I don't understand Firewall's Live Log

[c-mu]

Hello,
I do not understand the live log. I see all sorts of information there, but when I specifically want to investigate a case for which there is a firewall rule, I don't see it.

Inside the rule there is a check mark "Log packets that are handled by this rule". For example, if I ping this server that is noted in the rule, it doesn't show up in the livelog. Why not?

I can put in a simple rule "icmp allow to server IP 1.2.3.4", I set the checkbox and look in the live log if it is being tracked. I start my ping (works) and watch the log but no entry to be found.

I keep running into this problem so the live log has never given me any benefit to date. I have then always used tcpdump on the console.

Am I missing something fundamental? It also doesn't matter which filter I use, i.e. whether I search for source , destination or "address", I don't see what I need.

Thank you for your time

Edit: is there an option to log every thing? I mean my log destination is a RAM disk with 30Gigs free space. Time Range? usually never needed the last past hours, only the time "now"

[tiermutter]

I never had such issues. Are you sure the rule is hit? You can inspect this with the "inspect" button (FW rules).

[c-mu]

i am absolutely sure. For testing purposes I have installed an icmp rule at the top and armed it only for my client ip. If I forbid icmp, no ping comes through, if I allow it, it works again.

[tiermutter]

I can confirm this for IPv6, tested with 22.1.1_3.
ICMPv6 is not shown in livelog, ICMPv4 is shown in livelog as expected.

[tiermutter]

Sorry, too fast.... ICMPv6 is also shown in livelog.
   
WG0   2022-02-18T13:32:11   fd00:13:18::3   2a00:xxxx:xxxx:xx::xxx     ipv6-icmp

[c-mu]

I just noticed something : I can't find any livelog entries that run over openvpn. I also can't select an interface in the livelog filter that has to do with openvpn. VLANs yes, IPSec yes, but no openvpn.

[tiermutter]

Same here, no possibility to select interface=ovpn, as I don´t have a OVPN interface added.
But every OVPN pass rule is logged, including ICMP.

[wbk]

It helped me quite a lot to add tags to rules, so that I could filter on them.

It also happens that a previous (not logged) rule captures the occurrence.

Turning the filter around might help as well: define all kinds of things you do not want to see, and turn of the auto refresh; then show a couple of hundred records.

I do agree, without being involved in the log daily, it is not quite straight forward what to look for. I have no suggestions for improvement though!