OPNsense Forum

English Forums => General Discussion => Topic started by: JasMan on December 31, 2018, 04:00:50 pm

Title: Logging for all firewall rules
Post by: JasMan on December 31, 2018, 04:00:50 pm
Hey,
I'm curious whether OPNsense has a switch or option where I can enable the logging for all firewall rules at once.

Why? When the ruleset becomes bigger and bigger, and you find out that a client has access to something that it shouldn't have, it's difficult to find the rule which allows the traffic.
In this case it would be great to temporarily enable the logging for all rules at once and check the log to see which rule allows the specific traffic.

Thank you.
Jas Man

Title: Re: Logging for all firewall rules
Post by: JasMan on January 11, 2019, 09:49:50 pm
Any idea?!
Title: Re: Logging for all firewall rules
Post by: marjohn56 on January 11, 2019, 11:37:31 pm
Not a single switch, no. The on/off for logging the default rules is in System:Settings:Logging; the rest is down to the rules you've created.
Title: Re: Logging for all firewall rules
Post by: JasMan on January 12, 2019, 12:33:11 pm
What a shame  ;D

Do you agree that this would be a nice feature? My old Sophos UTM has this and I found it really helpful.
Title: Re: Logging for all firewall rules
Post by: marjohn56 on January 12, 2019, 01:16:28 pm
Maybe... Maybe not.


I'm on the fence.  :)
Title: Re: Logging for all firewall rules
Post by: JasMan on January 12, 2019, 02:52:11 pm
I've submitted a feature request: https://github.com/opnsense/core/issues/3124
Title: Re: Logging for all firewall rules
Post by: deeler on September 12, 2021, 02:20:06 pm
I'd love to see this feature too!
Title: Re: Logging for all firewall rules
Post by: 36thchamber on March 10, 2024, 12:49:12 am
A much-needed feature, but not understood, so we're stuck without it. Filterlog is the main source of evidence of network activity, with other components often dropping the data. I log everything, and I wish there was a better view than "Plain View" to read it.
Title: Re: Logging for all firewall rules
Post by: CJ on March 10, 2024, 03:42:17 pm
Keep in mind that, depending on the amount of traffic and the number of rules you have, enabling logging for all of them can cause problems, such as filling up your drive and possibly slowing down your network.
Title: Re: Logging for all firewall rules
Post by: 36thchamber on March 11, 2024, 12:40:20 am
Thanks. I did the testing and there's no performance impact. The rate of messages isn't high; it's a bit more than a DNS query log, which people store without doubts. It creates something like 10MB per client per day, visible but not much, especially compared to ntopng. There will be a turnover of 5GB per month for a 50-device network. Ntopng will do that in 1 day. It's very light logging, not tracing size, so even in case of high throughput like a speedtest it will drop just a very few messages. So it's valuable for its size and the only source of information about blocked requests.

Monthly turnover example:
    ntopng (100GB) > zenarmor (20GB) > ...... > filterlog (5GB) > dnslog (4GB) > flowlog (1.5GB) > dhcplog (1.5GB) > .... > crowdsec (16MB) > firewalllog (15MB)

Thinking maybe it's not needed, I turned it off yesterday for all pass requests. But the next day I found myself clueless about what's going on. The most frequently accessed window, Live View, became empty; I thought that one was somehow fetched in real time from the process. Now this switch makes even more sense! I'm back in the "log all" camp and hope for "Plain View" parsing in the future. If "Live View" is a filterlog reader, then it can either be expanded even further into the past, or its code can be used in "Plain View". All those other logs count something (with great packet loss) but don't show the blocked requests or the interface path.
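Both the original question (once every rule logs, which rule actually passed a given client's traffic?) and the later wish for something better than "Plain View" over filterlog come down to reading the filterlog CSV offline. The script below is an added example, not OPNsense project code. It assumes the filterlog field order documented for pfSense/OPNsense (rulenr, subrulenr, anchor, label, interface, reason, action, direction, ipversion, then the IPv4 or IPv6 header fields, then the protocol-specific fields starting with source and destination port), and that the "label" column is the identifier the firewall writes for the matching rule. The sample log lines are constructed, and the names `parse_line`, `parse_log`, `rules_for_flow` and `events_per_source` are mine.

```python
"""Which firewall rule matched a flow? A small reader for OPNsense filterlog lines.

Added example, not OPNsense code. Field order is an assumption taken from the
pfSense/OPNsense filterlog documentation; sample lines are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: everything before the CSV payload (syslog priority, timestamp, host,
# "filterlog", pid, RFC 5424 structured data) contains no commas, so the payload
# starts at the first "<rulenr>,<subrulenr>," pair.
_PAYLOAD = re.compile(r"\d+,\d*,.*$")


@dataclass(frozen=True)
class FilterEvent:
    rulenr: str
    label: str        # identifier of the rule that matched (assumed: the "label" column)
    interface: str
    action: str       # pass / block / ...
    direction: str    # in / out
    ipversion: int
    proto: str        # tcp / udp / icmp / ...
    src: str
    dst: str
    srcport: Optional[int]
    dstport: Optional[int]


def parse_line(line: str) -> Optional[FilterEvent]:
    """Parse one filterlog line; returns None for anything that is not an IPv4/IPv6 event."""
    m = _PAYLOAD.search(line)
    if not m:
        return None
    f = m.group(0).split(",")
    if len(f) < 9 or not f[8].isdigit():
        return None
    ipversion = int(f[8])
    if ipversion == 4:
        # IPv4 header fields: tos,ecn,ttl,id,offset,flags,protonum,protoname,length,src,dst
        if len(f) < 20:
            return None
        proto, src, dst, rest = f[16], f[18], f[19], f[20:]
    elif ipversion == 6:
        # IPv6 header fields: class,flowlabel,hoplimit,protoname,protonum,length,src,dst
        if len(f) < 17:
            return None
        proto, src, dst, rest = f[12], f[15], f[16], f[17:]
    else:
        return None
    srcport = dstport = None
    if proto in ("tcp", "udp") and len(rest) >= 2 and rest[0].isdigit() and rest[1].isdigit():
        srcport, dstport = int(rest[0]), int(rest[1])   # first two proto fields are the ports
    return FilterEvent(f[0], f[3], f[4], f[6], f[7], ipversion, proto, src, dst, srcport, dstport)


def parse_log(lines: Iterable[str]) -> List[FilterEvent]:
    return [ev for ev in (parse_line(l) for l in lines) if ev is not None]


def rules_for_flow(events, src=None, dst=None, dstport=None, action=None) -> Counter:
    """Count (label, action, interface, direction) of every rule that matched the given flow filter."""
    hits = Counter()
    for ev in events:
        if src is not None and ev.src != src:
            continue
        if dst is not None and ev.dst != dst:
            continue
        if dstport is not None and ev.dstport != dstport:
            continue
        if action is not None and ev.action != action:
            continue
        hits[(ev.label, ev.action, ev.interface, ev.direction)] += 1
    return hits


def events_per_source(events) -> Counter:
    """Which hosts dominate the log; worth checking before leaving every rule set to log."""
    return Counter(ev.src for ev in events)


# Constructed sample lines (RFC 5424 style and classic BSD syslog style); labels are made up.
SAMPLE_LINES = [
    '<134>1 2024-03-10T00:49:12+01:00 fw.lan.example filterlog 7312 - [meta sequenceId="1"] 84,,,0cf2c5e0b6dec7c3e3ed8d02fd0d6a5c,igb1,match,pass,in,4,0x0,,64,31337,0,DF,6,tcp,60,192.168.10.20,10.0.0.5,51234,445,0,S,1041423112,,65535,,mss',
    '<134>1 2024-03-10T00:49:13+01:00 fw.lan.example filterlog 7312 - [meta sequenceId="2"] 106,,,2c7ad1f9e0b4c6a8d5e3f1a2b3c4d5e6,igb1,match,pass,in,4,0x0,,64,0,0,DF,17,udp,71,192.168.10.20,192.168.10.1,53212,53,51',
    '<134>1 2024-03-10T00:49:14+01:00 fw.lan.example filterlog 7312 - [meta sequenceId="3"] 9,,,b3f5c7d9e1a2b4c6d8e0f2a4b6c8d0e2,igb1,match,block,in,4,0x0,,64,0,0,none,6,tcp,60,192.168.10.30,10.0.0.5,40000,445,0,S,2212400331,,65535,,mss',
    '<134>1 2024-03-10T00:49:15+01:00 fw.lan.example filterlog 7312 - [meta sequenceId="4"] 84,,,0cf2c5e0b6dec7c3e3ed8d02fd0d6a5c,igb1,match,pass,in,6,0x00,0x00000,64,tcp,6,40,fd00::20,fd00::5,51235,445,0,S,1041423113,,65535,,mss',
    'Mar 10 00:49:20 fw filterlog[7312]: 84,,,0cf2c5e0b6dec7c3e3ed8d02fd0d6a5c,igb1,match,pass,in,4,0x0,,64,31338,0,DF,6,tcp,60,192.168.10.20,10.0.0.5,51236,445,0,S,1041423114,,65535,,mss',
]

if __name__ == "__main__":
    import sys
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    evs = parse_log(lines)
    # The question from the thread: which rule lets 192.168.10.20 reach SMB (445) on anything?
    for key, n in rules_for_flow(evs, src="192.168.10.20", dstport=445, action="pass").most_common():
        print(f"{n:6d}  rule={key[0]} action={key[1]} if={key[2]} dir={key[3]}")
    print("events per source:", dict(events_per_source(evs)))
```

Pipe exported filterlog lines into the script to run it against real data; with no input it walks the constructed sample. The label it prints is what you then look up in the rule list to find the over-permissive rule, and `events_per_source` gives a quick feel for which clients would dominate the volume that CJ warns about.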