Messages

1

22.1 Legacy Series / Re: Syslog, Graylog, not human readable logs?

« on: June 04, 2022, 01:47:03 pm »

Hello

All messages were showing the firewall ip in Source. so 192.168....
Nothing else was readable except Timestamp.

2

22.1 Legacy Series / Re: Syslog, Graylog, not human readable logs?

« on: May 29, 2022, 11:34:39 am »

Here comes the "limit" of dockers approach. I added the Netflow plugin set the port but nothing was coming in.
Quick check the port was not open, which I put on the fact I didn't declare it during the docker setup.

Anyway, I stopped the Syslog input and moved Netflow to the 1514 port. It receives well the data and as you said in clear readable format. So having the right plugin help

@cditty not sure if that relates to your initial issue.

Now just need to learn Grafana and how to build the proper reports.

Thanks and sorry to have kind of Hijacked the initial thread.

3

22.1 Legacy Series / Re: Syslog, Graylog, not human readable logs?

« on: May 29, 2022, 03:17:06 am »

Thanks.
I’m using Maxmind for the outside world. It works fine except sometimes not populating the city for dst_ip (seems random).

The objective was more for internal ips, like 192.168.30.4 = computerxxx. I was wondering if there was a way to pass the information in the logs send from opnsense. If not, yes maybe lookup table can help.

4

22.1 Legacy Series / Re: Syslog, Graylog, not human readable logs?

« on: May 28, 2022, 03:03:16 pm »

Side note and back to the non-readable. I disabled sending syslog and tried to send Netflow. These logs are not readable. 

5

22.1 Legacy Series / Re: Syslog, Graylog, not human readable logs?

« on: May 28, 2022, 02:36:37 pm »

I tried docker, just to "learn" about it a bit and for testing. It should help to keep things isolated, not polluting too much the server when I finally decide what to use between Graylo, Influxdb, Victoriametrics, Grafana.

Does anyone know how to send local hostname along with the ip? it would be easier to track which wonderful iOTs device tries to talk too much.

6

22.1 Legacy Series / Re: Syslog, Graylog, not human readable logs?

« on: May 26, 2022, 07:36:29 pm »

Thanks
Eventually I modified the graylog.conf file in xxxxx/docker/volumes/monitoring_graylog_data/_data/config, that fixed it.

I can't test ntopng, it requires to upgrade to 22.1.8 to install the plugin, which I will avoid looking at the other thread

7

22.1 Legacy Series / Re: Syslog, Graylog, not human readable logs?

« on: May 26, 2022, 05:13:54 pm »

Same, installation in Docker, still need to figure out why it didn’t take the proper time sone in the config and how to change.

I set the stream rule on “source”=myopensense hostname.
Sending all syslog for now to the stream, i’ll probably split in different stream later. No garbage log, everything is properly populating the fields. I’m using the extractor provided by bsmithio but will probably convert the one from pfsense and change.
The grafana dashboard provided by bsmithio displays the map properly too.

I tried Graylog dashboard, but it seems pretty limited with free version. I couldn’t figure out how to create a map.

Next step will be to send ntopng to Graylog and see what i can get. Then slowly work on the dashboards.

8

22.1 Legacy Series / Re: Syslog, Graylog, not human readable logs?

« on: May 26, 2022, 01:05:35 pm »

I duplicated the default one with dst_ip. I like to know where things connect
It resolving only country probably becasue the line is
let geo = lookup("geoip", to_string($message."src_ip"));

Trying yours now, but being in a docker might require some adjustments for the file locations.
This guy was able to make it work in Grafana for the country part.
https://github.com/bsmithio/OPNsense-Dashboard
But that might be thanks to a change of format through Content pack or extractor. I'll dig into that later.

9

22.1 Legacy Series / Re: Syslog, Graylog, not human readable logs?

« on: May 26, 2022, 12:32:45 pm »

Indeed learning curve.
Thanks to your message I figured out why I was receiving no message (sending to TCP which was not active instead of UDP).
So now I managed to send Syslog to a dedicated stream in Graylog, progress...
Still can't figure out why the GeoIP is not yet working but have some ideas (just looking at src_ip).

Funny how I didn't even think about sending Netflow and was looking at ntopng.

And here comes which is log is best for what, before even starting yet to create dashboard in Grafana.

10

22.1 Legacy Series / Re: Syslog, Graylog, not human readable logs?

« on: May 26, 2022, 07:39:11 am »

Hello,

I've started to work on the same topic this weekend, first looking at Telegraf/Influxdb/Grafana. But I don't collect enough information as I'm mostly interested in monitoring:
- User/device (IP)  traffic usage and destinations
- Suricata monitoring
- Firewall
- Bandwith

So started to look at Graylog and inspiration from this https://github.com/lephisto/pfsense-analytics.
Now the issue is to convert the extractor to OpnSense but not being able to read the Syslog message sent to Graylog is not helping.

Would you mind to share, what you have done so far? Did you create your own Extractor ?
Do you collect all logs or just some in Graylog ?
"I added a rule to throw out anything with a facility_num <= 0": did you do that in Graylog Stream ?

Thanks

11

Zenarmor (Sensei) / Re: No interface selected - no report ...

« on: July 22, 2021, 07:07:51 pm »

Hello,

It's fixed. I tried few things:
- Changed the mode to passive and so on. Each time it updated the reports but then nothing.
- Then I changed back the log to INFO, which I previously had at Error. When I did that strangely the "enter Bypass mode" button changed to a red "Sop bypass mode".

Stoping bypass mode fixed the issue...

What is strange is that:
- a full reset din't bring back Sensei to normal mode
- The button "stop bypass" appeared only when I changed the log level.

 

12

Zenarmor (Sensei) / No interface selected - no report ...

« on: July 22, 2021, 03:19:22 am »

Hi all,

I installed Sensei few days ago and everything was working fine. But then to troubleshoot some other issues, I first click bypass mode, then removed interfaces.
Once the rest was fixed, I  added back the interface and restarted. Now status is showing "no interface selected", I have no reports.

I tried to full re-install/reset Sensei, still the same.

Any idea where to look and fix?

Thanks

13

General Discussion / ExpressVPN setup blocking everything except Aliases + weird

« on: July 17, 2021, 05:46:42 pm »

Hi all,

I have 3 physical interfaces:
- WAN
- LAN (192.168.30.0/24)
- WIFI (192.168.60.0/24)

The objective is to have 3 devices from WIFI to use the VPN (defined in Aliases).

I followed the instruction from expressvpn here https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/ adjusted for opnsense.

At the end of the openvpn client configuration, connection status shows up and connected.
The interface assignment show "opvnc1 (00:00:00:00:00)".
Created the aliases for the 3 devices,
Created the NAT using VPN interface
Created Firewall rule using WIFI interface (I tried all interface for the sake of it...).

once everything is setup, no traffic is going through the VPN. ipleak.net shows ISP location.

If I change the expressevpn server in the client configuration:
- the 3 devices are properly using the VPN showing the right DNS
- All other devices, including the ones connected to LAN, lose all internet connection.

The only way to recover access is to open the VPN interface and save it (Without making any change). But when I do so, the 3 devices revert back to ISP DNS, not using anymore the VPN...

Any ideas of what could be wrong ?

Thanks.