General Discussion / OPNsense sshd logs to central logserver (Graylog)
« on: January 18, 2024, 04:37:56 pm »
Hi everyone, I hope someone can help me.
I'm trying to set up some alerting in Graylog for ssh logins to my OPNsense.
In general it's working since I enabled logging targets for "audit".
But on Graylog I just receive audit logs concerning WebGui (config changes, WebGui logins, etc.).
So I checked on the filesystem and it seems that OPNsense is just pushing /var/log/audit.log entries to central syslog and not the log entries from /var/log/audit/audit*.log. These logs also seem to be the ones used in the WebGui (System -> Log Files -> Audit).
Do I understand that correctly? Is there a way to get sshd audit logs sent to a central syslog server?