Messages - Helle

#1
Exactly the way I used to use the live log and how we use the monitoring tab at work for finding important anomalies.
#2
Hello again :-)

It seems to be possible to use the live log in some way if one disables the auto refresh but in my world that is a "non-live log"

I have to investigate if I can use this for something useful but I do miss the old way which reminds a little bit of the monitor tab with search expression field in the other brand I was not mentioning.

Update: It is still rather difficult to get the result since it seems to show only after the view is filled.
If my window is set to show 25 rows, my query will only display anything when the result is 25 rows or more, so it is rather backwards, and no indication that anything is picked up with the current filter arguments is shown, whereas the old behavior filled the view in a "live log" way.

Sorry for taking everyone's time but I hope my feedback can make a difference somehow.

Update2: The resolve doesn't seem to work as my expectations but it might have to do with if the refresh is quick or if it takes some time to get enough data in the live log buffer.. I guess.
What I am suggesting is that the behavior is rather confusing.

Update3:
The auto refresh tick box could be renamed to auto clear since it is a more descriptive label ;-)

Other than that, I am even more confused after really trying to get the logic behind this with only trial and error and not reading a lot of manuals and developer discussion threads.

I guess I need to send my logs to a syslog server with some elastic functionality to be able to use the logs but I hope to be proven wrong asap.
#3
Thanks for the clarification.

I did read the discussions when the change was introduced but did not speak out because I thought it was just a temporary glitch that was to be fixed and there were fixes made shortly after the change.

I can no longer find a way to drill down things using a few search arguments and then resolve the result, nor can I have a query that will auto-display what I'm interested in whenever it occurs.

In fact, I have a really hard time figuring out how people use the live log at all after the change.

I do not want to patch my system since I like to have it as stock as possible but maybe someone can explain how to use the live log in a decent way.

For instance, filter live data to show hostname for traffic from a specific source where the port is 1337 and it seems to happen every 5 minutes.

On my box, the "live feed" briefly shows some rows but then disappears and a few new rows appear and when selecting resolv. things get even more weird if possible and in a few seconds the window is blank.

I guess that is supposed to happen and that's why I no longer have any use for the live log.

Please correct me if I'm wrong. This is not a rant even if it contains 100% rant material. I'd like to be corrected so much.
#4
I feel your pain.

The current filtering is not working imho since any search term effectively makes the log disappear from the view.
I used to be able to enter a few arguments and then enable reverse lookup to see what's going on but that was long ago.

According to various forum posts from developers, this should be fixed but I don't see that on my end.

I am working with a rather well known enterprise firewall brand at work and querying the logs for various problems is in my world really important to find problems and then fix them.
#5
A way to name configurations and revert back to an older *local* config (or just the previous config) would also be nice.

Of course that can be done with exporting but to have a few local configs to revert to is super nice imho

(just some more thoughts while discussing the subject)
#6
Ok, thanks for the explanation !
#7
I have been in the same situation applying "something" by mistake and looking for an undo or revert or so but it seems to be implied that changes are committed or staged for next reboot (whatever those changes were).

I wish there were a preview where staged changes would be presented and an option to discard those changes.

On the other hand, such behavior is mostly useful on firewalls that take a rather long time to commit changes and all changes are committed in bulk.

OPNsense has "apply buttons" everywhere and a more direct approach for "commits".

I still think this could need a more practical gui experience..

(Just my 2c)

//Helle
#8
I applied the patch but have the same issue after.

Is a reboot necessary ?

//Helle
#9
Ok. Thanks again

Now it's running fine again so I am thankful.
#10
Quote from: RZR on November 12, 2021, 08:31:36 AM
Quote from: franco on November 12, 2021, 08:06:13 AM
Can you grab opnsense-update 21.7.5_2 from the main mirror? That should fix it.

Other mirrors will update too but it might take a bit.


Cheers,
Franco

Thanks Franco, that seems to have sorted it for me.
It worked well for me too

Thanks a lot Franco,

One question,

Would my system have rebooted successfully without the fix ?
#11
Quote from: itoffshore on November 12, 2021, 07:51:18 AM
I received the same missing libssl.so.50 error on the 21.7.5 update - I'm on the libressl flavour
libreSSL it is
#12
My upgrade of my system ended with:

The cleanup will free 21 MiB
Deleting files: .......... done
All done
ld-elf.so.1: Shared object "libssl.so.50" not found, required by "opnsense-verify"
Starting web GUI...done.
Generating RRD graphs...done.
ld-elf.so.1: Shared object "libssl.so.50" not found, required by "opnsense-verify"
***DONE***


It never rebooted as it was supposed to do and I am hesitant to reboot until I can expect it to reboot ok.

The gui says it's running 21.7.5 but the installed packages are still .4 and health audit is complaining about not running the expected kernel (which is expected)

The firewall is an APU device with only serial console access so I really want to get some backing before rebooting.

The full installation log is attached
#13
Quote from: Helle on May 29, 2021, 10:55:47 PM
I will try the patch.

And report back

/Anders
Tried the patch and it works fine.
Both saving and recalling, it seems just fine.

Thanks @franco
#14
I will try the patch.

And report back

/Anders
#15
For me, it works but is broken..

I can select a filter "host = 10.0.1.23"
save it as template

When I restore the named template it gives me "dst = 10.0.1.23" instead of "src,dst = 10.0.1.23"

Nice feature and hopefully soon working well.

I wonder if anyone is using Palo Alto firewalls? They have very flexible log filtering where you can click anything interesting in the live log and instantly get it added to the "filter bar", a bit like how Wireshark filtering works.