/opnsense/core/pull/7857
Title: Re: IPS/IDS filling my log file
Post by: tekgeek on September 10, 2024, 08:06:13 PM
I looked for a PR before I responded before. I see it now. I really don't care how often they send the data. Just make the logs sensible. Maybe collate the data and log it every hour.

Thank you for your help and the PR.
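The two suggestions in this thread, logging the per-minute "telemetry data collected" line at DEBUG instead of NOTICE and collating the stats into one summary per hour, can be shown together in a small Python sketch. This is an added example written for this thread; it is not the etpro-telemetry plugin's send_telemetry.py and does not read OPNsense logs. The class and function names (TelemetrySummaryLogger, simulate, ListHandler), the fake clock and the 16-records / 0.01-second sample values are constructed for the demonstration. The one real detail it leans on is that Python's logging module has no NOTICE level, so one is registered between INFO and WARNING to mirror syslog priority order.

```python
import logging
import time

# Python logging ships INFO (20) and WARNING (30) but no syslog-style NOTICE;
# register one in between so the demo can use the same level names as the log widget.
NOTICE = 25
logging.addLevelName(NOTICE, "NOTICE")


class ListHandler(logging.Handler):
    """Keeps formatted records in a list so the demo can inspect what got through."""

    def __init__(self, level=logging.NOTSET):
        super().__init__(level)
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


class TelemetrySummaryLogger:
    """Hypothetical squelch layer for a periodic telemetry job.

    Each run is logged at DEBUG (invisible at a NOTICE or INFO threshold);
    the accumulated counts are logged once at NOTICE per summary_interval seconds.
    """

    def __init__(self, logger, summary_interval=3600, clock=time.monotonic):
        self.logger = logger
        self.summary_interval = summary_interval
        self.clock = clock            # injectable so the demo can use a fake clock
        self.window_start = clock()
        self.runs = 0
        self.records = 0
        self.elapsed = 0.0

    def record_run(self, records, seconds):
        """Account for one collection run; flush a summary when the window is full."""
        self.runs += 1
        self.records += records
        self.elapsed += seconds
        self.logger.debug("telemetry data collected %d records in %.2f seconds", records, seconds)
        now = self.clock()
        if now - self.window_start >= self.summary_interval:
            self.flush(now)

    def flush(self, now=None):
        """Emit one NOTICE line for the whole window and reset the counters."""
        now = self.clock() if now is None else now
        self.logger.log(
            NOTICE,
            "telemetry summary: %d runs, %d records, %.2f seconds total over %.0f s",
            self.runs, self.records, self.elapsed, now - self.window_start,
        )
        self.window_start = now
        self.runs = 0
        self.records = 0
        self.elapsed = 0.0


def simulate(runs=60, period=60, summary_interval=3600, threshold=NOTICE):
    """Feed `runs` constructed telemetry runs spaced `period` seconds apart through
    the squelch layer and return the log lines that pass a handler set to `threshold`."""
    logger = logging.getLogger("send_telemetry_demo")
    logger.handlers.clear()           # keep repeated calls independent of each other
    logger.setLevel(logging.DEBUG)    # the logger passes everything; the handler filters
    logger.propagate = False
    handler = ListHandler(level=threshold)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)

    now = [0.0]                       # fake monotonic clock, advanced by the loop
    squelch = TelemetrySummaryLogger(logger, summary_interval, clock=lambda: now[0])
    for _ in range(runs):
        now[0] += period
        squelch.record_run(records=16, seconds=0.01)   # constructed sample values
    return handler.lines


if __name__ == "__main__":
    # One hour of minute-by-minute runs at a NOTICE threshold: a single summary line.
    for line in simulate():
        print(line)
    # The same hour at a DEBUG threshold shows the 60 per-run lines plus the summary.
    print(len(simulate(threshold=logging.DEBUG)), "lines at DEBUG")
```

At the NOTICE threshold the hour of runs produces exactly one line, at DEBUG it produces 61, and a window shorter than the summary interval produces nothing at NOTICE until the interval elapses. The handler threshold, not the code that emits the message, is what decides what the Live Log sees, which is why moving the per-run line to DEBUG is enough on its own to quiet the widget.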
Title: Re: IPS/IDS filling my log file
Post by: doktornotor on September 10, 2024, 08:15:42 PM
Another one for your noise...

https://github.com/opnsense/plugins/pull/4228
Title: Re: IPS/IDS filling my log file
Post by: tekgeek on September 10, 2024, 08:47:14 PM
 :o 🎉
Title: Re: IPS/IDS filling my log file
Post by: badbroccoli on October 31, 2024, 06:23:09 PM
Quote from: doktornotor on September 10, 2024, 08:15:42 PM
Another one for your noise...

https://github.com/opnsense/plugins/pull/4228

Thanks! Subscribed to the issue. Hopefully it can get merged soon.

Edit: Just a few minutes after I posted this it was merged. Woot! Thanks all.