Messages - king_boring

#1
Could someone please confirm that behaviour of audit logs?
Otherwise I will continue trying to troubleshoot this :-)
#2
Hi everyone, I hope someone can help me.

I'm trying to set up some alerting in Graylog for ssh logins to my OPNsense.
In general it's working since I enabled logging targets for "audit".

But on Graylog I just receive audit logs concerning WebGui (config changes, WebGui logins, etc.).
So I checked on the filesystem and it seems that OPNsense is just pushing /var/log/audit.log entries to central syslog and not the log entries from /var/log/audit/audit*.log. These logs also seem to be the ones used in the WebGui (System -> Log Files -> Audit).
Do I understand that correctly? Is there a way to get sshd audit logs sent to a central syslog server?